
  squidGuard - Source ACLs

  1. Introduction

    Whenever the configuration requires profiles for different kinds of access, you have to define source ACLs.
    Before you start configuring squidGuard, plan how you will distinguish between the users and their access rights: will you use authentication, grant access by IP address or IP range, and/or by the time of day? For each group you can then define its own set of access controls.

  2. Planning the access groups

    Check the security requirements and set up a role matrix.
    For example, say your security policy forbids access to tracker and spyware sites for everyone. In addition, during normal working hours nobody shall access sites offering online games, online banking, online shopping, web TV or web radio. You also have a research group that needs nearly unlimited access, restricted only by what the security policy demands. You have several apprentices who are not yet of age and therefore must not access porn sites by law, yet they need Internet access to do their work. To keep morale high, everybody may visit basically harmless sites such as games or shopping around lunch time and outside the main business hours. Your finance department needs access to online banking, which none of the other users should have, and does not want to be bothered with user authentication.

    So your access matrix may look like this:

    user or group | allowed sites   | denied sites                                      | authenticated | ip range  | time
    --------------|-----------------|---------------------------------------------------|---------------|-----------|-----------------------
    all           |                 | spyware, tracking, banking, webtv, webradio       | not necessary |           | 0-24h
    research      | all             | spyware, tracking                                 | required      |           | 0-24h
    minors        |                 | porn, spyware, tracking, banking, webtv, webradio | required      |           | 0-24h
    all           | games, shopping |                                                   | not necessary |           | 0-8h, 12h-13h, 17-24h
    finance       | banking         |                                                   | not necessary | 10.1.2.3- |

  3. Creating the source ACLs

    Let's continue with our example and define the source ACLs for squidGuard according to the access matrix above. squidGuard provides the following tags for source definitions:

    user           Defines one or more user names (space separated). Squid must authenticate the users for this to work.
    userlist       Names a file, relative to "dbhome", that holds the user names, one per line. For a large number of users this is preferred over the "user" tag.
    ldapusersearch Defines an LDAP query that looks up the user name on an LDAP server (or an Active Directory).
    userquery      Defines a SELECT statement that retrieves the user name from a MySQL database.
    execuserlist   Names a command to run that writes a list of user names to stdout.
    ip             Defines single IP addresses or IP network ranges. Several addresses or ranges can be given, comma separated.
    iplist         Names a file, relative to "dbhome", that holds IP addresses and IP address ranges. For a large set of addresses and ranges this is preferred over the "ip" tag.

    Some more information can be found on the pages about authentication and time declarations.

    Each source ACL and each time ACL must be given a unique name, which is then used in the final acl definition. Our access matrix can be expressed by the following source and time ACLs:

    Example for source and time ACLs:

    time nonworkhours {
       weekly * 00:00-08:00   # before work
       weekly * 12:00-13:00   # lunch time
       weekly * 17:00-24:00   # after work
    }
    src finance {
       ip 10.1.2.3            # finance network, no authentication; use the full range from your access matrix
    }
    src research {
       user peter anton karl susan mira claus freddy antonia
    }
    src minor {
       userlist minorapprentices
    }

    The access for each group is defined in the acl block. A group that should be treated differently during certain hours gets a "within <time ACL>" branch and an "else" branch:

    Example for the acl block:

    acl {
        research {
           pass !spyware !tracker all
           redirect http://www.foo.bar/researchblocked.html
        }
        minor within nonworkhours {
           pass !porn !spyware !tracker !banking !webtv !webradio all
        } else {
           pass !porn !spyware !tracker !banking !webtv !webradio !shopping !games all
        }
        finance within nonworkhours {
           pass !spyware !tracker !webtv !webradio all
        } else {
           pass !spyware !tracker !webtv !webradio !shopping !games all
        }
        default within nonworkhours {
           pass !spyware !tracker !banking !webtv !webradio all
           redirect http://www.foo.bar/defaultblocked.html
        } else {
           pass !spyware !tracker !banking !webtv !webradio !shopping !games all
           redirect http://www.foo.bar/defaultblocked.html
        }
    }

    A pass rule is read from left to right and the first entry that matches the requested site decides, so the denied destinations ("!...") come first and "all" ends the rule. The minor and finance groups define no redirect of their own, so their blocked requests use the redirect of the default entry.

    Two things to keep in mind: squidGuard goes through the acl entries in the order given and uses the first source a request matches, so a more restrictive group (here minor) must be listed before a less restrictive one that the same request could also match. And a source defined by IP address grants the group's rights to whoever uses an address in that range; the finance range must therefore not be reachable by other users, for example by giving finance its own subnet with fixed address assignment.
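    To see how the source order, the within/else branches and the left-to-right pass rules interact, here is a small evaluator that encodes the access matrix above and decides single requests the way squidGuard does. It is an added example, not code from squidGuard or from this page: the destination group of a URL is taken as an input (URL matching is the subject of the Destination ACLs page), the end of the finance IP range (10.1.2.30) and the members of the minorapprentices list ("tim", "lea") are assumed for the example, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional, Tuple

def hhmm(text: str) -> int:
    hours, minutes = text.split(":")            # '24:00' is a valid range end
    return int(hours) * 60 + int(minutes)

@dataclass
class TimeAcl:
    """A 'time' block of 'weekly * HH:MM-HH:MM' lines (every weekday)."""
    windows: Tuple[Tuple[int, int], ...]

    def matches(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        return any(start <= minute < end for start, end in self.windows)

@dataclass
class SrcAcl:
    """A 'src' block; the sources of this page use user names or an ip range."""
    users: frozenset = frozenset()
    ip_ranges: Tuple[Tuple[IPv4Address, IPv4Address], ...] = ()

    def matches(self, user: Optional[str], ip: str) -> bool:
        if user is not None and user in self.users:
            return True
        addr = IPv4Address(ip)
        return any(first <= addr <= last for first, last in self.ip_ranges)

@dataclass
class AclEntry:
    """One acl entry: 'name [within time] { pass ... } [else { pass ... }]'."""
    src: Optional[str]            # None stands for 'default'
    pass_rule: str
    within: Optional[str] = None
    else_rule: Optional[str] = None
    redirect: Optional[str] = None

def pass_allows(rule: str, category: str) -> bool:
    """Read a pass rule left to right; the first token naming the category decides."""
    for token in rule.split()[1:]:          # [1:] drops the 'pass' keyword
        if token == "all":
            return True
        if token == "none":
            return False
        if token.lstrip("!") == category:
            return not token.startswith("!")
    raise ValueError("pass rule must end with 'all' or 'none': %r" % rule)

def evaluate(times, sources, acl, user, ip, when, category):
    """(action, matched source, redirect) for a request whose URL is in 'category'."""
    default_redirect = next(e.redirect for e in acl if e.src is None)
    for entry in acl:                       # first matching source wins
        if entry.src is not None and not sources[entry.src].matches(user, ip):
            continue
        rule = entry.pass_rule
        if entry.within is not None and not times[entry.within].matches(when):
            rule = entry.else_rule
        name = entry.src or "default"
        if pass_allows(rule, category):
            return ("pass", name, None)
        # an entry without its own redirect falls back to the default's redirect
        return ("redirect", name, entry.redirect or default_redirect)
    raise LookupError("the acl block needs a default entry")

TIMES = {"nonworkhours": TimeAcl(((hhmm("00:00"), hhmm("08:00")),
                                  (hhmm("12:00"), hhmm("13:00")),
                                  (hhmm("17:00"), hhmm("24:00"))))}
SOURCES = {
    # the page gives only the start of the finance range; the end .30 is assumed here
    "finance": SrcAcl(ip_ranges=((IPv4Address("10.1.2.3"), IPv4Address("10.1.2.30")),)),
    "research": SrcAcl(users=frozenset(
        "peter anton karl susan mira claus freddy antonia".split())),
    "minor": SrcAcl(users=frozenset(["tim", "lea"])),   # constructed 'minorapprentices' list
}
ACL = (   # same order as the acl block above
    AclEntry("research", "pass !spyware !tracker all",
             redirect="http://www.foo.bar/researchblocked.html"),
    AclEntry("minor", "pass !porn !spyware !tracker !banking !webtv !webradio all",
             within="nonworkhours",
             else_rule="pass !porn !spyware !tracker !banking !webtv !webradio !shopping !games all"),
    AclEntry("finance", "pass !spyware !tracker !webtv !webradio all",
             within="nonworkhours",
             else_rule="pass !spyware !tracker !webtv !webradio !shopping !games all"),
    AclEntry(None, "pass !spyware !tracker !banking !webtv !webradio all",
             within="nonworkhours",
             else_rule="pass !spyware !tracker !banking !webtv !webradio !shopping !games all",
             redirect="http://www.foo.bar/defaultblocked.html"),
)
WORK = datetime(2012, 3, 5, 14, 0)     # a constructed Monday, during working hours
LUNCH = datetime(2012, 3, 5, 12, 30)   # same day, inside 'nonworkhours'

def decide(user, ip, when, category):
    return evaluate(TIMES, SOURCES, ACL, user, ip, when, category)

if __name__ == "__main__":
    for req in [("peter", "10.0.0.7", WORK, "banking"), (None, "10.1.2.5", WORK, "games"),
                ("tim", "10.1.2.5", LUNCH, "porn"), (None, "10.0.0.9", WORK, "banking")]:
        print(req[:2], req[2].strftime("%H:%M"), req[3], "->", decide(*req))
```

    The last constructed case in the main block is the ordering point from above: the apprentice "tim" sitting at a finance desk (10.1.2.5) is matched by the minor entry because it comes before finance in the acl block; with the two entries swapped he would get the finance rules, which do not block porn.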


  © Powered by Shalla Secure Services KG 2007-2012