SQUID Proxy ACL

  • Vijayd2007
  • Born
  • Posts: 2

Post 3+ Months Ago

Hi,

I'm new to Linux & especially SQUID proxy. Recently I have installed Squid 2.6 on my SUSE 9.1 Linux box. I have a few queries as listed below:

1) In my network, i.e. 10.13.4.0/24, I want to restrict a few IPs from accessing the internet. The allowed range is 10.13.4.175 to 10.13.4.255. How do I achieve this with SQUID ACL?

2) These internet-accessible IPs should be restricted to downloading only files not exceeding 3Mb in size. If the download size is above 3Mb, Squid should terminate the download and log such an occurrence.

Please tell me the ACL to configure in squid.conf file to achieve this.

Thanks in advance.

Vijay
  • AnarchY SI
  • Web Master
  • Posts: 2521
  • Loc: /usr/src/MI

Post 3+ Months Ago

Quote:
Restricting Web Access By IP Address

You can create an access control list that restricts Web access to users on certain networks. In this case, it's an ACL that defines a home network of 192.168.1.0.
Code:
#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/255.255.255.0


You also have to add a corresponding http_access statement that allows traffic that matches the ACL:
Code:
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow home_network


- http://www.linuxhomenetworking.com/wiki ... trol_Lists

I'm not finding anything about a download file size limit, but maybe someone else could pipe in with some information on that. I did read that you can limit one host's or a group of hosts' bandwidth by using delay pools. There should be a part of the squid.conf going over delay pools, but if you'd like to read more about them, go here and start reading about 1/4 of the way down the page. There's a section titled delay pools.
  • alias8700
  • Beginner
  • Posts: 43

Post 3+ Months Ago

Code:
# TAG: reply_body_max_size    (KB)
#    This option specifies the maximum size of a reply body. It
#    can be used to prevent users from downloading very large files,
#    such as MP3's and movies.  The reply size is checked twice.
#    First when we get the reply headers, we check the
#    content-length value. If the content length value exists and
#    is larger than this parameter, the request is denied and the
#    user receives an error message that says "the request or reply
#    is too large." If there is no content-length, and the reply
#    size exceeds this limit, the client's connection is just closed
#    and they will receive a partial reply.
#
#    NOTE: downstream caches probably cannot detect a partial reply
#    if there is no content-length header, so they will cache
#    partial responses and give them out as hits. You should NOT
#    use this option if you have downstream caches.
#
#    If you set this parameter to zero (the default), there will be
#    no limit imposed.
#
#Default:
# reply_body_max_size 0
  • Vijayd2007
  • Born
  • Posts: 2

Post 3+ Months Ago

Hi AnarchY SI,

Thanks for the reply.
If I'm not wrong, the ACL statement
acl home_network src 192.168.1.0/255.255.255.0 will allow all hosts on this subnet to access the internet. My requirement is that only a range of IP addresses on the network, i.e. from .175 to .255, should be allowed.
Please correct me if I'm wrong.
Thanks.

Vijay
  • AnarchY SI
  • Web Master
  • Posts: 2521
  • Loc: /usr/src/MI

Post 3+ Months Ago

yes, that is true. but what if you changed the .0 to .175 ..? ;)
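As an added illustration (not code from this thread or from Squid), here is a small Python model of how Squid evaluates `src` ACLs and `http_access` lines. It applies a netmask the way Squid does, so writing .175 with a /24 mask still matches the whole subnet (Squid masks the host bits and warns about it), whereas Squid's `addr1-addr2` range form of the `src` ACL confines access to .175 through .255. The squid.conf fragment inside is constructed for the example.

```python
import ipaddress

# Constructed squid.conf fragment (not from the thread). The first acl is the
# "change the .0 to .175" idea; the second uses Squid's addr1-addr2 range form.
SQUID_CONF = """
acl home_network src 192.168.1.175/255.255.255.0
acl allowed_range src 10.13.4.175-10.13.4.255
http_access allow allowed_range
http_access deny all
"""

def parse_src_acl(spec):
    """Predicate for one value of 'acl NAME src ...'.

    Squid accepts addr, addr/cidr, addr/netmask and addr1-addr2. A netmask is
    applied to the address, so host bits are discarded: 192.168.1.175 with
    255.255.255.0 is still all of 192.168.1.0/24.
    """
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(a) for a in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)  # strict=False masks host bits
    return lambda ip: ip in net

def load_config(text):
    """Collect src ACLs and http_access rules; 'all' is predefined as in Squid."""
    acls, rules = {"all": lambda ip: True}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0] == "acl" and parts[2] == "src":
            preds = [parse_src_acl(s) for s in parts[3:]]
            acls[parts[1]] = lambda ip, p=preds: any(f(ip) for f in p)
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(acls, name, client):
    return acls[name](ipaddress.ip_address(client))

def http_access(acls, rules, client):
    """First http_access line whose ACLs all match (ANDed, '!' negates) wins.
    If no line matches, Squid takes the opposite of the last line's action,
    which is why an explicit 'http_access deny all' goes last."""
    for action, names in rules:
        if all(matches(acls, n.lstrip("!"), client) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Running `matches` against 192.168.1.5 returns True for `home_network`, which is the pitfall; the range ACL admits 10.13.4.200 and denies 10.13.4.10.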
  • alias8700
  • Beginner
  • Posts: 43

Post 3+ Months Ago

AnarchY SI wrote:
yes, that is true. but what if you changed the .0 to .175 ..? ;)
:lol:


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.