Re: [squid-users] acl auth & time

From: Chris Robertson <crobertson_at_gci.net>
Date: Mon, 26 Oct 2009 16:55:00 -0800

Michael Gargiullo wrote:
> I have a small squid proxy setup and running with basic
> authentication. It works.
>
> However, what I'd ultimately like to have is for three users to be
> blocked from 6am until 5:30pm, while 2 users are not time restricted.
>
> It appears to work; however, if one of the three users that do not have
> access during the day tries to gain access, they are not presented
> with a 'denied' page. They only continue to get the login prompt.
>
> I'm new to squid. Am I missing something obvious?
>
> squid.conf:
>
> visible_hostname coral
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_user
> auth_param basic children 5
> auth_param basic realm Monitored Surfing
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl internal src 192.168.142.0/24
> acl kids proxy_auth bob lisa marc
> acl parents proxy_auth john mike
> acl allu proxy_auth REQUIRED
>
> acl schooltime time M T W H 06:00-17:30
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access allow parents
> http_access deny schooltime kids
>

Change...

http_access deny schooltime kids
 
...to...

http_access deny kids schooltime

...as Squid allows a client to re-authenticate if the deny ends with a
proxy_auth acl.

> http_access allow allu
>
> http_access allow localhost
> http_access deny all
> icp_access allow all
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid/access.log common
> logfile_rotate 9
> log_fqdn on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> coredump_dir /var/spool/squid
>
> --
> Michael Gargiullo
> Chief
> East Windsor Township Rescue Squad, District 1
>

Chris
Received on Tue Oct 27 2009 - 00:55:20 MDT
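
Added example (not part of the original messages, and not Squid's own code): a small Python check that scans a squid.conf for http_access deny rules whose last ACL is a proxy_auth type, the case described in the reply above. The sample configuration is constructed from lines quoted in the thread; the function names and the restriction to the proxy_auth and proxy_auth_regex ACL types are assumptions of this example.

```python
# Added example: flag "http_access deny" rules that end in an authentication ACL.
# Per the reply in this thread, such a rule lets the client re-authenticate
# (repeated login prompt) instead of showing a denied page.

# Simplification (assumption): only these ACL types are treated as auth ACLs.
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Constructed sample: the relevant lines of the configuration quoted in the thread.
SAMPLE_CONF = """\
acl kids proxy_auth bob lisa marc
acl parents proxy_auth john mike
acl allu proxy_auth REQUIRED
acl schooltime time M T W H 06:00-17:30
http_access allow parents
http_access deny schooltime kids
http_access allow allu
http_access deny all
"""

def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def find_reauth_denies(conf_text):
    """Return (line_number, rule) for each deny rule whose last ACL is an auth ACL."""
    auth_acls = set()
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        fields = strip_comment(raw).split()
        if len(fields) < 3:
            continue
        if fields[0] == "acl" and fields[2] in AUTH_TYPES:
            # Remember the name of every ACL defined with an auth type.
            auth_acls.add(fields[1])
        elif fields[0] == "http_access" and fields[1] == "deny":
            # Assumption: a negated ACL (!name) in last position is treated the same.
            last = fields[-1].lstrip("!")
            if last in auth_acls:
                findings.append((number, " ".join(fields)))
    return findings

if __name__ == "__main__":
    for number, rule in find_reauth_denies(SAMPLE_CONF):
        print(f"line {number}: '{rule}' ends in an auth ACL; "
              "put a non-auth ACL last to get a denied page")
```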
