Operating System - Linux

Re: Controlling internet access with Squid proxy

 
mvr
Regular Advisor

Controlling internet access with Squid proxy

I would like to know if it is possible to control user access to the internet with Squid proxy. I would like to be able to restrict some users to just a few websites (like lookups for UPS or FedEx), and the rest should be unavailable to them.
Do I need to use a RADIUS server for authentication, or can Squid proxy authenticate them?

Miro
Ian Meyer_2
Occasional Advisor

Re: Controlling internet access with Squid proxy

You can control access through Squid using ACLs in the squid.conf file.

acl ups dstdomain www.ups.com
# http_access rules are checked in order and the first match wins,
# so the allow has to come before the final deny.
http_access allow ups
http_access deny all

A good resource is the Squid FAQ located here: http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.1

It explains ACLs and the different ways you can go about setting them up quite well.
mvr
Regular Advisor

Re: Controlling internet access with Squid proxy


Thank you for the information. This looks to me like it will deny access for EVERYBODY to anything except UPS. My next question would be whether I could accomplish the same, but based on a single user or group.

Miro
Stuart Browne
Honored Contributor

Re: Controlling internet access with Squid proxy

Squid has a number of different authentication plugins (I'm sure there's a RADIUS one around somewhere), and yes, you can tie the logged-in user to given ACL classes.

The FAQ (URL in the previous answer) has all the answers you are looking for. Just read through it a bit more, and you'll answer your questions.
One long-haired git at your service...
Ian Meyer_2
Occasional Advisor

Re: Controlling internet access with Squid proxy

Depending on how complex your network is, you could use something like the following:

acl client src 192.168.2.0
acl domain dstdomain .ups.com
http_access allow client domain
http_access deny all

If you are looking to implement this for more than 10 users, I would look into proxy_auth. You can find all of the relevant information for proxy_auth here: http://www.squid-cache.org/Doc/FAQ/FAQ-19.html#configuring-proxy-auth
mvr
Regular Advisor

Re: Controlling internet access with Squid proxy

I read the document that you sent me. A lot of great information.
I still don't understand how this can be done if the Squid proxy is in the DMZ and the computers are running in the trusted zone.

Miro
Ian Meyer_2
Occasional Advisor

Re: Controlling internet access with Squid proxy

Not knowing your network topology, I can only add that Squid knows who is accessing it and what IP they are coming from, as long as that IP address is not forwarded by a firewall or anything similar. So as long as Squid can see each machine's individual IP address, you should be fine. If not, that's a definite need for proxy_auth.

Does that make any sense?
Stuart Browne
Honored Contributor

Re: Controlling internet access with Squid proxy

Given that you've got a trusted zone (which is probably being NAT'd out), and Squid in the DMZ (Huh? Why? Put that inside too!), you'd probably have to go with some form of user authentication.

Expanding on Ian's example..

acl Courier_Users proxy_auth
acl ALL proxy_auth REQUIRED
acl domain dstdomain .ups.com .fedex.com
http_access allow Courier_Users domain
http_access deny all Courier_Users

(expanded from sections 10 and 19 of the FAQ)

You'll need to set up an external Auth program (see the documentation on that), but this should restrict '' etc. to only accessing those domains.

If you aren't in a NAT'd environment, then you can tie it down to workstation, either by src, or by something else.
One long-haired git at your service...
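
A fuller squid.conf sketch of the per-user restriction discussed in this thread, added here as an example and not taken from any poster's configuration. It assumes Squid 3.2 or later with the NCSA basic-auth helper; the helper path, password file and the usernames alice and bob are constructed placeholders.

```conf
# --- Authentication ---
# Assumed helper path and password file; both vary by distribution.
# Create the file with: htpasswd -c /etc/squid/passwd alice
# Note: basic auth is only base64-encoded between browser and proxy,
# so keep that hop on a network you trust.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# --- ACL definitions ---
# Constructed usernames for the restricted group.
acl courier_users proxy_auth alice bob
# Matches any user who presents valid credentials.
acl authenticated proxy_auth REQUIRED
# A leading dot matches the domain and all of its subdomains.
acl courier_sites dstdomain .ups.com .fedex.com

# --- Access rules: checked top to bottom, first match wins ---
# Restricted users may reach only the courier sites...
http_access allow courier_users courier_sites
# ...and are refused everything else.
http_access deny courier_users
# Every other authenticated user gets normal access.
http_access allow authenticated
# Explicit final deny for anything not matched above.
http_access deny all

# Wrong order, for comparison: "deny all" matches every request first,
# so the allow line below it is never reached.
#   http_access deny all
#   http_access allow courier_users courier_sites
```

Because the restriction keys on the authenticated username rather than the source address, it works the same whether or not the clients reach the proxy through NAT.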