topic Re: Squid configuration in Operating System - Linux

Squid configuration

Jerome Henry — Mon, 14 Jul 2003 12:31:02 GMT

Hi everyone,

Few questions today, here's one :

I'm setting up a squid proxy, for about 300 machines network, all mixed Unix all kinds and windows all versions.

I want to creat 3 kinds of users :
- user A : can freely access all the web ;
- user B : can access only some sites, I'll define in access list ;
- user C : can't access the web.

I know how to set up access list, I guess how to set up ncsa_auth, but I'm stuck on how to make people identify themselves, and then use this identification to apply the required access list.

Any idea ? Maybe this ident stuff (but how does it work) ?

Tks

J

Re: Squid configuration

Balaji N — Mon, 14 Jul 2003 13:12:18 GMT

hi

i am not sure if i understood ur question correctly. i had implemented squid for someone sometime back and this is what i remember.

1. use three different files containing the list of users for different category.

2. first use the http_deny for the user C

3. then http_allow for user B with site list

4. then http_allow for user A

since squid reads the acl from top to bottom, it will server your purpose.

did i get u right.
-balaji

Re: Squid configuration

Jerome Henry — Mon, 14 Jul 2003 13:21:30 GMT

Could you detail a little more ? Some kid of example ACL ? How do I use your files ?

Hey, you're about to be Lnx Wzd too soon ! Maybe today (my time) : don't sleep tonight when on US daylight time !

J

Re: Squid configuration

Balaji N — Mon, 14 Jul 2003 14:46:10 GMT

give me some time. need to read thru the man pages before i comment. may be if not tonight, tomorrow morning, indian time.
-balaji

Re: Squid configuration

U.SivaKumar_2 — Mon, 14 Jul 2003 14:59:54 GMT

Hi,

use identd daemon for windows 98 on all your client PCs. squid is able to listen for identd messages from clients.

Therefore you can now configure ACL by user wise which identd supplies when conecting to squid server.

regards,
U.SivaKumar

Re: Squid configuration

Balaji N — Mon, 14 Jul 2003 15:44:04 GMT

hi

this is what i could recollect

authenticate_program /usr/local/bin/htpasswd /usr/local/squid/etc/passwd

http_deny all

acl classC proxy_auth c1 c2 c3 c4
http_access deny classC

acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail

http_access allow classB classBUrl

acl classA proxy_auth a1 a2 a3 a4
http_access allow classA

++++++++++++++
hope this gives some insight. the only thing i dont remember how to give a file name containing a list of all users instead of specifying them in the acl line itself.

hope this works. post back your config if possible.
-balaji

Re: Squid configuration

Balaji N — Mon, 14 Jul 2003 15:46:11 GMT

hi again

guess
+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail

http_access allow classB classBUrl
+++++++++++++++++++++++++++++++++++

should be like

+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex mail chat porn

http_access allow classB !classBUrl
+++++++++++++++++++++++++++++++++++

Re: Squid configuration

Avinoam — Mon, 14 Jul 2003 15:52:28 GMT

hello there

i implemented this kind of configuration at my network and it is working great.
first of all you should make acl's :

acl for your user B :
acl User-B src "/Admin/Squid/User-B"

acl for your user C :
acl User-C src "/Admin/Squid/User-C"

acl for the web-sites that user B can Access :
acl B-sites url_regex "/Admin/Squid/B-sites"

in the User-B acl file you should put the computer name of the computers that need access only to some sites

in the User-C acl file you should put the computer name of the computers that will have no access to the web

in the B-sites acl file you should put the
the sites that you wish to enable for user-B

Ok now that we have all the acl files ready we should put the http_acess Directive in the right formation try :

http_access deny User-C
http_access allow B-sites User-B
http_access deny User-B

good Luck !!

Re: Squid configuration

Jerome Henry — Tue, 15 Jul 2003 02:59:10 GMT

Avinoam got it ! I tried your configuration, and it works perfectly. I just added a slight ncsa_auth touch.

Thanks everyone.

I finally didn't use identd as Windows users can easilly abuse this, loading their own identd. The idea of setting up acls in files seemed to me smarter than writing it down directly in conf file, even if you see from your points Total, Balaji, that I appreciated work and time spent.

:]

J

Re: Squid configuration

Balaji N — Tue, 15 Jul 2003 03:06:25 GMT

:-)
thanks
-balaji

Re: Squid configuration

Stuart Browne — Tue, 15 Jul 2003 03:08:34 GMT

Whilst it's not a bad idea to limit based on workstation, the idea behind limiting to user is better.

All browsers these days have the ability to authenticate to the proxy server. This will then force the user to enter user/pass details in order to gain Web access.

This means that users A can go to any terminal and view their pages, and users B can also go to any terminal and access the same stuff they normally can, and user C can't access squat no matter where they go.

It's a more maulable way of doing things.

Re: Squid configuration

Jerome Henry — Tue, 15 Jul 2003 03:18:10 GMT

Hi Stuart,

Here again is a time zone issue for you !

The idea was merely that the company I design this for is using DHCP and, as you say, users can change their connection machine easily.

Do you have this kind of user based configuration suggestion ?

J

Re: Squid configuration

Balaji N — Tue, 15 Jul 2003 03:21:27 GMT

i think then u can use the configuration sent by me.

do u have the username/password details ready already?

-balaji

Re: Squid configuration

Stuart Browne — Tue, 15 Jul 2003 03:24:00 GMT

*nod*nod* what Balaji said.

The ACL's themselves that the other guy pasted were fine, but instead of the user-list, you'd use Balaji's auth lines. They might be able to take a file-name list of user-names though.. I'm not sure.

Re: Squid configuration

Jerome Henry — Tue, 15 Jul 2003 03:36:38 GMT

Just a way not to leave anyone out.

I getting to the Co. now, I'll pick up users and url lists there !

Have a nice day, I'm leaving all the points for you today :]]

J