Squid Time ACL's

[mcdazz]

Hello,

I would like to be able to restrict access to various websites contained in a particular file, but allow access to these websites before work, during lunch time and after work.

The below is what I have come up with, however, I'm not sure if it will work, and if it does, if it's the best approach.

My proposed config is:

acl banned src "/etc/squid/badsites.txt"

acl before_work time MTWHF 00:01-08:00
acl lunch_time time MTWHF 12:00-14:00
acl after_work time MTWHF 17:00-23:59

http_access allow before_work lunch_time after_work banned all
http_access deny all

Feel free to offer any suggestions and correct me if I'm wrong.

Cheers,
Dazz

[Ricky]

You have not specified your own local network ?
You are using "all" for 0.0.0.0 ? It means your proxy is an open proxy ie. anyone can use it, even from internet.

Anyways, you have mentioned that at those hours allow banned sites but you have not mentioned when to ban them ?

Add before your allow directive.

Code: [Select]

http_access deny banned

Though you have to test it.

[mcdazz]

You have not specified your own local network ?
You are using "all" for 0.0.0.0 ? It means your proxy is an open proxy ie. anyone can use it, even from internet.

Anyways, you have mentioned that at those hours allow banned sites but you have not mentioned when to ban them ?

Add before your allow directive.

Code: [Select]

http_access deny banned

Though you have to test it.

Thanks for the response Ricky.

I'm actually using NTLM for authentication, plus the appropriate IP range in my actual squid.conf, so there are no worries about it being an open proxy (plus there is additional security).

The config I posted was just kept simple - more or less throwing an idea out there before I actually tested the changes, just in case I was completely wrong.  :-)

While I've done a bit of reading about how the ACL's should work, there were a couple of things I wasn't 100% sure of and thought I should ask before trying and banging my head against the wall if I got it wrong.

I'll give your recommendation a go and hopefully test it out sometime before the weekend.

Cheers,
Dazz

[mcdazz]

Ok, I was able to have a bit of a play with the system last night as no-one was logged on remotely, and did some testing.

After doing a bit more reading, I found that the config I proposed wouldn't work, specifically, the line:

http_access allow before_work lunch_time after_work banned all

The reason, according to what I read on the visolve website, is that each of those conditions is being processed as an "AND" - which effectively meant that it was checking before_work AND lunch_time AND after_work and trying to match all of those conditions at the same time.

Below is a *partial* copy of my squid.conf that seems to work, although I will properly test it over the weekend.


acl AuthorizedUsers proxy_auth REQUIRED

acl banned dstdomain "/etc/squid/banned.txt"

acl SSL_ports port 443          # https
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

acl before_work time MTWHF 00:01-08:00
acl lunch_time time MTWHF 12:00-15:00
acl after_work time MTWHF 17:00-23:59

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

#http_access deny banned

http_access allow before_work banned
http_access allow lunch_time banned
http_access allow after_work banned

http_access deny banned

http_access allow AuthorizedUsers

http_access deny all
http_reply_access allow all
icp_access allow all

[Ricky]

Well, I must accept that it has been so many days / years that I am not in touch with linux administrations so I understand that my recommendations can't be sharp as they could have been earlier .

But I am glad that things are working for you.

See you around, you may help others too

[mcdazz]

Well, I must accept that it has been so many days / years that I am not in touch with linux administrations so I understand that my recommendations can't be sharp as they could have been earlier .

But I am glad that things are working for you.

See you around, you may help others too

Will do.  :-)

And thanks for your help.

[mcdazz]

After having a bit of a re-think about the requirements, I decided another approach might be easier and allow a bit more flexibility.

The requirements changed slightly and are roughly as follows:

*  Permanently ban a number of sites (blacklist.acl) ie adult sites
*  Restrict certain sites during working hours (Monday to Friday) (nonwork.acl), but allow access to them during non-working hours (before work, after work, lunch, weekends etc) ie Facebook etc
*  Require AD authentication
*  Allow unrestricted Internet access if you belong to the InetUnrestricted AD Group

The squid.conf is below (with a few things changed for security purposes)

=======================

#Default Squid Settings

http_port            3128
cache_dir ufs /var/spool/squid      100 16 256
cache_mgr            support@our_email_address.com
access_log            /var/log/squid/access.log
cache_effective_group         proxy
ftp_user            root@proxy_name
visible_hostname         proxy_name

hierarchy_stoplist         cgi-bin ?
acl QUERY urlpath_regex         cgi-bin \?
cache deny             QUERY
acl apache rep_header         Server ^Apache
broken_vary_encoding         allow apache
hosts_file            /etc/hosts
refresh_pattern ^ftp:         1440   20%   10080
refresh_pattern .         0   20%   4320


# NTLM
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds

acl all src 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

external_acl_type nt_global_group %LOGIN /usr/lib/squid/wbinfo_group.pl

acl AuthorizedUsers proxy_auth REQUIRED

acl inet_norestrictions external nt_global_group InetUnrestricted

acl blacklist dstdomain "/etc/squid/blacklist.acl"
acl nonwork dstdomain "/etc/squid/nonwork.acl"

acl SSL_ports port 443          # https
acl Safe_ports port 80          # http
acl Safe_ports port 90      # required for a particular user
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

acl am_work time MTWHF 08:00-12:00
acl pm_work time MTWHF 15:00-17:00

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

http_access allow inet_norestrictions

http_access deny blacklist

http_access deny am_work nonwork
http_access deny pm_work nonwork

http_access allow nonwork

http_access allow AuthorizedUsers

http_access deny all
http_reply_access allow all
icp_access allow all

=======================

Late night testing last night showed that it worked (of course, I had to change the times to suit the hours I was testing in), but the authentication etc worked well.

Hopefully this helps someone else.

Oh, if I've made any mistakes, feel free to let me know.

I'll be implementing this over the weekend, so I'm sure I'll be made aware if something doesn't work.  ;-)

Cheers,
Dazz