The importance of access controls cannot be overstated, so it is important to understand how to control who may use Squid. Access controls are built from two components. The first is the acl, which defines what is being matched: clients, IP addresses, hostnames, origin port numbers, request methods and so on. Once the acls are defined, they are combined with rules (such as http_access) that allow or deny the requests they match.
Syntax:
1. Define the ACL
acl <unique_name> <type> <decision_string>
(type is any criterion such as port, src, dst, dstdomain, srcdomain, time, etc.)
2. Apply the ACL in an access rule
http_access <allow|deny> <acl unique_name> (a leading ! negates the acl)
Eg:-
acl Safe_ports port 80
http_access deny !Safe_ports (denies every destination port other than port 80)
Squid evaluates the http_access lines in the config file from top to bottom and applies the first rule whose acls match, so the order of the lines matters.
SCENARIOS BASED ON ACLs
Restricting a single host (192.168.10.57) using an ACL
# vim squid.conf
--------
acl badhost src 192.168.10.57
http_access allow !badhost
# or use the following
http_access deny badhost
--------
# reload squid
Restricting multiple hosts
# vim squid.conf
--------
acl badhosts src 192.168.10.50 192.168.10.51 192.168.10.52 192.168.10.53
http_access allow !badhosts
# or use the following
http_access deny badhosts
--------
# reload squid
ACL lists
Usually an ACL list can be defined in 2 ways.
1. Repeating the same acl name on several lines (the values are merged into one list)
eg:- acl Safe_ports is defined in this way
----------
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 70
http_access deny !Safe_ports
----------
2. Putting the list of values in a separate file (the quoted file name is given as the acl's value).
# vim /etc/squid/badhosts
-------
192.168.1.50
192.168.1.51
192.168.1.52
192.168.1.53
-------
# vim squid.conf
-------
acl badhosts src "/etc/squid/badhosts"
http_access deny badhosts
-------
# reload squid
Here the acl takes its list of source addresses from the text file instead of from squid.conf, so the file is the only thing to edit when the list changes (reload Squid after editing it).
Defining an ACL based on TIME:
Squid recognizes the following syntax
Day of the week (DOW)
S = Sunday
M = Monday
T = Tuesday
W = Wednesday
H = tHursday
F = Friday
A = sAturday
Hours and minutes
hh:mm-hh:mm (24-hour time format)
Restricting access during working/business hours
syntax:
acl work_hours time [days_of_week] [hours_of_day]
We can illustrate it with the following examples.
To deny access to Squid between 9:30 AM and 5 PM every day, use the following syntax
#vim squid.conf
-----
acl work_time time 09:30-17:00
http_access deny work_time
-----
# reload squid
This will deny all requests to Squid between 9:30 and 17:00.
To deny access to Squid between 9:30 AM and 12:20 PM and between 2:00 PM and 6:00 PM every day, use the following syntax
#vim squid.conf
-----
acl work_time time 09:30-12:20
http_access deny work_time
acl work_time2 time 14:00-18:00
http_access deny work_time2
-----
# reload squid
This will deny internet access during the given periods, 9:30 AM to 12:20 PM and 2:00 PM to 6:00 PM, every day. If some users need to bypass this rule, define a rule that permits their access above this ACL.
To deny access to Squid between 9:30 AM and 5 PM on Monday, Wednesday, Thursday, Friday and Saturday, use the following syntax
#vim squid.conf
-----
acl work_time time MWHFA 09:30-17:00
http_access deny work_time
-----
# reload squid
This will deny access on the MWHFA weekdays between 9:30 AM and 5 PM.
Defining access to destination domains using an ACL.
Two ways can be used to obtain the result
- By creating the rules inside squid.conf
- By creating a list of destination domains in a text file
# vim squid.conf
------
acl time_waste_sites dstdomain .yahoo.com
acl time_waste_sites dstdomain .msn.com
acl time_waste_sites dstdomain .orkut.com
acl time_waste_sites dstdomain .ebay.com
http_access deny time_waste_sites
------
# reload squid
This will deny every website under the domains defined in squid.conf, eg:- mail.yahoo.com, app.yahoo.com, ebay.com, test.ebay.com etc.
2. Denying destination domains by listing them in a text file
# vim /etc/squid/time_waste_domains.txt
-----
.msn.com
.orkut.com
.ebay.com
-----
# vim squid.conf
-----
acl time_waste dstdomain "/etc/squid/time_waste_domains.txt"
http_access deny time_waste
-----
# reload squid
ACL ANDed RULES.
This combines several acls on one http_access line using AND logic: the rule matches only when every listed acl matches. For example, this is useful for denying access to certain websites during business hours.
Denying Certain Sites At Given Time using ACL ANDing Rule:
# vim squid.conf
-----------
acl time_waste time MWHFA 09:30-17:00
acl waste_domain dstdomain "/etc/squid/time_waste_domains.txt"
http_access deny time_waste waste_domain
-----------
# reload squid
This will deny access to the sites listed in the file /etc/squid/time_waste_domains.txt between 09:30 and 17:00 on the DOW M, W, H, F and A.
Denying certain sites at a given time for a range of hosts using the ACL ANDing rule:
# vim squid.conf
-----------
acl lazy_workers src 192.168.233.0/24
acl time_waste time MWHFA 09:30-17:00
acl waste_domain dstdomain "/etc/squid/time_waste_domains.txt"
http_access deny lazy_workers time_waste waste_domain
-----------
# reload squid
This will deny access to the sites listed in the file /etc/squid/time_waste_domains.txt between 09:30 and 17:00 on the DOW M, W, H, F and A for the hosts in the given IP range.
ANDing using criteria definition:
Scenario:
We have to create a rule restricting casual website access during business hours.
In the above scenario we have to consider certain criteria:
1. Work hours = MTWHF 9:00-18:00
2. Source subnet = 192.168.1.0/24
3. Permitted search domain = google.com should be allowed
So now we define the ACLs to meet the above requirements.
# vim squid.conf
----------
#Acl to allow the search domains
acl work_sites dstdomain .google.com
http_access allow work_sites
# ACL to deny all the sites other than work_sites for lazy_guys at working hours in week days
acl lazy_guys src 192.168.1.0/24
acl work_hours time MTWHF 09:00-18:00
http_access deny lazy_guys work_hours
----------
# reload squid
This allows only google.com for the lazy_guys on weekdays from 9:00 to 6:00 PM. Outside the defined time (non-office hours and weekends) access to other sites is still given.
Note:-
The ANDed rule works only when both criteria match, i.e. the request comes from the source IP range (192.168.1.0/24) at the defined time (Mon-Fri 9:00 to 6:00 PM). If it does not match, the default rule applies.
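To make the first-match ordering, the AND logic on one http_access line and the leading-dot dstdomain matching concrete, here is a small Python model of how Squid evaluates the acl/http_access lines from this post. It is an added teaching example, not Squid's own parser or any code from the original post; it assumes acl values are given inline (no quoted file lists), a time acl always carries an hh:mm-hh:mm window, and the documented Squid default of applying the opposite of the last http_access line when nothing matches.

```python
import ipaddress
from datetime import datetime

# Squid's day-of-week letters (see the post) mapped to Python's weekday() (Monday = 0)
DOW = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

def parse_config(text):
    """Collect acl definitions (same name on several lines = one list) and http_access rules in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "acl":                # acl <name> <type> <value>...
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":      # http_access allow|deny <acl> [<acl>...]
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(atype, values, req):
    """Match one acl against a request dict with keys src, host, when (datetime)."""
    if atype == "src":                                 # single IPs or CIDR subnets
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "dstdomain":                           # ".x.com" matches x.com and every subdomain
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)
    if atype == "time":                                # [DOW letters] hh:mm-hh:mm, 24-hour clock (assumed present)
        days, window = values if len(values) == 2 else ("SMTWHFA", values[0])
        start, end = window.split("-")
        t = req["when"]
        return t.weekday() in {DOW[d] for d in days} and start <= t.strftime("%H:%M") <= end
    raise ValueError("unsupported acl type: " + atype)

def decide(config, src, host, when):
    """Top to bottom, the first http_access line whose acls ALL match (AND, '!' negates) decides.
    With no match Squid applies the opposite of the last http_access line."""
    acls, rules = parse_config(config)
    req = {"src": src, "host": host, "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}
    for verdict, refs in rules:
        if all(acl_matches(*acls[r.lstrip("!")], req) != r.startswith("!") for r in refs):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed config: the post's lazy_guys scenario, with the allow line ABOVE the deny line
LAZY_GUYS = """
acl work_sites dstdomain .google.com
http_access allow work_sites
acl lazy_guys src 192.168.1.0/24
acl work_hours time MTWHF 09:00-18:00
http_access deny lazy_guys work_hours
"""
# Same acls with the allow line moved BELOW the deny line: the deny now fires first, blocking google.com too
SWAPPED = LAZY_GUYS.replace("http_access allow work_sites\n", "") + "http_access allow work_sites\n"
```

Running decide() on a request from 192.168.1.20 to mail.google.com on a Monday at 10:00 returns "allow" with LAZY_GUYS but "deny" with SWAPPED, which is the ordering point behind "define a rule that permits the access above this ACL".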