MARLON BORBA said:
> Squid ubergeeks,
>
> I am configuring a Squid (2.5-STABLE9 in a Fedora Core 4) to authenticate
> users into an LDAP directory. Having succeeded in that configuration, my
> next challenge is to implement access control AND logging of users'
> accesses to forbidden sites.
>
> I created two url_regex lists, semacesso.txt for porn and other banned
> sites and liberado.txt, which contain regexes for sites that, not being
> porn or any other crap, could be blocked because they contain a substring
> appearing to be a porn site (eg esSEX.ac.uk).
>
> I have two problems to solve:
>
> 1) My Squid.conf relevant lines below:
>
> [...]
> acl autenticados proxy_auth REQUIRED
> [...]
> acl liberado dstdom_regex "/etc/squid/liberado.txt"
> acl semacesso dstdom_regex "/etc/squid/semacesso.txt"
> [...]
> http_access allow autenticados
>
> http_access allow liberado
> http_access deny semacesso
> [...]
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny all
> [...]
>
> In this configuration it allows an authenticated user to access any site,
> even the forbidden ones. OTOH, if I put the 'liberado' and 'semacesso' lines
> ABOVE the authentication line, the user does not access forbidden sites
> and Squid logs that into Cache.log, but WITHOUT the lame user's login.

Untested:

http_access allow localhost
http_access deny semacesso autenticados
http_access allow autenticados
http_access deny all

- Allow localhost to do anything
- If someone goes to a site in 'semacesso', (s)he'll get a password prompt
  and if valid credentials are given, access is denied
- If someone goes to another site, (s)he'll get a password prompt and if
  valid credentials are given, access is allowed
- And deny the rest

If someone presses escape after the password prompt when going to a
'semacesso' site, no username is logged of course, but a 407 (proxy
authentication is needed) is logged.
> 2) Is there a better way to permit access to non-pornographic sites (eg
> esSEX.ac.uk) but block pornographic ones (eg SEX.com)?

A content scanning proxy. Unfortunately I don't have any experience with
this (the squids I manage either don't have content scanning, or they talk
to a parent proxy which does scan but which I don't manage)

Joost
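As an added illustration that is not part of the thread, the following Python model of Squid's http_access evaluation runs Marlon's ordering and Joost's suggested ordering over a few constructed requests. It assumes the semantics both authors rely on: ACL names on one line are ANDed, the first fully matching line wins, and a proxy_auth ACL evaluated without credentials produces a 407 challenge (the behaviour Joost describes); the two regex files are replaced by constructed inline patterns.

```python
import re

# Constructed stand-ins for the thread's ACLs; the regex files are replaced
# by inline patterns (assumption: semacesso.txt matches "sex",
# liberado.txt matches "essex.ac.uk").
ACLS = {
    "localhost":    lambda r: r["src"] == "127.0.0.1",
    "autenticados": lambda r: r["user"] is not None,   # proxy_auth REQUIRED
    "liberado":     lambda r: re.search(r"essex\.ac\.uk", r["host"]) is not None,
    "semacesso":    lambda r: re.search(r"sex", r["host"]) is not None,
    "all":          lambda r: True,
}
PROXY_AUTH_ACLS = {"autenticados"}

# Marlon's ordering: the first line matches every authenticated user.
MARLON = [("allow", ["autenticados"]), ("allow", ["liberado"]),
          ("deny", ["semacesso"]), ("allow", ["localhost"]), ("deny", ["all"])]
# Joost's suggested ordering: the deny line carries the auth ACL as well.
JOOST = [("allow", ["localhost"]), ("deny", ["semacesso", "autenticados"]),
         ("allow", ["autenticados"]), ("deny", ["all"])]

def evaluate(rules, request):
    """Return (decision, user): decision is 'allow', 'deny' or '407';
    user is the login Squid would have for the log line of that decision."""
    for action, names in rules:
        line_matches = True
        for name in names:
            if name in PROXY_AUTH_ACLS and request["user"] is None:
                return "407", None          # challenge before any decision
            if not ACLS[name](request):
                line_matches = False        # ACLs on one line are ANDed
                break
        if line_matches:
            return action, request["user"]  # first matching line wins
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), request["user"]

# Constructed requests.
ALICE_PORN  = {"src": "10.0.0.5", "user": "alice", "host": "www.sex.com"}
ANON_PORN   = {"src": "10.0.0.5", "user": None,    "host": "www.sex.com"}
ALICE_ESSEX = {"src": "10.0.0.5", "user": "alice", "host": "www.essex.ac.uk"}

if __name__ == "__main__":
    for label, rules in (("marlon", MARLON), ("joost", JOOST)):
        for req in (ALICE_PORN, ANON_PORN, ALICE_ESSEX):
            print(label, req["host"], req["user"], "->", evaluate(rules, req))
```

The third request shows the cost of Joost's ordering as posted: without a `liberado` line before the deny line, esSEX.ac.uk is blocked along with the real porn sites.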