Hi Roy and calin.kalinix.cosma,

Thanks for all the help you have given me. Finally, I got it done.

Binding an IP address to a username with SQUID and limiting access of some users with their IPs to a few sites

Rules added to squid.conf file:

    external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf

    acl ncsa_users proxy_auth REQUIRED
    acl ip_users external ip_user %SRC %LOGIN

    acl clientips src 192.168.101.28 192.168.101.29 192.168.101.30
    acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"

    http_access deny !ncsa_users
    http_access deny !ip_users
    http_access deny clientips !allowedsites
    http_access allow ip_users clientips
    http_access allow ip_users allowedsites
    http_access allow ncsa_users clientips
    http_access allow ncsa_users allowedsites
    http_access deny clientips

Then, I created /etc/squid/ip.conf and added the pairs (IP and username).

    [root@worldnet squid]# cat /etc/squid/ip.conf
    192.168.101.25 indunil
    192.168.101.26 asanka
    192.168.101.28 www28
    192.168.101.29 www29
    192.168.101.30 www30
    192.168.101.90 www90

Then, by using htpasswd, I created /etc/squid/squid_passwd file.

Then, I created /etc/squid/allowedsites.txt file.

    [root@worldnet squid]# cat /etc/squid/allowedsites.txt
    .freebsd.org
    ebay
    cnn.com
    bbc
    google

Then, finally,

    [root@worldnet squid]# /etc/init.d/squid restart

THANKS
INDUNIL

On 3/27/07, Roy Ong <centos-list@xxxxxxxxxx> wrote:
On Tue, 2007-03-27 at 12:58 +0530, Indunil Jayasooriya wrote:
> Hi,
>
> >
> > I think you probably need to combine a few rules together.
> > Consider the following
> >
> > acl ncsa_users proxy_auth REQUIRED
> > acl ip_users external ip_user %SRC %LOGIN %DST
> >
> > acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
> >
> > http_access deny !ncsa_users
> > http_access deny !ip_users
> > http_access allow ip_users ALLOWED_DOMAINS
> > http_access allow ncsa_users ALLOWED_DOMAINS
> > http_access deny all
>
> These rules say that ALL the IPs have access to google.com bbc.com cnn.com.
>
> That is not what I want.

Oh ok - probably I didn't understand your requirements clearly enough - I see that you have provided some details below and I'll attempt there.

> This is my scenario.
>
> There are about 50 users browsing internet. 3 users out of those 50
> misuse internet.
> So I only want to limit these 3 users.
> Let's say their IPs are 192.168.101.25, 192.168.101.26, 192.168.101.30
>
> Now I want to limit these 3 users' internet access to google.com
> bbc.com cnn.com.
> AND, the rest of users should have access to whole world.
>
> I wrote below rules. Pls check !!
>
> external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN
>
> acl clientips src 192.168.101.25 92.168.101.26 192.168.101.30
> acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access allow ip_users clientips
> http_access allow ip_users allowedsites
> http_access allow ncsa_users clientips
> http_access allow ncsa_users allowedsites
> http_access deny clientips

I would probably change to

    http_access deny !ncsa_users
    http_access deny !ip_users
    http_access deny clientips !allowedsites   <---added this
    http_access allow ip_users clientips
    http_access allow ip_users allowedsites
    http_access allow ncsa_users clientips
    http_access allow ncsa_users allowedsites
    http_access deny clientips

The added statement will DENY access if they belong to "clientips" i.e. 192.168.101.25 or 192.168.101.26 or 192.168.101.30 AND they are trying to go to a URL that is NOT defined in /etc/squid/allowedsites.txt

Remembering that http_access statements are carried out in sequence, the following will probably be true for the above

1. DENY if NOT ncsa_users
2. DENY if NOT ip_users
3. DENY if clientips AND NOT allowedsites
4. ALLOW if ip_users AND clientips
5. ALLOW if ip_users AND allowedsites
6. ALLOW if ncsa_users AND clientips
7. ALLOW if ncsa_users AND allowedsites
8. DENY if clientips

> my etc/squid/allowedsites.txt is like this.
> [root@worldnet ~]# cat /etc/squid/allowedsites.txt
> google.com
> bbc.com
> cnn.com
>
>
> But, it still does not work.
>
> Pls help me to solve this issue.
>
> >
> > Basically, a new ACL was added and the corresponding http_access test,
> > it will only
> >
> > (a) be allowed IF it fulfilled the test of being an ip_users and going
> > to a domain as defined in the ALLOWED_DOMAINS acl
> >
> > ~ or ~
> >
> > (b) be allowed IF it fulfilled the test of being an ncsa_users and going
> > to a domain as defined in the ALLOWED_DOMAINS acl
> >
> > Hope this helps.
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
> >
--
Thank you
Indunil Jayasooriya
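
The eight http_access lines from the final squid.conf in this thread can be traced with a small model of Squid's first-match evaluation; this is an added example, not code from the thread or from Squid. The function names, the reduction of the ip_user helper to an IP/login pair lookup, and the absence of password checking are assumptions of the model.

```python
import re

# Constructed from the thread: ip.conf pairs, the restricted IPs and allowedsites.txt.
IP_USER = {"192.168.101.25": "indunil", "192.168.101.26": "asanka",
           "192.168.101.28": "www28", "192.168.101.29": "www29",
           "192.168.101.30": "www30", "192.168.101.90": "www90"}
CLIENTIPS = {"192.168.101.28", "192.168.101.29", "192.168.101.30"}
# url_regex -i: case-insensitive, unanchored regexes searched in the whole URL.
ALLOWED = [re.compile(p, re.I)
           for p in (".freebsd.org", "ebay", "cnn.com", "bbc", "google")]

# Simplified ACL models (assumptions): password checking is not modelled, and
# the ip_user helper is reduced to "this IP is paired with this login".
ACLS = {
    "ncsa_users": lambda r: r["user"] is not None,
    "ip_users": lambda r: IP_USER.get(r["src"]) == r["user"],
    "clientips": lambda r: r["src"] in CLIENTIPS,
    "allowedsites": lambda r: any(p.search(r["url"]) for p in ALLOWED),
}

RULES = """\
deny !ncsa_users
deny !ip_users
deny clientips !allowedsites
allow ip_users clientips
allow ip_users allowedsites
allow ncsa_users clientips
allow ncsa_users allowedsites
deny clientips
"""

def term_matches(term, req):
    """Evaluate one ACL name; a leading '!' negates it."""
    return ACLS[term.lstrip("!")](req) != term.startswith("!")

def http_access(src, user, url, rules=RULES):
    """Return (action, line_number); line_number is None for the implicit default."""
    req = {"src": src, "user": user, "url": url}
    action = None
    for number, line in enumerate(rules.splitlines(), 1):
        action, *terms = line.split()
        if all(term_matches(t, req) for t in terms):  # ACLs on a line are ANDed
            return action, number                      # first matching line wins
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow" if action == "deny" else "deny"), None

if __name__ == "__main__":
    print(http_access("192.168.101.25", "indunil", "http://example.org/"))
```

In this model an unrestricted user reaches a site outside allowedsites.txt only through the implicit default (the opposite of the last `deny clientips` line), and lines 6 to 8 never decide a request because lines 4 and 5 match first.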