
RE: configuring Squid to authenticate AND to log users' access to forbidden sites.


 



> -----Original Message-----
> From: MARLON BORBA [mailto:MBORBA@xxxxxxxxxxx]
> Sent: Friday, August 19, 2005 3:17 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject:  configuring Squid to authenticate AND to log
> users' access to forbidden sites.
> 
> 
> Squid ubergeeks,
> 
> I am configuring a Squid (2.5-STABLE9 in a Fedora Core 4) to 
> authenticate users into an LDAP directory. Having succeeded in 
> that configuration, my next challenge is to implement access 
> control AND logging of users' accesses to forbidden sites.
> 
> I created two url_regex lists, semacesso.txt for porn and 
> other banned sites and liberado.txt, which contains regexes 
> for sites that, not being porn or any other crap, could be 
> blocked because they contain a substring appearing to be a 
> porn site (eg esSEX.ac.uk). 
> 
> I have two problems to solve:
> 
> 1)  My Squid.conf relevant lines below:
> 
> [...]
> acl autenticados proxy_auth REQUIRED
> [...]
> acl liberado dstdom_regex "/etc/squid/liberado.txt"
> acl semacesso dstdom_regex "/etc/squid/semacesso.txt"
> [...]
> http_access allow autenticados

I am imagining that you don't want to permit anyone to surf without authentication.  In such a case...

http_access deny !autenticados

...would be a better fit. After the first matching http_access line Squid stops processing, so the next two lines were never being tested. With the suggested change, authentication will be required, but will not be a "free pass" to surf.

> 
> http_access allow liberado
> http_access deny semacesso
> [...]
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny all
> [...]
> 
> In this configuration it allows an authenticated user to 
> access any site, even the forbidden ones. OTOH, if I put the 
> 'liberado' and 'semacesso' lines ABOVE the authentication 
> line, the user does not access forbidden sites and Squid logs 
> that into Cache.log, but WITHOUT the lame user's login.
> 
> 2) Is there a better way to permit access to non-pornographic 
> sites (eg esSEX.ac.uk) but block pornographic ones (eg SEX.com)? 
> 

Perhaps someone else will have a good answer to this question.  I'm not using Squid for content filtering.

> TIA,
> 
> Marlon Borba, CISSP.
> 
> 

Chris
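
An added example, not part of the original messages and not Squid's own code: a small Python model of the first-match http_access evaluation discussed above, run over the three rule orderings from the thread. The regex patterns, the user name and the client address are constructed samples, and the model assumes a login is available for logging only once a proxy_auth ACL has been evaluated.

```python
import re

# Constructed sample patterns standing in for liberado.txt and semacesso.txt.
ACLS = {"liberado": [r"essex\.ac\.uk$"], "semacesso": [r"sex"]}

# The three orderings from the thread, limited to the lines visible there.
ORIGINAL = ["allow autenticados", "allow liberado", "deny semacesso",
            "allow localhost", "deny all"]
LISTS_FIRST = ["allow liberado", "deny semacesso", "allow autenticados",
               "allow localhost", "deny all"]
SUGGESTED = ["deny !autenticados", "allow liberado", "deny semacesso",
             "allow localhost", "deny all"]

def acl_matches(name, req, state):
    """Evaluate one ACL name (optionally negated with '!') against a request."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "localhost":
        hit = req["src"] == "127.0.0.1"
    elif name == "autenticados":
        state["auth_checked"] = True  # assumption: login is known from here on
        hit = req["user"] is not None
    else:
        hit = any(re.search(p, req["host"], re.I) for p in ACLS[name])
    return hit != negate

def http_access(rules, req):
    """Return (action, login available to the log); the first matching line decides."""
    state = {"auth_checked": False}
    for action, *acls in (line.split() for line in rules):
        if all(acl_matches(a, req, state) for a in acls):
            return action, req["user"] if state["auth_checked"] else None
    return "deny", None  # not reached here: every rule set ends in "deny all"

def request(user, host, src="10.0.0.5"):
    """Build a constructed request record."""
    return {"user": user, "host": host, "src": src}

if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("lists first", LISTS_FIRST),
                         ("suggested", SUGGESTED)]:
        for host in ("sex.com", "essex.ac.uk"):
            print(label, host, http_access(rules, request("alice", host)))
```

With only the lines visible in the thread, the suggested ordering sends an authenticated request for a host on neither list through to `deny all`; the elided `[...]` lines may change that. In a real proxy the unauthenticated case results in a credentials challenge rather than a plain denial.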

