这段时间网络重新规划了，Squid 的 ACL 配置越来越复杂、越来越臃肿了，为免忘记，把目前的 ACL 配置贴上来！
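######### marco.chan_acl acl control rule ##############
# Squid ACL definitions plus the http_access policy, one directive per line.
# Two things about Squid's parser matter for how this file is written:
#  - an inline "#" only starts a comment when it follows whitespace, so a
#    comment glued onto a regex or file name becomes part of that token;
#  - an ACL value that names a file must be quoted ("/path"); an unquoted
#    path is taken as a literal domain/IP value and the file is never read.
# http_access rules are evaluated top-down and the first rule whose ACLs all
# match decides, so the ORDER of the rules below is the policy.

# Download file extensions to block (case-insensitive). urlpath_regex is
# anchored with "$", so a request whose path carries a query string after
# the extension (".mp3?x=1") does not match this list; blocking on the
# response MIME type is the stricter complement if that matters here.
acl disable_extension urlpath_regex -i \.mp3$ \.avi$ \.rmvb$ \.rm$ \.ra$ \.ram$ \.mpe$ \.smi$ \.mpeg$ \.wmv$ \.wma$ \.3gp$ \.td$ \.td\.cfg$ \.torrent$ \.flv$ \.vbs$

# Destination domains that are always refused.
acl disable_site dstdomain "/usr/local/squid/var/acl_dir/deny_site.txt"
# Source addresses that are always refused.
acl disable_ip src "/usr/local/squid/var/acl_dir/disable_src_ip.txt"

# Out-of-office hours; the two time lines OR together into one ACL.
#acl office_times time S 00:01-23:59
acl office_times time MTWHFAS 00:00-8:00
acl office_times time MTWHFAS 18:30:01-23:59
# Hosts that may only browse during office hours (see http_access below).
acl office_hosts src "/usr/local/squid/var/acl_dir/office_hosts.txt"

# SNMP. "public" is the well-known default community and is the only
# credential for the SNMP interface; the snmp_access / snmp_port lines that
# restrict it to the cacti host are not part of this excerpt.
acl snmp_public snmp_community public
acl cacti src 10.0.0.252/32

# Hosts that get plain HTTP/HTTPS only (no MSN ports, no MSN servers).
acl allow_service_http src "/usr/local/squid/var/acl_dir/allow_http_lists.txt"
# MSN: server addresses and the client hosts allowed to reach them.
acl msn_server_ip dst "/usr/local/squid/var/acl_dir/msn_server_ip.txt"
acl msn_client src "/usr/local/squid/var/acl_dir/allow_msn_lists.txt"

# Destinations open to EVERY client: the http_access rules that use these two
# carry no src ACL, so any host that can reach the proxy port gets them.
acl allow_dstdomain_all dstdomain "/usr/local/squid/var/acl_dir/allow_site_all.txt"
acl allow_dst_all dst "/usr/local/squid/var/acl_dir/allow_dst_all.txt"

# Per-department lists: *1 = allowed destination domains, *2 = the
# department's source hosts, *_dst = allowed destination IPs.
acl allow_ciq1 dstdomain "/usr/local/squid/var/acl_dir/allow_site_ciq.txt"
acl allow_ciq2 src "/usr/local/squid/var/acl_dir/ip_ciq.txt"
acl allow_human1 dstdomain "/usr/local/squid/var/acl_dir/allow_site_human.txt"
acl allow_human2 src "/usr/local/squid/var/acl_dir/ip_human.txt"
acl allow_human_dst dst "/usr/local/squid/var/acl_dir/allow_dst_human.txt"
acl allow_finance1 dstdomain "/usr/local/squid/var/acl_dir/allow_site_finance.txt"
acl allow_finance2 src "/usr/local/squid/var/acl_dir/ip_finance.txt"
acl allow_finance_dst dst "/usr/local/squid/var/acl_dir/allow_dst_finance.txt"
acl allow_sales1 dstdomain "/usr/local/squid/var/acl_dir/allow_site_sales.txt"
acl allow_sales2 src "/usr/local/squid/var/acl_dir/ip_sales.txt"

# Individually whitelisted source addresses. Defined here but not referenced
# by any http_access rule below, so it currently has no effect.
acl enable_ipaddress src "/usr/local/squid/var/acl_dir/allow_src_ip.txt"

# VLAN areas.
# vlan11 1f workshop
# vlan12 1f office
# vlan13 2f workshop
# vlan15 2f office
# vlan16 3f office
acl vlan10 src 192.168.10.0/28
#acl vlan11 src 192.168.11.0/24
acl vlan12 src 192.168.12.0/27
acl vlan13 src 192.168.13.0/24
acl vlan15 src 192.168.15.0/26
acl vlan16 src 192.168.16.0/27
acl vlan17 src 192.168.17.0/26
# test IP
#acl mis_ip src 192.168.16.88/32
#
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl port_http port 80 443
acl port_msn port 1863 7001
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 21 # ftp
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# marco.chan
# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname …
#
# NOTE on default values:
#
# If there are no access lines present, the default is to deny
# the request.
#
# If none of the access lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an deny all or allow all entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
################ marco.chan_http_access allow or deny ##############
# Guards first. Squid stops at the first matching rule, so the "recommended
# minimum" rules originally placed after "http_access deny all" were never
# evaluated: cachemgr was unreachable even from localhost, and any client
# matched by an allow rule could use the proxy towards any destination port.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports (80/443/1863/7001 used below are all Safe_ports)
http_access deny !Safe_ports
# Site lists open to every client, regardless of source address.
http_access allow allow_dstdomain_all
http_access allow allow_dst_all
# Blanket denies.
http_access deny disable_site
http_access deny disable_extension
http_access deny disable_ip
#http_access deny vlan11
http_access deny vlan13
http_access deny office_times office_hosts
# MSN clients may reach the MSN servers on the MSN ports (typically via CONNECT).
http_access allow msn_client port_msn
http_access allow msn_client msn_server_ip
# Deny CONNECT to other than SSL ports. Placed after the MSN allows so they
# keep working; every rule below is limited to CONNECT on 443. Note that the
# allow_dstdomain_all / allow_dst_all lists above still bypass this guard --
# move it above them if those destinations must not be tunnelled to other ports.
http_access deny CONNECT !SSL_ports
# HTTP-only hosts: refuse the MSN ports/servers, then allow 80/443.
http_access deny allow_service_http port_msn
http_access deny allow_service_http msn_server_ip
http_access allow allow_service_http port_http
# Department hosts to their own destination lists.
http_access allow allow_finance2 allow_finance1
http_access allow allow_finance2 allow_finance_dst
http_access allow allow_ciq2 allow_ciq1
http_access allow allow_human2 allow_human1
http_access allow allow_human2 allow_human_dst
http_access allow allow_sales2 allow_sales1
# Whole VLANs with unrestricted destinations.
http_access allow vlan10
http_access allow vlan12
http_access allow vlan15
http_access allow vlan16
http_access allow vlan17
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
# (it has to sit above the allow rules to take effect)
#http_access deny to_localhost
#
# "http_access allow localnet" from the stock template was after "deny all"
# in the original and therefore never matched; it is left out here because
# every allow above is deliberately narrower than the whole 192.168/16.
# And finally deny all other access to this proxy.
# NOTE: "all" is predefined from Squid 3.0 on; on Squid 2.x it must be
# declared explicitly in the acl section -- confirm against the running version.
http_access deny all
#################### chan# http_access end # marco ######################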
转载请注明出处:麦麦的不老阁 » 《Squid acl 实录》









