Specifying multiple acl conditions on one acl line of squid.conf

access-control-listsquid

In squid I need to combine acl conditions in one line:
e.g.
acl allowed_conn src 10.40.50.5 && dstdomain intranet.loc
acl allowed_conn src 10.40.50.6 && dstdomain anothersite.net

I know that I could instead define two like so:
acl allow_src src 10.40.50.5
acl allow_domain intranet.loc

And then I could do:
http_access allow allow_src allow_domain
but in this way I will need to create new http_access lines for different acl combinations. I would like to have one http_access line like so:
http_access allow allowed_conn

Best Answer

Unfortunately, the fixed AND/OR logic of Squid's ACL list means that you can only implement an AND condition on the access line, not on the ACL line:

You've probably noticed (and been frustrated by) the fact that you cannot combine access controls with terms like "and" or "or." These operations are already built in to the access control scheme in a fundamental way which you must understand.

All elements of an acl entry are OR'ed together.
All elements of an access entry are AND'ed together

Is there some real reason you can't do it this way?

Related Solutions

Ubuntu 9.10 and Squid 2.7 Transparent Proxy TCP_DENIED

You must tell squid that it is setup as a transparent system

Instead of

http_port 3128

You need

# enable the transparent option for interception caching
http_port 3128 transparent

Using both domain users and local users for Squid authentication

Now, I need a way to allow access to users which don't have a domain account. Can this be done?

Yes.

How?

You can use an "external" ACL helper, which allows you to roll your own mechanism. See the Squid wiki "Multiple Source" entry for more details. This bit of pseudo-code lifted straight from there:

auth_param basic program /usr/local/bin/my-auth.pl
external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
acl MyAcl external myAclType
http_access allow MyAcl

... where my-auth.pl is a bit of perl script that performs the actual authentication, and returns OK or ERR as the result.

Best Answer

Related Solutions

Ubuntu 9.10 and Squid 2.7 Transparent Proxy TCP_DENIED

Using both domain users and local users for Squid authentication

Related Topic