由 邓奕文 在 11-20-2003 15:22 发表:
squid问题
怎么控制上网?例如:只允许 192.168.0.1 上网,而不让 192.168.0.2 上网,squid 应该怎么设置?谢谢。
由 wallace888 在 11-20-2003 16:08 发表:
用 acl 指令来控制。例如,编辑 squid.conf,加入:
acl baduser src 192.168.0.2
acl our_networks src 192.168.0.0/24
http_access deny baduser
http_access allow our_networks
这样 192.168.0.2 就不能上网了。http_access 规则按先后顺序匹配,第一条匹配到的规则生效,所以 deny baduser 必须写在 allow our_networks 之前;src 后面写单个主机时不要带 /24 这样的掩码(192.168.0.2/24 表示的是网段而不是单个主机),改完 squid.conf 之后还要执行 squid -k reconfigure 才会生效。
由 邓奕文 在 11-21-2003 08:10 发表:
ACCESS CONTROLS
-----------------------------------------------------------------------------
TAG: acl
Defining an Access List
acl aclname acltype string1 ...
acl aclname acltype "file" ...
when using "file", the file should contain one item per line
acltype is one of the types described below
By default, regular expressions are CASE-SENSITIVE. To make
them case-insensitive, use the -i option.
acl aclname src addr1-addr2/netmask ... (range of addresses)
acl aclname dst ip-address/netmask ... (URL host's IP address)
acl aclname myip ip-address/netmask ... (local socket IP address)
acl aclname srcdomain .foo.com ... # reverse lookup, client IP
acl aclname dstdomain .foo.com ... # Destination server from URL
acl aclname srcdom_regex [-i] xxx ... # regex matching client name
acl aclname dstdom_regex [-i] xxx ... # regex matching server
# For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# based URL is used. The name "none" is used if the reverse lookup
# fails.
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday
h1:m1 must be less than h2:m2
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... # ranges allowed
acl aclname myport 3128 ... # (local socket TCP port)
acl aclname proto HTTP FTP ...
acl aclname method GET POST ...
acl aclname browser [-i] regexp ...
# pattern match on User-Agent header
acl aclname referer_regex [-i] regexp ...
# pattern match on Referer header
# Referer is highly unreliable, so use with care
acl aclname ident username ...
acl aclname ident_regex [-i] pattern ...
# string match on ident output.
# use REQUIRED to accept any non-null ident.
acl aclname src_as number ...
acl aclname dst_as number ...
# Except for access control, AS numbers can be used for
# routing of requests to specific caches. Here's an
# example for routing all requests for AS#1241 and only
# those to mycache.mydomain.net:
# acl asexample dst_as 1241
# cache_peer_access mycache.mydomain.net allow asexample
# cache_peer_access mycache_mydomain.net deny all
acl aclname proxy_auth username ...
acl aclname proxy_auth_regex [-i] pattern ...
# list of valid usernames
# use REQUIRED to accept any valid username.
# NOTE: when a Proxy-Authentication header is sent but it is not
# needed during ACL checking the username is NOT logged
# in access.log.
# NOTE: proxy_auth requires an EXTERNAL authentication program
# to check username/password combinations (see
# authenticate_program).
# WARNING: proxy_auth can't be used in a transparent proxy. It
# collides with any authentication done by origin servers. It may
# seem like it works at first, but it doesn't.
acl aclname snmp_community string ...
# A community string to limit access to your SNMP Agent
# Example:
# acl snmppublic snmp_community public
acl aclname maxconn number
# This will be matched when the client's IP address has
# more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified then the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is then reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunnelling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types HTTP tunnelling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl my_network src 192.168.0.0/24
#acl dyw src 192.168.0.2/24
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access deny dyw
http_access allow my_network
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
由 邓奕文 在 11-21-2003 08:16 发表:
以上的目的是不让 192.168.0.2 上网,其它主机都可以。不知道上面的配置什么地方出了问题,仍然控制不了 192.168.0.2 上网,谢谢大家帮忙!(acl dyw src 192.168.0.2/24 前面的 # 号是贴错了,原配置里没有。)
由 邓奕文 在 11-21-2003 14:46 发表:
哎,在这里想求一点儿帮助,好难,好难……啊!
由 邓奕文 在 11-22-2003 08:42 发表:
以上的目的是不让 192.168.0.2 上网,其它主机都可以。不知道上面的配置什么地方出了问题,仍然控制不了 192.168.0.2 上网,谢谢大家帮忙!(acl dyw src 192.168.0.2/24 前面的 # 号是贴错了,原配置里没有。)
ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# # based URL is used. The name "none" is used if the reverse lookup
# # fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires an EXTERNAL authentication program
# # to check username/password combinations (see
# # authenticate_program).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified then the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is then reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
#