HPE Community
Operating System - Linux
1828895 Members
2214 Online
109985 Solutions
New Discussion

Squid configuration

 
SOLVED
Go to solution
Jerome Henry
Honored Contributor

‎07-14-2003 05:31 AM

‎07-14-2003 05:31 AM

Squid configuration

Hi everyone,

Few questions today, here's one :

I'm setting up a squid proxy, for about 300 machines network, all mixed Unix all kinds and windows all versions.

I want to creat 3 kinds of users :
- user A : can freely access all the web ;
- user B : can access only some sites, I'll define in access list ;
- user C : can't access the web.

I know how to set up access list, I guess how to set up ncsa_auth, but I'm stuck on how to make people identify themselves, and then use this identification to apply the required access list.

Any idea ? Maybe this ident stuff (but how does it work) ?

Tks

J
You can lean only on what resists you...
0 Kudos
Reply
14 REPLIES 14
Balaji N
Honored Contributor

‎07-14-2003 06:12 AM

‎07-14-2003 06:12 AM

Re: Squid configuration

hi

i am not sure if i understood ur question correctly. i had implemented squid for someone sometime back and this is what i remember.


1. use three different files containing the list of users for different category.

2. first use the http_deny for the user C

3. then http_allow for user B with site list

4. then http_allow for user A

since squid reads the acl from top to bottom, it will server your purpose.

did i get u right.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎07-14-2003 06:21 AM

‎07-14-2003 06:21 AM

Re: Squid configuration

Could you detail a little more ? Some kid of example ACL ? How do I use your files ?

Hey, you're about to be Lnx Wzd too soon ! Maybe today (my time) : don't sleep tonight when on US daylight time !

J
You can lean only on what resists you...
0 Kudos
Reply
Balaji N
Honored Contributor

‎07-14-2003 07:46 AM

‎07-14-2003 07:46 AM

Re: Squid configuration

give me some time. need to read thru the man pages before i comment. may be if not tonight, tomorrow morning, indian time.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
U.SivaKumar_2
Honored Contributor

‎07-14-2003 07:59 AM

‎07-14-2003 07:59 AM

Re: Squid configuration

Hi,

use identd daemon for windows 98 on all your client PCs. squid is able to listen for identd messages from clients.

Therefore you can now configure ACL by user wise which identd supplies when conecting to squid server.

regards,
U.SivaKumar
Innovations are made when conventions are broken
0 Kudos
Reply
Balaji N
Honored Contributor

‎07-14-2003 08:44 AM

‎07-14-2003 08:44 AM

Re: Squid configuration

hi

this is what i could recollect


authenticate_program /usr/local/bin/htpasswd /usr/local/squid/etc/passwd

http_deny all

acl classC proxy_auth c1 c2 c3 c4
http_access deny classC

acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail


http_access allow classB classBUrl

acl classA proxy_auth a1 a2 a3 a4
http_access allow classA

++++++++++++++
hope this gives some insight. the only thing i dont remember how to give a file name containing a list of all users instead of specifying them in the acl line itself.

hope this works. post back your config if possible.
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
Balaji N
Honored Contributor

‎07-14-2003 08:46 AM

‎07-14-2003 08:46 AM

Re: Squid configuration

hi again

guess
+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail


http_access allow classB classBUrl
+++++++++++++++++++++++++++++++++++

should be like

+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex mail chat porn


http_access allow classB !classBUrl
+++++++++++++++++++++++++++++++++++
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
Avinoam
Frequent Advisor

‎07-14-2003 08:52 AM

‎07-14-2003 08:52 AM

Solution

Re: Squid configuration

hello there

i implemented this kind of configuration at my network and it is working great.
first of all you should make acl's :

acl for your user B :
acl User-B src "/Admin/Squid/User-B"

acl for your user C :
acl User-C src "/Admin/Squid/User-C"

acl for the web-sites that user B can Access :
acl B-sites url_regex "/Admin/Squid/B-sites"


in the User-B acl file you should put the computer name of the computers that need access only to some sites

in the User-C acl file you should put the computer name of the computers that will have no access to the web

in the B-sites acl file you should put the
the sites that you wish to enable for user-B

Ok now that we have all the acl files ready we should put the http_acess Directive in the right formation try :

http_access deny User-C
http_access allow B-sites User-B
http_access deny User-B

good Luck !!


Sababa
Reply
Jerome Henry
Honored Contributor

‎07-14-2003 07:59 PM

‎07-14-2003 07:59 PM

Re: Squid configuration

Avinoam got it ! I tried your configuration, and it works perfectly. I just added a slight ncsa_auth touch.

Thanks everyone.

I finally didn't use identd as Windows users can easilly abuse this, loading their own identd. The idea of setting up acls in files seemed to me smarter than writing it down directly in conf file, even if you see from your points Total, Balaji, that I appreciated work and time spent.

:]

J
You can lean only on what resists you...
0 Kudos
Reply
Balaji N
Honored Contributor

‎07-14-2003 08:06 PM

‎07-14-2003 08:06 PM

Re: Squid configuration

:-)
thanks
-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-14-2003 08:08 PM

‎07-14-2003 08:08 PM

Re: Squid configuration

Whilst it's not a bad idea to limit based on workstation, the idea behind limiting to user is better.

All browsers these days have the ability to authenticate to the proxy server. This will then force the user to enter user/pass details in order to gain Web access.

This means that users A can go to any terminal and view their pages, and users B can also go to any terminal and access the same stuff they normally can, and user C can't access squat no matter where they go.

It's a more maulable way of doing things.
One long-haired git at your service...
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎07-14-2003 08:18 PM

‎07-14-2003 08:18 PM

Re: Squid configuration

Hi Stuart,

Here again is a time zone issue for you !

The idea was merely that the company I design this for is using DHCP and, as you say, users can change their connection machine easily.

Do you have this kind of user based configuration suggestion ?

J
You can lean only on what resists you...
0 Kudos
Reply
Balaji N
Honored Contributor

‎07-14-2003 08:21 PM

‎07-14-2003 08:21 PM

Re: Squid configuration

i think then u can use the configuration sent by me.

do u have the username/password details ready already?

-balaji
Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-14-2003 08:24 PM

‎07-14-2003 08:24 PM

Re: Squid configuration

*nod*nod* what Balaji said.

The ACL's themselves that the other guy pasted were fine, but instead of the user-list, you'd use Balaji's auth lines. They might be able to take a file-name list of user-names though.. I'm not sure.
One long-haired git at your service...
0 Kudos
Reply
Jerome Henry
Honored Contributor

‎07-14-2003 08:36 PM

‎07-14-2003 08:36 PM

Re: Squid configuration

Just a way not to leave anyone out.

I getting to the Co. now, I'll pick up users and url lists there !

Have a nice day, I'm leaving all the points for you today :]]

J
You can lean only on what resists you...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.