Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
[SOLVED] Source-based remote ACLs
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Source-based remote ACLs (Read 3051 times)
maltalef
Newbie
Posts: 3
Karma: 0
[SOLVED] Source-based remote ACLs
«
on:
February 24, 2021, 08:49:18 pm »
Good day,
I need a solution to this example, that I've not been able to find in the Web Proxy GUI page:
There's two groups of IPs, one can access social media sites and the other cannot. They both cannot access adult sites.
The only way I've found of doing it is to apply the remote ACL to
ALL
the IPs, but that's not what I'm looking for. I need a finer degree of control over whom are ACLs applied to.
Thanks in advance for your answer.
«
Last Edit: February 26, 2021, 09:40:06 pm by maltalef
»
Logged
Cuffs
Newbie
Posts: 20
Karma: 2
Re: Source-based remote ACLs
«
Reply #1 on:
February 25, 2021, 09:46:52 pm »
Hi
I use custom configfiles in /usr/local/etc/squid/pre-auth to control which machine is allowed what.
eg. my TV is allowed Netflix, but not some survey sites etc.
# ACL to define the source IP
acl nas src 10.0.0.1
# Allowed addresses (this could also point to a file i think)
acl nas_allow ssl::server_name raw.githubusercontent.com .snapcraft.io .ubuntu.com
acl nas_allow_80 dstdomain raw.githubusercontent.com .snapcraft.io .ubuntu.com
# this denies an IP address in the URL after the first ssl bump - that (for me) was tricky to figure out
acl nas_deny ssl::server_name_regex [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
# allow access to lists, deny everything else
http_access allow nas nas_allow
http_access allow nas nas_allow_80
http_access deny nas !nas_deny
br
Christian
Logged
maltalef
Newbie
Posts: 3
Karma: 0
Re: Source-based remote ACLs
«
Reply #2 on:
February 26, 2021, 12:08:39 am »
Is there any way to do that from the Web GUI? From what I've found, my conclusion has been that you cannot, but maybe there's something I'm missing.
Logged
Cuffs
Newbie
Posts: 20
Karma: 2
Re: Source-based remote ACLs
«
Reply #3 on:
February 26, 2021, 09:05:22 pm »
I didn‘t find one, no.
The only way via GUI seems to be User authentication, but then everyone has to enter credentials all the time.
But it isn‘t THAT hard. I figured it out and I‘m not a squid/firewall expert.
Try the code above with one source ip.
I think you have what you need.
Use tail -f /var/log/squid/access.log to look whats happening
Logged
maltalef
Newbie
Posts: 3
Karma: 0
Re: Source-based remote ACLs
«
Reply #4 on:
February 26, 2021, 09:39:06 pm »
Thank you very much!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
[SOLVED] Source-based remote ACLs