Re: [squid-users] NTLM filtering single user

From: Luca Dell'Oca <ldelloca_at_arkam.it>
Date: Wed, 14 May 2008 23:53:08 +0200

On 5/13/08 4:00 PM, "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:

>>
>> acl Java browser Java/1.4 Java/1.5
>> http_access allow Java
>
> Ah, bingo. great big security hole.
> Anyone claiming to be Java now gets unlimited web browsing. And I do
> mean ANYONE, anywhere on the net.

I've said I am a newbie :-) So, how should I write this one? I found the
example on the internet and thought it would be right.

>> http_access allow localhost
>> http_access deny blockcache AuthUser
>> http_access allow allowedurls AuthUser
>> acl lunchbreak time D 13:00-14:00
>> acl lunchbreaksites dstdomain "/etc/squid/lunchbreaksites"
>> http_access allow lunchbreak lunchbreaksites
>>
> So far it looks okay. Those are all everyone-or-nobody right?

Exactly, we have caching sites like google and yahoo in the "blockcache" file
and sites everyone can see in "allowedurls". Same for "lunchbreaksites":
everyone during this period can see those sites.

>> # User by user ACL:
>>
>> acl administrator proxy_auth REQUIRED
>> acl assistenza proxy_auth REQUIRED
>
> Here is where the problems start.
> 'REQUIRED' means only that the person MUST login. Squid does not care
> what the username/password is, just that it authenticates.
>
> To get specific user having access to a specific site you need to list
> the username in the acl. Like so:
>
> acl administrator proxy_auth admin Administrator
> acl assistent proxy_auth john
>
> For small sites or short lists it's usable.
> For larger sites or ones where you want better control than manually
> typing each out, external_acl_type is your friend.
>
> An external ACL script can take the %LOGIN and %DST etc and lookup a
> database of who and where they are allowed. The result can be used in
> one place to allow/deny.
> http://www.squid-cache.org/Versions/v2/2.6/cfgman/external_acl_type.html
>
> external_acl_type blah .....
> acl foo external blah
> http_access allow foo
> http_access deny all

Thanks so much for the hint, I will try on Monday when I'm back in the
office. Right now I think we will use the internal list in squid.conf, since
we don't have that many users, but I'll also try the external_acl, so I can
learn something for the future!!!

I will let you know about the tests.

Luca.

Received on Wed May 14 2008 - 21:53:13 MDT
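The external ACL helper Amos sketches above (a script fed %LOGIN and %DST that answers OK or ERR per request), written out as an added example that is not part of the original thread or of Squid itself. The helper name, path, the "userdst" ACL name and the per-user policy table are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper (added example, not from the thread).

Assumed squid.conf lines, following Amos's sketch (names are made up):
  external_acl_type userdst %LOGIN %DST /usr/local/bin/userdst_helper.py
  acl peruser external userdst
  http_access allow peruser
  http_access deny all

Squid writes one request per line on stdin ("<login> <dst>") and expects
exactly one "OK" or "ERR" line back for each request.
"""
import sys

# Constructed sample policy: login -> destination domains (plus their
# subdomains) that user may reach. A real deployment would load this from
# a file or database, as suggested in the thread.
ALLOWED = {
    "admin": {"*"},                                   # unrestricted
    "john": {"example.com", "support.example.net"},
}

def domain_matches(dst, allowed_domain):
    """True if dst equals allowed_domain or is a subdomain of it."""
    if allowed_domain == "*":
        return True
    dst = dst.lower().rstrip(".")
    allowed_domain = allowed_domain.lower().rstrip(".")
    return dst == allowed_domain or dst.endswith("." + allowed_domain)

def decide(line):
    """Evaluate one helper request line; returns 'OK' or 'ERR'.

    Malformed lines, unknown users and unlisted destinations all deny, so
    the helper fails closed. This is the difference from 'proxy_auth
    REQUIRED', which only checks that *somebody* logged in.
    """
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"
    login, dst = parts
    login = login.split("\\")[-1].lower()   # NTLM may send DOMAIN\user
    domains = ALLOWED.get(login)
    if not domains:
        return "ERR"
    return "OK" if any(domain_matches(dst, d) for d in domains) else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()   # Squid waits for each answer; never buffer

if __name__ == "__main__":
    main()
```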