Squid configuration

 
SOLVED
Jerome Henry
Honored Contributor

Squid configuration

Hi everyone,

Few questions today, here's one :

I'm setting up a squid proxy, for about 300 machines network, all mixed Unix all kinds and windows all versions.

I want to create 3 kinds of users :
- user A : can freely access all the web ;
- user B : can access only some sites, I'll define in access list ;
- user C : can't access the web.

I know how to set up access list, I guess how to set up ncsa_auth, but I'm stuck on how to make people identify themselves, and then use this identification to apply the required access list.

Any idea ? Maybe this ident stuff (but how does it work) ?

Tks

J
You can lean only on what resists you...
14 REPLIES
Balaji N
Honored Contributor

Re: Squid configuration

hi

i am not sure if i understood ur question correctly. i had implemented squid for someone sometime back and this is what i remember.


1. use three different files containing the list of users for different category.

2. first use the http_deny for the user C

3. then http_allow for user B with site list

4. then http_allow for user A

since squid reads the acl from top to bottom, it will serve your purpose.

did i get u right.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Jerome Henry
Honored Contributor

Re: Squid configuration

Could you detail a little more ? Some kind of example ACL ? How do I use your files ?

Hey, you're about to be Lnx Wzd too soon ! Maybe today (my time) : don't sleep tonight when on US daylight time !

J
You can lean only on what resists you...
Balaji N
Honored Contributor

Re: Squid configuration

give me some time. need to read thru the man pages before i comment. may be if not tonight, tomorrow morning, indian time.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
U.SivaKumar_2
Honored Contributor

Re: Squid configuration

Hi,

use identd daemon for windows 98 on all your client PCs. squid is able to listen for identd messages from clients.

Therefore you can now configure ACL by user wise which identd supplies when connecting to squid server.

regards,
U.SivaKumar
Innovations are made when conventions are broken
Balaji N
Honored Contributor

Re: Squid configuration

hi

this is what i could recollect


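# the program named here must be an authentication helper such as ncsa_auth;
# htpasswd only creates the password file
authenticate_program /usr/local/bin/htpasswd /usr/local/squid/etc/passwd

acl classC proxy_auth c1 c2 c3 c4
http_access deny classC

acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail


http_access allow classB classBUrl

acl classA proxy_auth a1 a2 a3 a4
http_access allow classA

# default deny goes last: http_access lines are matched top to bottom
http_access deny all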

++++++++++++++
hope this gives some insight. the only thing i don't remember how to give a file name containing a list of all users instead of specifying them in the acl line itself.

hope this works. post back your config if possible.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Balaji N
Honored Contributor

Re: Squid configuration

hi again

guess
+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail


http_access allow classB classBUrl
+++++++++++++++++++++++++++++++++++

should be like

+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex mail chat porn


http_access allow classB !classBUrl
+++++++++++++++++++++++++++++++++++
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
Avinoam
Frequent Advisor
Solution

Re: Squid configuration

hello there

i implemented this kind of configuration at my network and it is working great.
first of all you should make acl's :

acl for your user B :
acl User-B src "/Admin/Squid/User-B"

acl for your user C :
acl User-C src "/Admin/Squid/User-C"

acl for the web-sites that user B can Access :
acl B-sites url_regex "/Admin/Squid/B-sites"


in the User-B acl file you should put the computer name of the computers that need access only to some sites

in the User-C acl file you should put the computer name of the computers that will have no access to the web

in the B-sites acl file you should put
the sites that you wish to enable for user-B

Ok now that we have all the acl files ready we should put the http_access Directive in the right formation try :

http_access deny User-C
http_access allow B-sites User-B
http_access deny User-B

good Luck !!


Sababa
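An added example, not part of the post above: a small Python model of how Squid evaluates the three posted http_access lines (ACLs on one line are ANDed, the first matching line wins, and if no line matches the result is the opposite of the last line). The addresses, site patterns, the `User-A` ACL and the `HARDENED` variant are constructed assumptions; they show that the posted rules let any unlisted machine through by default, while an explicit allow for user A plus a final deny does not.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample contents for the ACL files; User-A and all are assumptions.
ACLS = {
    "User-A": ("src", ["10.0.1.0/24"]),
    "User-B": ("src", ["10.0.2.0/24"]),
    "User-C": ("src", ["10.0.3.0/24"]),
    "all": ("src", ["0.0.0.0/0"]),
    "B-sites": ("url_regex", [r"intranet\.example\.com", r"docs\.example\.org"]),
}

# The three http_access lines as posted in the answer.
RULES = """
http_access deny User-C
http_access allow B-sites User-B
http_access deny User-B
"""

# Hypothetical hardened variant: user A is listed explicitly, everything else denied.
HARDENED = RULES + "http_access allow User-A\nhttp_access deny all\n"

def acl_matches(name, client_ip, url):
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = any(ip_address(client_ip) in ip_network(v) for v in values)
    else:  # url_regex
        hit = any(re.search(v, url) for v in values)
    return hit != negate

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        _, action, *names = line.split()
        rules.append((action, names))
    return rules

def decide(client_ip, url, rules_text=RULES):
    rules = parse_rules(rules_text)
    for action, names in rules:
        # Every ACL on the line must match; the first matching line decides.
        if all(acl_matches(n, client_ip, url) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"
```
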
Jerome Henry
Honored Contributor

Re: Squid configuration

Avinoam got it ! I tried your configuration, and it works perfectly. I just added a slight ncsa_auth touch.

Thanks everyone.

I finally didn't use identd as Windows users can easily abuse this, loading their own identd. The idea of setting up acls in files seemed to me smarter than writing it down directly in conf file, even if you see from your points Total, Balaji, that I appreciated work and time spent.

:]

J
You can lean only on what resists you...
Balaji N
Honored Contributor

Re: Squid configuration

:-)
thanks
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.