Книга: Fedora™ Unleashed, 2008 edition

Sample Configurations

Sample Configurations

To help you fully understand how Squid access control works, and also to help give you a head start developing your own rules, the following are some ACL lines you can try. Each line is preceded with one or more comment lines (starting with a #) explaining what it does:

# include the domains news.bbc.co.uk and slashdot.org
# and not newsimg.bbc.co.uk or www.slashdot.org.
acl newssites dstdomain news.bbc.co.uk slashdot.org
# include any subdomains or bbc.co.uk or slashdot.org
acl newssites dstdomain .bbc.co.uk .slashdot.org
# include only sites located in Canada
acl canadasites dstdomain .ca
# include only working hours
acl workhours time MTWHF 9:00-18:00
# include only lunchtimes
acl lunchtimes time MTWHF 13:00-14:00
# include only weekends
acl weekends time AS 00:00-23:59
# include URLs ending in ".zip". Note: the is important,
#  because "." has a special meaning otherwise
acl zipfiles url_regex -i .zip$
# include URLs starting with https
acl httpsurls url_regex -i ^https
# include all URLs that match "hotmail"
url_regex hotmail url_regex -i hotmail
# include three specific IP addresses
acl directors src 10.0.0.14 10.0.0.28 10.0.0.31
# include all IPs from 192.168.0.0 to 192.168.0.255
acl internal src 192.168.0.0/24
# include all IPs from 192.168.0.0 to 192.168.0.255
# and all IPs from 10.0.0.0 to 10.255.255.255
acl internal src 192.168.0.0/24 10.0.0.0/8

When you have your ACL lines in place, you can put together appropriate http_access lines. For example, you might want to use a multilayered access system so that certain users (for example, company directors) have full access, whereas others are filtered. For example:

http_access allow directors
http_access deny hotmail
http_access deny zipfiles
http_access allow internal lunchtimes
http_access deny all

Because Squid matches those lines in order, directors will have full, unfiltered access to the web. If the client IP address is not in the directors list, the two deny lines are processed so that the user cannot download .zip files or read online mail at Hotmail. After blocking those two types of requests, the allow on the fourth line allows internal users to access the web, as long as they do so only at lunch time. The last line (which is highly recommended) blocks all other users from the proxy.

Оглавление книги


Генерация: 1.277. Запросов К БД/Cache: 3 / 0
поделиться
Вверх Вниз