[SOLVED] Source-based remote ACLs

Started by maltalef, February 24, 2021, 08:49:18 PM

February 24, 2021, 08:49:18 PM Last Edit: February 26, 2021, 09:40:06 PM by maltalef
Good day,

I need a solution to this example, that I've not been able to find in the Web Proxy GUI page:

There are two groups of IPs: one can access social media sites and the other cannot. Neither of them can access adult sites.

The only way I've found of doing it is to apply the remote ACL to ALL the IPs, but that's not what I'm looking for. I need a finer degree of control over whom ACLs are applied to.

Thanks in advance for your answer.

Hi

I use custom configfiles in /usr/local/etc/squid/pre-auth to control which machine is allowed what.
eg. my TV is allowed Netflix, but not some survey sites etc.

# ACL to define the source IP
acl nas src 10.0.0.1

# Allowed addresses (this could also point to a file, I think)
acl nas_allow ssl::server_name raw.githubusercontent.com .snapcraft.io .ubuntu.com
acl nas_allow_80 dstdomain raw.githubusercontent.com .snapcraft.io .ubuntu.com

# this denies an IP address in the URL after the first ssl bump - that (for me) was tricky to figure out
acl nas_deny ssl::server_name_regex [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}

# allow access to lists, deny everything else
http_access allow nas nas_allow
http_access allow nas nas_allow_80
http_access deny nas !nas_deny

br
Christian

Is there any way to do that from the Web GUI? From what I've found, my conclusion has been that you cannot, but maybe there's something I'm missing.

I didn't find one, no.

The only way via GUI seems to be User authentication, but then everyone has to enter credentials all the time.

But it isn't THAT hard. I figured it out and I'm not a squid/firewall expert.

Try the code above with one source ip.
I think you have what you need.
Use tail -f /var/log/squid/access.log to see what's happening.
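As an added example (not code posted in this thread), here is the original poster's two-group scenario written the same way Christian's snippet does it: source-based src ACLs combined with destination ACLs in a custom file under /usr/local/etc/squid/pre-auth. The subnets, domain names and the adult_domains.txt path are placeholders chosen for illustration; the ssl::server_name lines assume SSL bump is enabled as in Christian's setup (without bump, plain CONNECT requests carry the hostname and the dstdomain lines already cover them).

```conf
# Added example: the two-group policy from the first post, as Squid ACLs.
# Drop this in a file under /usr/local/etc/squid/pre-auth/ so it is evaluated
# before the rules the OPNsense GUI generates. All values below are placeholders.

# Source groups (constructed subnets)
acl grp_social_ok src 10.0.1.0/24
acl grp_social_no src 10.0.2.0/24
acl grp_all       src 10.0.1.0/24 10.0.2.0/24

# Destination categories for plain HTTP and for CONNECT requests that carry a hostname.
# A quoted path loads one domain per line from a file (leading dot = match subdomains).
acl social_sites dstdomain .facebook.com .twitter.com .instagram.com
acl adult_sites  dstdomain "/usr/local/etc/squid/acl/adult_domains.txt"

# The same categories matched on the TLS server name once SSL bump has peeked at the SNI.
acl social_sites_tls ssl::server_name .facebook.com .twitter.com .instagram.com
acl adult_sites_tls  ssl::server_name "/usr/local/etc/squid/acl/adult_domains.txt"

# http_access is evaluated top to bottom; the first matching line wins, and every ACL
# named on a line must match. Put the denies first so a later allow cannot shadow them.
http_access deny grp_all adult_sites
http_access deny grp_all adult_sites_tls
http_access deny grp_social_no social_sites
http_access deny grp_social_no social_sites_tls

# Anything not denied above falls through to the GUI-generated rules that follow,
# so the "social media allowed" group needs no explicit allow line here.
```

After reloading Squid, a request from 10.0.2.0/24 to a social domain should show a TCP_DENIED entry in /var/log/squid/access.log while the same request from 10.0.1.0/24 is served; if both groups are still reaching the adult list, check that this file really sorts before the GUI rules and that the domain file has one entry per line with no trailing whitespace.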