[squid-users] ACL Help Please.

From: Michael Knichel <m.knichel_at_gmail.com>
Date: Wed, 20 Oct 2010 09:53:15 -0400

I am a teacher with my own web connection for my classroom. I wish to
have ACL's that deal with my morning class differently than my
afternoon class. I have created the rules and applied them, but they
do not seem to be working. I have cleared my cache and restarted
squid but no luck.

Some Background: I am trying to make it so my "am_students" can surf
freely any time before 8:45 and after 10:30. That gives them 1/2 hr
before class starts and 15 minutes at the end to check email, forum
posts etc... At 8:45 I want to limit the sites they visit to those
found in "AM_good_sites.txt" ( entries like .somedomain.com and
.otherdomain.net ...) until 10:30. I have created my timed acl, my
dstdomain acl and my proxy_auth acl. However, it seems that this
config is not working. Any insight would be appreciated.

============================================= squid.conf
========================================
#http_port 127.0.0.1:3128 transparent
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
#broken_vary_encoding allow apache
access_log /var/log/squid3/access.log
debug_options ALL,1
#debug_options ALL,1,33,2
dns_nameservers 208.67.222.222 208.67.220.220
#dns_nameservers 24.148.96.1 24.148.96.2
hosts_file /etc/hosts
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/basic.passwd
auth_param basic realm Q3AIT Proxy Authentication
auth_param basic children 10
auth_param basic credentialsttl 3 hour
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#acl all src 0.0.0.0/0.0.0.0
acl all src
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 2349 # hvcc.edu e-library
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl our_nets src 192.168.6.0/24

# added by knichel 20090927 to require authentication
acl myAuth proxy_auth REQUIRED

#The following defines when I DON'T want them surfing freely
acl AIT1_times time MTWHF 08:45-10:30
acl AIT2_times time MTWHF 11:45-13:30

acl teacher proxy_auth {comma separated user list}
acl pm_students proxy_auth {comma separated user list}
acl am_students proxy_auth {comma separated user list}

acl am_good_sites dstdomain "/etc/squid3/AM_good_sites.txt"
acl pm_good_sites dstdomain "/etc/squid3/PM_good_sites.txt"

acl bad_sites dstdomain "/etc/squid3/bad_sites.txt"

acl google_apps url_regex -i q3ait.org

acl GMail browser google.com/a
cache deny QUERY AM_good_sites
cache deny QUERY PM_good_sites
http_access deny manager
http_access allow purge localhost
http_access deny !Safe_ports
http_access deny purge
http_access deny CONNECT !SSL_ports

# Used for updating computers, Allow All during updating...
#http_access allow all

# always allow users to good sites
http_access allow myAuth teacher
http_access deny bad_sites
http_access allow myAuth am_students am_good_sites
http_access allow myAuth pm_students pm_good_sites

http_access allow myAuth google_apps

# Deal with AM and PM separately
http_access allow am_students myAuth !AIT1_times
http_access allow pm_students myAuth !AIT2_times

# now block all other access
http_access deny all

# allow replies from inside requests...
http_reply_access allow all

icp_access allow all
cache_effective_group proxy
visible_hostname localhost
coredump_dir /var/spool/squid3
==============================================================================================

--
Michael Knichel
Received on Wed Oct 20 2010 - 13:53:22 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 21 2010 - 12:00:03 MDT