Search squid archive

per-acl error messages not working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm obviously doing something wrong with my ACLs, and would appreciate
any advice.  

We require authentication via radius, and we only allow each user to
be logged on from workstation at a time.  Anyone logged on to a server
can access the Internet from multiple machines (i.e., for maintenance
periods where one admin might be running updates on several boxes
simultaneously).

If a user logs in from too many machines, or if he enters a wrong
password, he gets the error message in ERR_NO_SHARING.  I would expect
a user who signs on too often to get ERR_NO_SHARING and a user who
fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED.

Instead, all users get ERR_NO_SHARING.  I would like to give the users
a useful error message, but obviously I am missing something.

The ACL portion of my squid.conf follows.

Thanks for any suggestions,
==ml

--

error_directory /etc/squid/errors

auth_param basic program /usr/local/squid/libexec/squid_radius_auth_new -f /etc/squid/squid_radius_auth.conf

auth_param basic children 5
auth_param basic realm 'Web'

#confirm our login is still good via Radius at this interval;
#this is not the time between password query popups at user's browser!
authenticate_ttl 15 minutes

acl all src 0.0.0.0/0.0.0.0	# all sources

acl manager proto cache_object	# internal cache manager

acl localhost src 127.0.0.1/255.255.255.255  # This computer's loopback source
acl to_localhost dst 127.0.0.0/8 # This computer's loopback destinations

acl PURGE method PURGE

acl Safe_ports port 80		# http
acl Safe_ports port 20		# ftp
acl Safe_ports port 21		# ftp-data
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl radius_auth proxy_auth REQUIRED

acl no_auth_src src "/etc/squid/noauth_src.list"
acl no_auth_dst dst "/etc/squid/noauth_dst.list"
acl no_auth_hostdst dstdomain "/etc/squid/noauth_hostdst"

#Don't share password
authenticate_ip_ttl 60 seconds
acl noPwSharing max_user_ip 1
deny_info ERR_NO_SHARING noPwSharing
#allow server networks more leeway for administration
acl serverPwSharing max_user_ip 5
deny_info ERR_NO_SHARING serverPwSharing

#Our internal networks; one for source, one for dest

acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl our_servers dst 10.0.0.0/8 127.0.0.0/8

acl server_network src 10.184.1.0/24

acl our_domains dstdomain internal.com

acl CONNECT method CONNECT	# Http Connect method

#Only the local machine can see cache manager
http_access allow manager localhost
http_access deny manager

#management acl
http_access allow PURGE localhost
http_access deny PURGE

#block connections to unsafe ports
http_access deny !Safe_ports

#Allow everyone through to some sites without auth
http_access allow no_auth_dst
http_access allow no_auth_src
http_access allow no_auth_hostdst

#Everyone can access internal servers
always_direct allow our_domains

#servers can have one user connect multiple times
http_access allow server_network radius_auth

#clients may only log in from one IP at a time.
http_access deny noPwSharing

#Clients must auth to radius to leave our network
http_access allow our_networks radius_auth  

#everyone else is denied access
http_access deny all

#everyone can reply
http_reply_access allow all

#nobody may use this as a peer proxy
icp_access deny all




-- 
Michael W. Lucas 	mwlucas@xxxxxxxxxxxxxxxxxxxx, mwlucas@xxxxxxxxxxx
		http://www.BlackHelicopters.org/~mwlucas/
      Coming Soon: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux