Solved: Re: Squid configuration

Jerome Henry · ‎07-14-2003

Hi everyone,

Few questions today, here's one :

I'm setting up a squid proxy, for about 300 machines network, all mixed Unix all kinds and windows all versions.

I want to creat 3 kinds of users :
- user A : can freely access all the web ;
- user B : can access only some sites, I'll define in access list ;
- user C : can't access the web.

I know how to set up access list, I guess how to set up ncsa_auth, but I'm stuck on how to make people identify themselves, and then use this identification to apply the required access list.

Any idea ? Maybe this ident stuff (but how does it work) ?

Tks

J

You can lean only on what resists you...

Balaji N · ‎07-14-2003

hi

i am not sure if i understood ur question correctly. i had implemented squid for someone sometime back and this is what i remember.

1. use three different files containing the list of users for different category.

2. first use the http_deny for the user C

3. then http_allow for user B with site list

4. then http_allow for user A

since squid reads the acl from top to bottom, it will server your purpose.

did i get u right.
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Jerome Henry · ‎07-14-2003

Could you detail a little more ? Some kid of example ACL ? How do I use your files ?

Hey, you're about to be Lnx Wzd too soon ! Maybe today (my time) : don't sleep tonight when on US daylight time !

J

You can lean only on what resists you...

Balaji N · ‎07-14-2003

give me some time. need to read thru the man pages before i comment. may be if not tonight, tomorrow morning, indian time.
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

U.SivaKumar_2 · ‎07-14-2003

Hi,

use identd daemon for windows 98 on all your client PCs. squid is able to listen for identd messages from clients.

Therefore you can now configure ACL by user wise which identd supplies when conecting to squid server.

regards,
U.SivaKumar

Innovations are made when conventions are broken

Balaji N · ‎07-14-2003

hi

this is what i could recollect

authenticate_program /usr/local/bin/htpasswd /usr/local/squid/etc/passwd

http_deny all

acl classC proxy_auth c1 c2 c3 c4
http_access deny classC

acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail

http_access allow classB classBUrl

acl classA proxy_auth a1 a2 a3 a4
http_access allow classA

++++++++++++++
hope this gives some insight. the only thing i dont remember how to give a file name containing a list of all users instead of specifying them in the acl line itself.

hope this works. post back your config if possible.
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Balaji N · ‎07-14-2003

hi again

guess
+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex !mail

http_access allow classB classBUrl
+++++++++++++++++++++++++++++++++++

should be like

+++++++++++++++++++++++++++++++++++
acl classB proxy_auth b1 b2 b3 b4
acl classBUrl url_regex mail chat porn

http_access allow classB !classBUrl
+++++++++++++++++++++++++++++++++++

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Avinoam · ‎07-14-2003

hello there

i implemented this kind of configuration at my network and it is working great.
first of all you should make acl's :

acl for your user B :
acl User-B src "/Admin/Squid/User-B"

acl for your user C :
acl User-C src "/Admin/Squid/User-C"

acl for the web-sites that user B can Access :
acl B-sites url_regex "/Admin/Squid/B-sites"

in the User-B acl file you should put the computer name of the computers that need access only to some sites

in the User-C acl file you should put the computer name of the computers that will have no access to the web

in the B-sites acl file you should put the
the sites that you wish to enable for user-B

Ok now that we have all the acl files ready we should put the http_acess Directive in the right formation try :

http_access deny User-C
http_access allow B-sites User-B
http_access deny User-B

good Luck !!

Sababa

Jerome Henry · ‎07-14-2003

Avinoam got it ! I tried your configuration, and it works perfectly. I just added a slight ncsa_auth touch.

Thanks everyone.

I finally didn't use identd as Windows users can easilly abuse this, loading their own identd. The idea of setting up acls in files seemed to me smarter than writing it down directly in conf file, even if you see from your points Total, Balaji, that I appreciated work and time spent.

:]

J

You can lean only on what resists you...

Balaji N · ‎07-14-2003

:-)
thanks
-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Stuart Browne · ‎07-14-2003

Whilst it's not a bad idea to limit based on workstation, the idea behind limiting to user is better.

All browsers these days have the ability to authenticate to the proxy server. This will then force the user to enter user/pass details in order to gain Web access.

This means that users A can go to any terminal and view their pages, and users B can also go to any terminal and access the same stuff they normally can, and user C can't access squat no matter where they go.

It's a more maulable way of doing things.

One long-haired git at your service...

Jerome Henry · ‎07-14-2003

Hi Stuart,

Here again is a time zone issue for you !

The idea was merely that the company I design this for is using DHCP and, as you say, users can change their connection machine easily.

Do you have this kind of user based configuration suggestion ?

J

You can lean only on what resists you...

Balaji N · ‎07-14-2003

i think then u can use the configuration sent by me.

do u have the username/password details ready already?

-balaji

Its Always Important To Know, What People Think Of You. Then, Of Course, You Surprise Them By Giving More.

Stuart Browne · ‎07-14-2003

*nod*nod* what Balaji said.

The ACL's themselves that the other guy pasted were fine, but instead of the user-list, you'd use Balaji's auth lines. They might be able to take a file-name list of user-names though.. I'm not sure.

One long-haired git at your service...

Jerome Henry · ‎07-14-2003

Just a way not to leave anyone out.

I getting to the Co. now, I'll pick up users and url lists there !

Have a nice day, I'm leaving all the points for you today :]]

J

You can lean only on what resists you...