Re: [squid-users] AD Authentification and Acl ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 17 May 2005 00:14:12 +0200 (CEST)

On Sun, 15 May 2005, Phibee Network operation Center wrote:

> acl dmz_network src 10.216.1.0/24
> http_access allow dmz_network
>
> acl AllowedADUsers external AD_Group "/etc/squid/allowedntgroups"
> acl Winbind proxy_auth REQUIRED
>
> http_access allow AllowedADUsers
> http_access deny !AllowedADUsers
> http_access deny !Winbind

The Winbind ACL is redundant here.

The above three rules could be replaced by simply

http_access allow AllowedADUsers
http_access deny all

The following four lines should be your first http_access lines.

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The purpose of these lines is to block common abuse of the proxy, and to
block it they must go before the lines where you allow users access.

> 1- Actually, when the user is not in an internet group (specified in
> allowedntgroups)
> squid sends a box asking for a new login/pass and then shows a "Cache Access
> Denied" page.
>
> Is it possible that after seeing that the user is not in an internet group, it
> doesn't ask for login/pass
> and shows a specific html page or gif with "Access Denied"?

With the above config this is what you should get.

> and is it possible that users not in the right groups don't have a "cache"? (if the
> admin changes the
> group, the user is immediately OK)

See the negative ttl parameter of external_acl_type.

> 2- I want the users authenticated in "Winbind" but not in the right groups
> to be able to go to
> 2 or 3 sites, i have put:
> acl allow_url dstdomain .pagesjaunes.fr phibee.net
> http_access allow allow_url
> but that doesn't work ..

In what way doesn't it work?

To more clearly express this you should be using

acl AllUsers proxy_auth REQUIRED
http_access allow AllUsers allow_url

> and one of these sites puts gifs located at another web address ... is it
> possible to say "pagesjaunes.fr" + html gif requests?

No.

Well, you could perhaps play some tricks with the referer_regex acl, but
this is inherently insecure as it trusts the client to correctly indicate
which web site the object was linked from. Also, as there is no dstdomain
type acl looking into the referer attribute you have to use regex
patterns.

Regards
Henrik
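Putting the advice in this reply together as one squid.conf fragment, in the order Henrik describes (an added example, not a configuration from the original thread; the auth_param lines, the group helper path and its ttl values are assumptions, and the port and manager ACLs are the stock Squid 2.5 defaults):

```conf
# Stock squid.conf (Squid 2.5) definitions used by the abuse-blocking rules
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Authentication through winbind (helper path and protocol are assumptions)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy

# AD group lookup. negative_ttl bounds how long a "not in group" answer stays
# cached, so a user the admin adds to the group is let in within that many
# seconds instead of waiting out the full ttl. (helper path is an assumption)
external_acl_type AD_Group ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl dmz_network src 10.216.1.0/24
acl AllowedADUsers external AD_Group "/etc/squid/allowedntgroups"
acl AllUsers proxy_auth REQUIRED
acl allow_url dstdomain .pagesjaunes.fr phibee.net

# 1. Abuse-blocking rules first, before anything that lets users through
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. The DMZ network needs no authentication
http_access allow dmz_network

# 3. Members of the allowed AD groups get everything
http_access allow AllowedADUsers

# 4. Any other authenticated user only reaches the listed sites
http_access allow AllUsers allow_url

# 5. Everything else is denied; no separate "deny !Winbind" rule is needed
http_access deny all
```

Because http_access is evaluated top to bottom with the first match winning, a user who fails the AllowedADUsers lookup still falls through to the allow_url rule, and only then to the final deny.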
Received on Mon May 16 2005 - 16:14:20 MDT
