Hi,

I'm having some fun trying to understand how to use the ACLs to restrict access to the net, using squid-2.6.STABLE4.

Currently on our production Squid 2.5 box we allow some unrestricted access to the net based on a static IP address of the user's PC. E.g.:

    acl PC001 src 192.168.1.33
    acl allow src PC001

All other users are restricted to sites that are not referenced in a banned site listing. E.g.:

    acl blockedsites url_regex "/etc/squid/bannedurls"

I now have a test box with squid 2.6 up and running, which is properly talking to AD, and I have NTLM working perfectly so that squid 2.6 acts as a transparent proxy.

I would like to be able to set up 3 groups (InternetAllowed, InternetRestricted and InternetDenied) that are set up on my AD network and would have access as follows:

- InternetAllowed members have unrestricted access to websites.
- InternetRestricted members have access to sites provided that they are not referenced in my bannedurl file
- InternetDenied members don't get any web use

I've tried a simple test (the squid config is below) to get squid to only allow access to the web if the user was a member of the "InternetAllowed" group, but it's not picking up. Whether the user was in the InternetAllowed group or not, they could still access the web.

Currently I have the following acl:

    acl InternetAllowed proxy_auth REQUIRED
    http_access allow InternetAllowed
    http_access deny all

But this doesn't seem to do the job. I also tried "http_access deny !InternetAllowed" instead of the "http_access allow InternetAllowed" entry, but this didn't work either.

Is the problem down to the "acl InternetAllowed proxy_auth REQUIRED" line? Should I have something in the syntax to reference the external grouping on the AD controllers?

If I run "wbinfo -g |grep -i internet" I get the following back:

    InternetAllowed
    InternetRestricted
    InternetDenied

Any assistance you can provide would be most appreciated.

I am hoping to create a document with all the steps I used; I would be willing to post this if it is of assistance to others.

PD

===squid.conf=====
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl InternetAllowed proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow InternetAllowed
http_access deny all
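The three-group policy described in the post, as an added example that is not part of the original message: in the posted config `proxy_auth REQUIRED` matches any user who authenticates, and the ACL name `InternetAllowed` is only a label, so group membership is never consulted. The sketch below replaces that ACL and the last two `http_access` lines with group lookups through Squid's `external_acl_type` and the `wbinfo_group.pl` helper. It assumes the working NTLM `auth_param` setup the post mentions; the helper path, the `ttl` value and the ACL names `ad_group`, `Authenticated`, `GrpAllowed`, `GrpRestricted` and `GrpDenied` are assumptions chosen for illustration.

```conf
# Added example, not the poster's configuration.
# Assumed helper path; wbinfo_group.pl ships with Squid, location varies by distro.
external_acl_type ad_group ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Matches ANY successfully authenticated user; says nothing about groups.
acl Authenticated proxy_auth REQUIRED

# Group membership is resolved by the helper via winbind.
# The argument is the AD group name as returned by "wbinfo -g".
acl GrpAllowed    external ad_group InternetAllowed
acl GrpRestricted external ad_group InternetRestricted
acl GrpDenied     external ad_group InternetDenied

acl blockedsites url_regex "/etc/squid/bannedurls"

# Keep the existing manager / Safe_ports / CONNECT rules above this point.
# http_access is first-match, so the order below is the policy.

# 1. No credentials, no access.
http_access deny !Authenticated

# 2. Explicit deny wins, even if the user is also in another group.
http_access deny GrpDenied

# 3. Unrestricted group.
http_access allow GrpAllowed

# 4. Restricted group: block listed URLs, allow the rest.
http_access deny GrpRestricted blockedsites
http_access allow GrpRestricted

# 5. Authenticated users in none of the groups fall through to here.
http_access deny all
```

After `squid -k reconfigure`, the username field in `access.log` together with the `TCP_DENIED` result codes shows which rule each test account hit.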