[squid-users] Squid ACL per-user basis

From: CASALI COMPUTERS - Michele Brodoloni <m.brodoloni_at_casalicomputers.com>
Date: Thu, 8 Apr 2010 11:11:34 +0200

Hello,
i'm using squid 2.6 Version 2.6.STABLE21 (provided with CentOS 5.x), using NTLM AUTH.
Since I'm able to apply ACLs to Windows Groups, I'm just wondering if I can apply an ACL only to a single user.
Should I need to create a group only for that user and apply an acl to that group or there's a different way?

Thanks

Here's my config (some comments are in italian):
---------------------------------------------
http_port 8080
hierarchy_stoplist cgi-bin ?
cache_mem 4 MB
cache_swap_low 85
cache_swap_high 90
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
auth_param ntlm program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic program /usr/lib64/squid/ntlm_auth DOMAIN/PDC # Hidden for privacy
auth_param basic children 5
auth_param basic realm Squid Access
auth_param basic credentialsttl 2 hours
external_acl_type check-group ttl=0 concurrency=0 %LOGIN /usr/lib64/squid/wbinfo_group.pl
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.1.0/255.255.255.0
acl to_lan dst 192.168.1.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?

acl autenticati proxy_auth REQUIRED
acl siti_blacklist url_regex "/etc/squid/blacklist.txt"
acl siti_whitelist url_regex "/etc/squid/whitelist.txt"
acl siti_limitati url_regex "/etc/squid/limitati.txt"
acl titolari external check-group group1
acl dipendenti external check-group group2
acl limitati external check-group group3

# Things never to cache
#no_cache deny QUERY
# Enable this if you don't want any caching
#no_cache deny all

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Permettiamo l'accesso dal computer locale senza restrizioni
http_access allow localhost

# Permettiamo l'accesso dalla rete locale verso tutta la rete
http_access allow to_lan lan
# Permettiamo l'accesso dalla rete locale verso dei siti in whitelist
http_access allow siti_whitelist lan

# Accesso senza restrizioni per i titolari
http_access allow titolari

# I dipendenti possono visitare tutti i siti web ad eccezione
# di quelli listati nel file di blacklist
http_access allow !siti_blacklist dipendenti

# Gli utenti limitati possono accedere solamente ad alcuni siti
http_access allow siti_limitati limitati

# Tutti gli altri accessi sono negati
http_access deny !autenticati
http_access deny all

http_reply_access allow all

acl FTP proto FTP
always_direcache_mgr manager_at_mylan.com
cache_effective_user squid
cache_effective_group squid

# I have very little RAM, so I set this off. YMMV
memory_pools on
forwarded_for on
#error_directory /etc/squid/errors
coredump_dir /var/spool/squid

# note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2ct allow FTP
------------------------------------------------------
Received on Thu Apr 08 2010 - 09:16:44 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 08 2010 - 12:00:03 MDT