
Re: [squid-users] AD Authentification and Acl ?

On Sun, 15 May 2005, Phibee Network operation Center wrote:

> acl dmz_network src 10.216.1.0/24
> http_access allow dmz_network
>
> acl AllowedADUsers external AD_Group "/etc/squid/allowedntgroups"
> acl Winbind proxy_auth REQUIRED
>
> http_access allow AllowedADUsers
> http_access deny !AllowedADUsers
> http_access deny !Winbind

The Winbind ACL is redundant here.

The above three rules could be replaced by simply

http_access allow AllowedADUsers
http_access deny all


These following four lines should be your first http_access lines.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

The purpose of these lines is to block common abuse of the proxy, and to do that they must come before the lines where you allow users access.


> 1- Actually, when the user is not in an internet group (specified in allowedntgroups),
> squid sends a box asking for a new login/pass and afterwards puts up a "Cache Access Denied" page.
>
> Is it possible that, after seeing that the user is not in an internet group, it doesn't ask for a login/pass
> and instead puts up a specific html page or gif with "Access Denied"?

With the above config this is what you should get.

> And is it possible that a user who is not in the right groups doesn't have a "cache"? (if the admin changes the
> group, the user is immediately OK)

See the negative ttl parameter of external_acl_type.

> 2- I want users who are authenticated in "Winbind" but not in a good group to be able to go to
> 2 or 3 sites, so I have put:
> acl allow_url dstdomain .pagesjaunes.fr phibee.net
> http_access allow allow_url
> but that doesn't work ..

In what way doesn't it work?

To more clearly express this you should be using

acl AllUsers proxy_auth REQUIRED
http_access allow AllUsers allow_url

> and one of these sites puts a gif located at another web address ... is it possible to say "pagesjaunes.fr" + the html gif request?

No.

Well, you could perhaps play some tricks with the referer_regex acl, but this is inherently insecure as it trusts the client to correctly indicate which web site the object was linked from. Also, as there is no dstdomain type acl looking into the referer attribute you have to use regex patterns.


Regards Henrik
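As an added example that is not part of the original thread, here is how the pieces discussed above fit together in one squid.conf fragment, in the order Henrik describes: the abuse-blocking rules first, then the DMZ network that needs no login, then users in an allowed AD group, then any authenticated user restricted to the short domain list, then deny everything else. The helper paths, the Winbind helper invocation and the contents of the group file are assumptions for the example. Two points a practitioner should check: the external helper is keyed on %LOGIN, so squid has to authenticate the user before it can ask about groups, and negative_ttl=0 is what makes a "not in group" answer uncached, so a group change by the admin takes effect on the user's next request. Also note the dstdomain rule: an entry without a leading dot matches only that exact host name, so `phibee.net` does not match `www.phibee.net`, while `.phibee.net` matches the domain and every host under it.

```conf
# Added example, not from the thread. Helper paths, the Winbind helper
# command line and the group file contents are assumptions.

# Winbind authentication via Samba's ntlm_auth (NTLM for IE, Basic as
# fallback for other browsers).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Group lookup helper. %LOGIN hands the authenticated user name to the
# helper, so this ACL only works after authentication. ttl caches
# positive answers; negative_ttl=0 means "not in group" is never cached,
# so moving a user into the group takes effect on the next request
# (at the cost of one helper lookup per request for those users).
external_acl_type AD_Group ttl=300 negative_ttl=0 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

acl dmz_network src 10.216.1.0/24
# One Windows group name per line in the file (assumed contents).
acl AllowedADUsers external AD_Group "/etc/squid/allowedntgroups"
acl AllUsers proxy_auth REQUIRED
# Leading dot: the domain and all hosts under it. A bare name would
# match that exact host only.
acl allow_url dstdomain .pagesjaunes.fr .phibee.net

# http_access is evaluated top down, first match wins; several ACLs on
# one line are ANDed. Abuse blocking goes first so no later allow can
# override it.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The DMZ network is allowed without any login.
http_access allow dmz_network

# Authenticated users in one of the listed AD groups: full access.
http_access allow AllowedADUsers

# Authenticated users not in a group: only the listed domains.
http_access allow AllUsers allow_url

# Everything else. The last ACL on this line is "all", not an
# authentication ACL, so squid answers with an access denied page
# instead of challenging for credentials again.
http_access deny all
```

The reason the original `http_access deny !AllowedADUsers` produced a login box before the denied page is that squid re-challenges for credentials when a request is denied by a rule whose last ACL is an authentication-dependent ACL (proxy_auth, or an external ACL using %LOGIN); ending in `deny all` avoids that. If a custom denial page is wanted, `deny_info` can point a deny rule's last ACL at a template in squid's errors directory, for example `deny_info ERR_ACCESS_DENIED all`. The referer trick Henrik mentions is deliberately left out: the Referer header is set by the client and cannot be trusted for access control.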
