Re: Access Control question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 06 Oct 1998 00:27:27 +0200

Finbarr O'Kane (Sysadmin) wrote:

> This is fine, but what we are hoping to do is to not only restrict by
> requiring a username/password, but to also restrict by the hostname that
> a current user is requesting proxied http from

> user joebloggs, logs onto 'itchy', and sets up his proxies as usual,
> authenticates and everything is fine.
>
> if he then proceeds to log onto 'scratchy' then squid still lets him
> through since he has provided a valid username and password.

Sorry. I do not understand what you are talking about here.

Proxy username & password are cached by the browser, not by Squid. If
the user starts another browser then he has to authenticate again unless
he has provided his username+password to his browser by some other means
than manual authentication.

> If anyone has any suggestions on how to perhaps restrict this on both
> levels then I would be most appreciative.
>
> If moving to squid-2.0 is required, then so be it :)

With Squid 2.0 detailed access restrictions are possible, but it
requires a large amount of ACL lists.

acl host_scratchy src scratchy
acl host_itchy src itchy
acl user_joebloggs user joebloggs
acl user_finbarr user finbarr

# Allow joebloggs from itchy
http_access allow user_joebloggs host_itchy
# Allow finbarr from scratchy
http_access allow user_finbarr host_scratchy

---
Henrik Nordström
Sparetime Squid Hacker
Received on Mon Oct 05 1998 - 22:01:15 MDT
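
Added example (not part of the original message, and not Squid code): a small Python model of how the http_access lines quoted above are evaluated, showing that ACLs on one line are ANDed, the first matching line wins, and an unmatched request gets the opposite of the last line's action. The configuration text is copied from the message as posted; matching "src" and "user" as literal strings is a simplifying assumption, and check() is a hypothetical helper name.

```python
# Model of http_access evaluation for the configuration in the message.
# Assumptions: "src" is compared as a literal host name and "user" as a
# literal user name; real Squid resolves addresses and verifies the user itself.

CONFIG = """
acl host_scratchy src scratchy
acl host_itchy src itchy
acl user_joebloggs user joebloggs
acl user_finbarr user finbarr
# Allow joebloggs from itchy
http_access allow user_joebloggs host_itchy
# Allow finbarr from scratchy
http_access allow user_finbarr host_scratchy
"""

def parse(text):
    """Return (acls, rules) built from the acl and http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "acl":
            name, kind, values = fields[1], fields[2], fields[3:]
            # Repeated acl lines with the same name accumulate values.
            acls.setdefault(name, (kind, set()))[1].update(values)
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules

def acl_matches(acls, name, request):
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    return (request[kind] in values) != negate

def decide(text, request):
    """Needs at least one http_access line in the configuration text."""
    acls, rules = parse(text)
    for action, names in rules:
        # Every ACL named on the line must match (logical AND).
        if all(acl_matches(acls, n, request) for n in names):
            return action
    # No line matched: the result is the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def check(user, host):
    return decide(CONFIG, {"user": user, "src": host})
```

Because the last line here is an allow, any user/host pair not listed falls through to deny; an explicit final deny line would make that intent visible in the configuration.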
