[people/pmueller/ipfire-2.x.git] / config / cfgroot / proxy-acl

# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
# you make will be overwritten whenever you resave proxy settings using the
# web interface! Instead, modify the file '/var/ipfire/proxy/acl' and then
# restart squid using the web interface. Changes made to the 'acl' file
# will propagate to the 'squid.conf' file at that time.
# [Scott Tregear, 22 Feb 2005]

# Uncomment the following line to enable logging of User-Agent header:
#useragent_log      /var/log/squid/user_agent.log

# Uncomment the following line to enable logging of Referer header:
#referer_log        /var/log/squid/referer.log

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 
acl Safe_ports port 80 # http 
acl Safe_ports port 21 # ftp 
acl Safe_ports port 443 563 # https, snews 
acl Safe_ports port 70 # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl Safe_ports port __PROXY_PORT__ # Squid port (for icons) 

acl IPCop_http  port 81
acl IPCop_https port 444
acl IPCop_ips  dst __GREEN_IP__ __BLUE_IP__
acl IPCop_networks src __GREEN_NET__ __BLUE_NET__
acl CONNECT method CONNECT 

##Access to squid:
#local machine, no restriction
http_access allow         localhost

#GUI admin if local machine connects
http_access allow         IPCop_ips IPCop_networks IPCop_http
http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https

#Deny not web services
http_access deny          !Safe_ports
http_access deny  CONNECT !SSL_ports

#Finally allow IPCop_networks clients
http_access allow         IPCop_networks
http_access deny          all
Commit	Line	Data
10a04d70 MT	1	# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
	2	# you make will be overwritten whenever you resave proxy settings using the
	3	# web interface! Instead, modify the file '/var/ipfire/proxy/acl' and then
	4	# restart squid using the web interface. Changes made to the 'acl' file
	5	# will propagate to the 'squid.conf' file at that time.
	6	# [Scott Tregear, 22 Feb 2005]
	7
	8	# Uncomment the following line to enable logging of User-Agent header:
	9	#useragent_log /var/log/squid/user_agent.log
	10
	11	# Uncomment the following line to enable logging of Referer header:
	12	#referer_log /var/log/squid/referer.log
	13
	14	acl all src 0.0.0.0/0.0.0.0
	15	acl localhost src 127.0.0.1/255.255.255.255
	16	acl SSL_ports port 443 563
	17	acl Safe_ports port 80 # http
	18	acl Safe_ports port 21 # ftp
	19	acl Safe_ports port 443 563 # https, snews
	20	acl Safe_ports port 70 # gopher
	21	acl Safe_ports port 210 # wais
	22	acl Safe_ports port 1025-65535 # unregistered ports
	23	acl Safe_ports port 280 # http-mgmt
	24	acl Safe_ports port 488 # gss-http
	25	acl Safe_ports port 591 # filemaker
	26	acl Safe_ports port 777 # multiling http
	27	acl Safe_ports port __PROXY_PORT__ # Squid port (for icons)
	28
	29	acl IPCop_http port 81
	30	acl IPCop_https port 444
	31	acl IPCop_ips dst __GREEN_IP__ __BLUE_IP__
	32	acl IPCop_networks src __GREEN_NET__ __BLUE_NET__
	33	acl CONNECT method CONNECT
	34
	35	##Access to squid:
	36	#local machine, no restriction
	37	http_access allow localhost
	38
	39	#GUI admin if local machine connects
	40	http_access allow IPCop_ips IPCop_networks IPCop_http
	41	http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https
	42
	43	#Deny not web services
	44	http_access deny !Safe_ports
	45	http_access deny CONNECT !SSL_ports
	46
	47	#Finally allow IPCop_networks clients
	48	http_access allow IPCop_networks
	49	http_access deny all