Re: How to limit a user to access a few sites. (SOLVED)




Hi Roy and calin.kalinix.cosma,


Thanks for all the help given to me. Finally, I got it done.

Binding an IP address to a username with SQUID and limiting access
of some users with their IPs to a few sites

rules added to squid.conf file

external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN

acl clientips src 192.168.101.28 192.168.101.29 192.168.101.30
acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"

http_access deny !ncsa_users
http_access deny !ip_users
http_access deny clientips !allowedsites
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips

Then I created /etc/squid/ip.conf and added the pairs (IP and username)

[root@worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25  indunil
192.168.101.26  asanka
192.168.101.28   www28
192.168.101.29  www29
192.168.101.30  www30
192.168.101.90  www90

Then, by using htpasswd, I created /etc/squid/squid_passwd file.


Then I created the /etc/squid/allowedsites.txt file.
[root@worldnet squid]# cat /etc/squid/allowedsites.txt
.freebsd.org
ebay
cnn.com
bbc
google


Then, finally,

[root@worldnet squid]# /etc/init.d/squid restart

THANKS
INDUNIL


On 3/27/07, Roy Ong <centos-list@xxxxxxxxxx> wrote:
On Tue, 2007-03-27 at 12:58 +0530, Indunil Jayasooriya wrote:
> Hi,
>
>
> >
> > I think you probably need to combine a few rules together.
> > Consider the following
> >
> > acl ncsa_users proxy_auth REQUIRED
> > acl ip_users external ip_user %SRC %LOGIN %DST
>
> > acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
> >
> > http_access deny !ncsa_users
> > http_access deny !ip_users
> > http_access allow ip_users ALLOWED_DOMAINS
> > http_access allow ncsa_users ALLOWED_DOMAINS
> > http_access deny all
>
> These rules say that ALL the IPs have access to google.com bbc.com cnn.com.
>
> That is not what I want.

oh ok - probably i didn't understand your requirements clearly enough - i
see that you have provided some details below and i'll attempt there.

> This is my scenario.
>
> There are about 50 users browsing internet. 3 users out of those 50
> misuse internet.
> So I only want to limit these 3 users.
> Let's say their ips are 192.168.101.25, 192.168.101.26, 192.168.101.30
>
> Now I want to limit these 3 users' internet access to google.com
> bbc.com cnn.com.
> AND, the rest of users should have access to whole world.
>
> I wrote below rules. Pls check !!
>
> external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN
>
> acl clientips src 192.168.101.25 92.168.101.26 192.168.101.30
> acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access allow ip_users clientips
> http_access allow ip_users allowedsites
> http_access allow ncsa_users clientips
> http_access allow ncsa_users allowedsites
> http_access deny clientips

i would probably change to

http_access deny !ncsa_users
http_access deny !ip_users
http_access deny clientips !allowedsites                <---added this
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips

the added statement will DENY access if they belong to "clientips" i.e.
192.168.101.25 or 192.168.101.26 or 192.168.101.30 AND they are trying
to go to a url that is NOT defined in /etc/squid/allowedsites.txt

remembering that http_access statements are carried out in sequence, the
following will probably be true for the above

1. DENY         if NOT ncsa_users
2. DENY         if NOT ip_users
3. DENY         if clientips AND NOT allowedsites
4. ALLOW        if ip_users AND clientips
5. ALLOW        if ip_users AND allowedsites
6. ALLOW        if ncsa_users AND clientips
7. ALLOW        if ncsa_users AND allowedsites
8. DENY         if clientips


> my etc/squid/allowedsites.txt is like this.
> [root@worldnet ~]# cat /etc/squid/allowedsites.txt
> google.com
> bbc.com
> cnn.com
>
>
> But, It still does not work.
>
> Pls help me to solve this issue.
>
>
>
> > Basically, a new ACL was added and the corresponding http_access test,
> > it will only
> >
> > (a) be allowed IF it fulfilled the test of being an ip_users and going
> > to a domain as defined in the ALLOWED_DOMAINS acl
> >
> > ~ or ~
> >
> > (b) be allowed IF it fulfilled the test of being an ncsa_users and going
> > to a domain as defined in the ALLOWED_DOMAINS acl
> >
> > Hope this helps.
> >
> >
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
>



--
Thank you
Indunil Jayasooriya
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
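
Added example (not part of the original thread, and not Squid's own code): a small Python model of the first-match http_access evaluation Roy describes, run against the final rule set, ip.conf pairs and allowedsites.txt entries from the post. It assumes ip_user_check passes only when the (IP, username) pair is listed in ip.conf; the request URLs are constructed samples.

```python
import re

# Constructed model of the final squid.conf in the post (not Squid's code).
# Assumption: ip_user_check passes only when the (IP, username) pair is in ip.conf.
IP_CONF = {"192.168.101.25": "indunil", "192.168.101.26": "asanka",
           "192.168.101.28": "www28", "192.168.101.29": "www29",
           "192.168.101.30": "www30", "192.168.101.90": "www90"}
CLIENTIPS = {"192.168.101.28", "192.168.101.29", "192.168.101.30"}
# url_regex -i: each line is an unanchored, case-insensitive regex
# searched across the whole URL, not only the host name.
ALLOWEDSITES = [re.compile(p, re.I)
                for p in (".freebsd.org", "ebay", "cnn.com", "bbc", "google")]

RULES = [  # (action, ACL terms) in squid.conf order; "!" negates a term
    ("deny", ["!ncsa_users"]),
    ("deny", ["!ip_users"]),
    ("deny", ["clientips", "!allowedsites"]),
    ("allow", ["ip_users", "clientips"]),
    ("allow", ["ip_users", "allowedsites"]),
    ("allow", ["ncsa_users", "clientips"]),
    ("allow", ["ncsa_users", "allowedsites"]),
    ("deny", ["clientips"]),
]

def acls(src, login, url):
    """Truth value of each named ACL; login=None means no valid credentials."""
    return {
        "ncsa_users": login is not None,
        "ip_users": login is not None and IP_CONF.get(src) == login,
        "clientips": src in CLIENTIPS,
        "allowedsites": any(p.search(url) for p in ALLOWEDSITES),
    }

def http_access(src, login, url):
    """Return (action, rule number); rule number is None for the implicit default."""
    a = acls(src, login, url)
    for n, (action, terms) in enumerate(RULES, 1):
        # A line matches only if every term on it is true (AND).
        if all(a[t.lstrip("!")] != t.startswith("!") for t in terms):
            return action, n
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow" if RULES[-1][0] == "deny" else "deny"), None

if __name__ == "__main__":
    for req in [("192.168.101.28", "www28", "http://www.cnn.com/"),
                ("192.168.101.28", "www28", "http://www.example.org/"),
                ("192.168.101.25", "indunil", "http://www.example.org/"),
                ("192.168.101.25", "asanka", "http://www.cnn.com/")]:
        print(req, "->", http_access(*req))
```

In this model the unrestricted users reach other sites only through the implicit default (the opposite of the final deny line), so an explicit closing http_access line makes the policy easier to audit. Entries such as bbc or google are unanchored patterns; a dstdomain ACL is the tighter choice for a domain allowlist.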
