Securing and Managing Blue Network Cache Access with ACLs

I made changes to /var/ipfire/proxy/advanced/acls/include.acl because I needed to implement access restrictions (using Squid) among various servers within the same BLUE network.

It should be noted that a I HAVE a SMART switch can block access between BLUE servers if Squid is not active.

# Opens access GREEN
acl rete_green src
http_access allow IPFire_green_network rete_green

# Urls allowed for image display of IPFire Squid
# = BLU
# .254 = IPFire
acl special_url1 url_regex ipfire.localdomain:800/squid-internal-static/
http_access allow special_url1

acl special_url2 url_regex
http_access allow special_url2

acl special_url3 url_regex
http_access allow special_url3

# Urls allowed for wpad.dat
acl special_url4 url_regex
http_access allow special_url4

acl special_url5 url_regex
http_access allow special_url5

# deny to the IP client network access to IPFire

acl dominio2 dstdomain ipfire.localdomain
http_access deny dominio2

acl dominio3 dstdomain
http_access deny dominio3

acl dominio5 dstdomain
http_access deny dominio5

acl dominio6 dstdomain
http_access deny dominio6

acl dominio7 dstdomain
http_access deny dominio7

It is crucial to follow the RULES SETTING ORDER. If a rule is met, everything that follows is ignored, as this is the underlying logic.

Alternatively, I have configured the same functionality through the graphical interface, as shown in the image. However, it’s important to note that if you disable URL filtering (keeping only the proxy active), the rules won’t be applied. This issue can be resolved by modifying “include.acl.”

Here is a reference image:

I have conducted numerous tests, and it appears that everything is working perfectly. I am open to any suggestions for improving the rules.

Additionally, I have noticed another issue, highlighted in the following image:

Thank you in advance for any advice, and have a great day.

1 Like