Luca Dell'Oca wrote:
> Hi all,
> First of all sorry if I'm asking something obvious, I'm a really squid
> newbie.
> I've set up a squid proxy on a CentOS 5.1 server, with winbind
> authenticating in a Windows 2003 ADS. Squid version is 2.6 stable 6.
>
> Squid is working nice with a minimun set of rules, but now we want to allow
> only certain sites to every single user. I've tried some acls mixing infos
> and examples we founded around, but they do not work, both user tested get
> same sites blocked or allowed.
> What we would is every user has its own list of allowed sites, some sites
> allowed for everyones, and another list of sites allowed for everybody only
> during lunch break.
>
> Thanks!
>
> This is our squid.conf (relevant parts):
> ---------------------------------------------------------------
> # ACL for ADS authentication
> acl AuthUser proxy_auth REQUIRED
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl local_lan src 192.168.1.0/255.255.255.0
>
> acl CONNECT method CONNECT
> acl QUERY urlpath_regex cgi-bin \?
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
>
> acl Java browser Java/1.4 Java/1.5
> http_access allow Java
Ah, bingo. great big security hole.
Anyone claiming to be Java now gets unlimited web browsing. And I do
mean ANYONE, anywhere on the net.
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> ----------------------------------------------------------------------------
>
> # Allowed sites for everyone, in this file:
> acl allowedurls dstdomain "/etc/squid/allowedurls"
>
> # Avoid cheating using search engines caches:
> acl blockcache url_regex -i "/etc/squid/blockcache"
>
> http_access allow localhost
> http_access deny blockcache AuthUser
> http_access allow allowedurls AuthUser
> acl lunchbreak time D 13:00-14:00
> acl lunchbreaksites dstdomain "/etc/squid/lunchbreaksites"
> http_access allow lunchbreak lunchbreaksites
>
So far it looks okay. Those are all everyone-or-nobody right?
> # User by user ACL:
>
> acl administrator proxy_auth REQUIRED
> acl assistenza proxy_auth REQUIRED
Here is where the problems start.
'REQUIRED' means only that the person MUST login. Squid does not care
what the username/password is, just that it authenticates.
To get specific user having access to a specific site you need to list
the username in the acl. Like so:
acl administrator proxy_auth admin Administrator
acl assistent proxy_auth john
For small sites or sort lists its usable.
For larger sites or ones where you want a better control than manually
typing each out. external_acl_type is you friend.
An external ACL script can take the %LOGIN and %DST etc and lookup a
database of who and where they are allowed. The result can be used in
one place to allow/deny.
http://www.squid-cache.org/Versions/v2/2.6/cfgman/external_acl_type.html
external_acl_type blah .....
acl foo external blah
http_access allow foo
http_access deny all
>
> acl Microsoft dstdomain .microsoft.com .microsoft.it
>
> http_access deny Microsoft administrator
> http_access deny administrator
> http_access allow Microsoft assistenza
> http_access deny assistenza
>
> # Final rules:
>
> http_access deny all
> http_reply_access allow all
> acl FTP proto FTP
> always_direct allow FTP
>
> #--------------------------------------------------------
> # note 33,2 lets you see which acl allowed or denied
> debug_options ALL,1 33,2
>
>
-- Please use Squid 2.6.STABLE20 or 3.0.STABLE5Received on Tue May 13 2008 - 14:00:24 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT