modifacl

2025-04-07 09:43:25 +02:00 · 2025-04-07 09:43:25 +02:00 · 6968c19b76
commit 6968c19b76
parent 816c3b2825
2 changed files with 9 additions and 175 deletions
--- a/sisr1/automatisation.sh
+++ b/sisr1/automatisation.sh
@ -2,4 +2,4 @@

 files="./etc/crontab

-0 2-3 * * * root scriptsauvegarde.sh
+0 2 * * * /root/scriptsauvegarde.sh
--- a/sisr1/tp05_squid/squid.conf
+++ b/sisr1/tp05_squid/squid.conf
@ -1353,178 +1353,12 @@ acl Safe_ports port 488		# gss-http
 acl Safe_ports port 591		# filemaker
 acl Safe_ports port 777		# multiling http

-acl mots_cles_refuses url_regex -i twitch chatgpt
+# acl mots_cles_refuses url_regex -i twitch chatgpt
+acl mots_cles_refuses url_regex -i youtube discord twitch facebook instagram snapchat
+acl ip_restreintes src 172.16.0.5-172.16.0.99

-#  TAG: proxy_protocol_access
-#	Determine which client proxies can be trusted to provide correct
-#	information regarding real client IP address using PROXY protocol.
-#
-#	Requests may pass through a chain of several other proxies
-#	before reaching us. The original source details may by sent in:
-#		* HTTP message Forwarded header, or
-#		* HTTP message X-Forwarded-For header, or
-#		* PROXY protocol connection header.
-#
-#	This directive is solely for validating new PROXY protocol
-#	connections received from a port flagged with require-proxy-header.
-#	It is checked only once after TCP connection setup.
-#
-#	A deny match results in TCP connection closure.
-#
-#	An allow match is required for Squid to permit the corresponding
-#	TCP connection, before Squid even looks for HTTP request headers.
-#	If there is an allow match, Squid starts using PROXY header information
-#	to determine the source address of the connection for all future ACL
-#	checks, logging, etc.
-#
-#	SECURITY CONSIDERATIONS:
-#
-#		Any host from which we accept client IP details can place
-#		incorrect information in the relevant header, and Squid
-#		will use the incorrect information as if it were the
-#		source address of the request.  This may enable remote
-#		hosts to bypass any access control restrictions that are
-#		based on the client's source addresses.
-#
-#	This clause only supports fast acl types.
-#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#Default:
-# all TCP connections to ports with require-proxy-header will be denied
-
-#  TAG: follow_x_forwarded_for
-#	Determine which client proxies can be trusted to provide correct
-#	information regarding real client IP address.
-#
-#	Requests may pass through a chain of several other proxies
-#	before reaching us. The original source details may by sent in:
-#		* HTTP message Forwarded header, or
-#		* HTTP message X-Forwarded-For header, or
-#		* PROXY protocol connection header.
-#
-#	PROXY protocol connections are controlled by the proxy_protocol_access
-#	directive which is checked before this.
-#
-#	If a request reaches us from a source that is allowed by this
-#	directive, then we trust the information it provides regarding
-#	the IP of the client it received from (if any).
-#
-#	For the purpose of ACLs used in this directive the src ACL type always
-#	matches the address we are testing and srcdomain matches its rDNS.
-#
-#	On each HTTP request Squid checks for X-Forwarded-For header fields.
-#	If found the header values are iterated in reverse order and an allow
-#	match is required for Squid to continue on to the next value.
-#	The verification ends when a value receives a deny match, cannot be
-#	tested, or there are no more values to test.
-#	NOTE: Squid does not yet follow the Forwarded HTTP header.
-#
-#	The end result of this process is an IP address that we will
-#	refer to as the indirect client address.  This address may
-#	be treated as the client address for access control, ICAP, delay
-#	pools and logging, depending on the acl_uses_indirect_client,
-#	icap_uses_indirect_client, delay_pool_uses_indirect_client,
-#	log_uses_indirect_client and tproxy_uses_indirect_client options.
-#
-#	This clause only supports fast acl types.
-#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#
-#	SECURITY CONSIDERATIONS:
-#
-#		Any host from which we accept client IP details can place
-#		incorrect information in the relevant header, and Squid
-#		will use the incorrect information as if it were the
-#		source address of the request.  This may enable remote
-#		hosts to bypass any access control restrictions that are
-#		based on the client's source addresses.
-#
-#	For example:
-#
-#		acl localhost src 127.0.0.1
-#		acl my_other_proxy srcdomain .proxy.example.com
-#		follow_x_forwarded_for allow localhost
-#		follow_x_forwarded_for allow my_other_proxy
-#Default:
-# X-Forwarded-For header will be ignored.
-
-#  TAG: acl_uses_indirect_client	on|off
-#	Controls whether the indirect client address
-#	(see follow_x_forwarded_for) is used instead of the
-#	direct client address in acl matching.
-#
-#	NOTE: maxconn ACL considers direct TCP links and indirect
-#	      clients will always have zero. So no match.
-#Default:
-# acl_uses_indirect_client on
-
-#  TAG: delay_pool_uses_indirect_client	on|off
-#	Controls whether the indirect client address
-#	(see follow_x_forwarded_for) is used instead of the
-#	direct client address in delay pools.
-#Default:
-# delay_pool_uses_indirect_client on
-
-#  TAG: log_uses_indirect_client	on|off
-#	Controls whether the indirect client address
-#	(see follow_x_forwarded_for) is used instead of the
-#	direct client address in the access log.
-#Default:
-# log_uses_indirect_client on
-
-#  TAG: tproxy_uses_indirect_client	on|off
-#	Controls whether the indirect client address
-#	(see follow_x_forwarded_for) is used instead of the
-#	direct client address when spoofing the outgoing client.
-#
-#	This has no effect on requests arriving in non-tproxy
-#	mode ports.
-#
-#	SECURITY WARNING: Usage of this option is dangerous
-#	and should not be used trivially. Correct configuration
-#	of follow_x_forwarded_for with a limited set of trusted
-#	sources is required to prevent abuse of your proxy.
-#Default:
-# tproxy_uses_indirect_client off
-
-#  TAG: spoof_client_ip
-#	Control client IP address spoofing of TPROXY traffic based on
-#	defined access lists.
-#
-#	spoof_client_ip allow|deny [!]aclname ...
-#
-#	If there are no "spoof_client_ip" lines present, the default
-#	is to "allow" spoofing of any suitable request.
-#
-#	Note that the cache_peer "no-tproxy" option overrides this ACL.
-#
-#	This clause supports fast acl types.
-#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#Default:
-# Allow spoofing on all TPROXY traffic.
-
-#  TAG: http_access
-#	Allowing or Denying access based on defined access lists
-#
-#	To allow or deny a message received on an HTTP, HTTPS, or FTP port:
-#	http_access allow|deny [!]aclname ...
-#
-#	NOTE on default values:
-#
-#	If there are no "access" lines present, the default is to deny
-#	the request.
-#
-#	If none of the "access" lines cause a match, the default is the
-#	opposite of the last line in the list.  If the last line was
-#	deny, the default is allow.  Conversely, if the last line
-#	is allow, the default will be deny.  For these reasons, it is a
-#	good idea to have an "deny all" entry at the end of your access
-#	lists to avoid potential confusion.
-#
-#	This clause supports both fast and slow acl types.
-#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-#
-#Default:
-# Deny, unless rules exist in squid.conf.
-#
+http_access deny ip_restreintes mots_cles_refuses
+http_access allow localnet

 #
 # Recommended minimum Access Permission configuration:
@ -1552,9 +1386,9 @@ include /etc/squid/conf.d/*.conf
 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
-http_access deny mots_cles_refuses
-http_access allow localnet
-http_access allow localhost
+# http_access deny mots_cles_refuses
+# http_access allow localnet
+# http_access allow localhost


 # And finally deny all other access to this proxy