Ankush Grover wrote: > I am using Squid 2.5 on FC3. There are different groups for which I > want to configure squid. (Note: I haven't tried all this...) First question: how do you want to identify users? You can either do this by the IP address of their PCs (which might be simplest), or by insisting that they use usernames and passwords. In that case, you need to work out whether you want to use special proxy passwords, their standard Linux passwords, or something else (LDAP)? You will have to edit /etc/squid/squid.conf in any case. What you will need to do is set up various "access control lists" ("acl"s) and allow or deny access based on these acls. If you want to use IP address, you might use something like acl marketing src 192.168.1.1/255.255.255.240 for computers in the 192.168.1.1 to 192.168.1.15 range. If you want to use passwords, read the notes in squid.conf file around "TAG: auth_param". There are examples in this file: note that the squid RPM has a number of external authentication programs that you can get Squid to use: see rpm -ql squid | grep _auth You can then use something like acl marketing proxy_auth user1 user2 Next you need to set up acls describing what users might want to do: > a) Marketing Executives: > Category Most restrictive > Limit on download for example no object more than 256 kb is allowed > to be downloaded, no messengers allowed, if possible banning of > sending & receiving of attachments through any webbased mail for > example yahoo,gmail etc, banning of downloading of movies,mpeg or > audio files. reply_body_max_size 256000 allow marketing (See http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#ss4.21 : Note that ``creative'' user-agents will still be able to download really large files through the cache using HTTP/1.1 range requests. ) Limiting messengers is difficult: they all use HTTP in different ways. I've got a acl msn rep_mime_type -i ^application/x-msn-messenger$ line in my squid.conf, but I haven't checked that for a while. Best advice is to get hold of all the messenger programs you can, and check the /var/log/squid/access.log to see what they're trying to download. You can similarly try to limit audio/.* files, video/.* files, and other files. Unfortunately, you'll probably also have to try limiting by extensions: acl virustype urlpath_regex -i .pif$ (Internet Explorer, at least, has the reputation of paying more attention to extensions than to MIME filetypes). What you *won't* be able to (easily) do is to stop users downloading zip files containing MPEGs. And gmail and yahoo present attachments for download in the same way as other web sites might present PDFs or Word documents for download: you either ban based on site, or on file type, or both. Once you've got ACLs set up, then you can use http_access rules to limit what users can do. http_access deny marketing msn Hope this helps, James. -- E-mail address: james | How about an Australian-language version? @westexe.demon.co.uk | 'Your program just attempted an illegal instruction. | No worries, mate.' | -- Paul Tomblin -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list