Indunil Jayasooriya wrote:
Hi,
I am now running squid with ncsa_auth.
I have bound ip addresses to usernames. So users now can access the
Internet from their ips.
Now I want to prevent a few users from accessing all the sites. But
instead, I want to allow them to access a few sites such as
google.com, cnn.com, bbc.com. I want to limit it in that way.
I have written the rules below. But those users still can access all the
sites.
external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users
http_access allow ncsa_users
my ip.conf file is like this.
[root@worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25 indunil .google.com .bbc.com .cnn.com
192.168.101.90 www90
According to the above file, user indunil with ip address
192.168.101.25 has access to google.com, bbc.com and cnn.com.
But the user indunil at ip address 192.168.101.25 still has access to
all the sites.
I want ip address 192.168.101.25 to be allowed the above URLs.
How can I solve this?
From the ip_user_check README:
It works by reading a pair composed by an ip address and an username
on STDIN and matching it against a configuration file.
...
If the program finds a matching username/ip in the configuration file,
it returns `OK', or `ERR' otherwise.
Nothing in there about limiting what sites said username can access, as
it was designed to limit the pairing of authentication and IP
(preventing a specific login from being used from certain computers).
To do what you want...
# Define our network
acl our_networks src 192.168.101/24
# ACL that matches indunil's authentication credentials
# (squid's ACL type for a specific authenticated username is proxy_auth)
acl indunil proxy_auth indunil
# ACL that matches indunil's limited IP
acl IP25 src 192.168.101.25
# ACL that limits indunil's surfing destinations
# (a leading dot matches the domain itself and all its subdomains)
acl indunilSiteList dstdomain .google.com .bbc.com .cnn.com
...
# Allow access to certain sites for indunil on specific IP
http_access allow indunil IP25 indunilSiteList
# Deny any other access for indunil from 192.168.101.25
http_access deny indunil IP25
...
http_access allow our_networks
http_access deny all
Salt to taste. Creating a script to parse the file you have created
(and allow or deny appropriately) would certainly be possible (and quite
a bit more flexible). I haven't the time at the moment, but it is an
intriguing problem.
Chris
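The script Chris mentions, written as an added example that is not part of this thread or of ip_user_check: an external ACL helper that reads the `%SRC %LOGIN %DST` line squid sends on stdin, looks the ip/username pair up in the ip.conf format shown above (extra fields on a line are allowed domain suffixes, none means unrestricted), and answers `OK` or `ERR` per request. The sample ip.conf is constructed inline; the file path argument is an assumption.

```python
import sys

# Constructed copy of the ip.conf layout from the thread:
# <ip> <username> [<domain suffix> ...]  -- no suffixes means any site.
SAMPLE_IP_CONF = """\
192.168.101.25 indunil .google.com .bbc.com .cnn.com
192.168.101.90 www90
"""

def parse_ip_conf(text):
    """Map (ip, username) -> list of allowed suffixes (empty = unrestricted)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore comments/blank lines
        if len(fields) >= 2:
            table[(fields[0], fields[1].lower())] = [d.lower() for d in fields[2:]]
    return table

def domain_allowed(host, suffixes):
    """Mimic squid dstdomain: '.example.com' matches the domain and subdomains."""
    host = host.lower().rstrip(".")
    for s in suffixes:
        if s.startswith("."):
            if host == s[1:] or host.endswith(s):
                return True
        elif host == s:
            return True
    return False

def check(table, src, login, dst):
    """Decide one request: 'OK' or 'ERR', the answers squid expects."""
    suffixes = table.get((src, login.lower()))
    if suffixes is None:
        return "ERR"                      # ip/login pair not bound at all
    if not suffixes:
        return "OK"                       # bound, no site list: unrestricted
    return "OK" if domain_allowed(dst, suffixes) else "ERR"

def main():
    # Usage (assumed): helper.py /etc/squid/ip.conf ; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            table = parse_ip_conf(f.read())
    else:
        table = parse_ip_conf(SAMPLE_IP_CONF)
    for line in sys.stdin:
        fields = line.split()
        # squid blocks until it gets a reply, so flush after every answer
        print(check(table, *fields[:3]) if len(fields) >= 3 else "ERR", flush=True)

if __name__ == "__main__":
    main()
```

With the helper wired in via `external_acl_type`, the original `deny !ip_users` / `allow ip_users` rules then do the per-site limiting that ip_user_check cannot.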