Aidan Gullickson wrote:
Hello,
I am attempting to set up an acl for our IT staff so that they are not
subject to any of the other restrictions we have specified in our
squid.conf file. I am having difficulty getting this running properly.
I did spend several hours searching the archives and Google and was
unable to find anything specifically on this topic; however, I apologize
if this has been asked before.
Our proxy server is running FreeBSD 6.2, and we are on squid version
2.6. Our squid.conf file is fairly complex and we are using it to block
content such as streaming audio and video, IM, social networking sites,
downloading executables, etc. I want to add an additional acl that
would allow certain users open access, without being subject to any of
the other blocks we have set up. We are authenticating users against
our LDAP server via proxy_auth.
What I have in place right now is the following:
# IT staff members allowed unrestricted access
acl IT_staff proxy_auth user1 user2 user3 user4
This line is near the top of our squid.conf. Much further along, nearly
at the bottom, I have the following line:
http_access allow IT_staff
I have also experimented with:
http_access allow IT_staff all

Those two lines are identical in meaning to squid. The second just takes
longer to test.

Those users in the group IT_staff are able to browse web sites without
any restrictions, however I'm having a few side effects. One is that I
get a lot of false positive matches with sites being denied to non
IT_staff users because they match "IT_staff".

You obviously have a "deny ... IT_Staff" or an "allow ... !IT_Staff" in
the config somewhere.
Using 'IT_Staff' as the last acl on the *_access line will cause its
name to be used in the error page if the entire *_access results in denial.

Could anyone advise on either how to correct what I have going on now,
or how to just set up an acl that would allow unrestricted access for a
group of users, specified by username?

You have located the best way. Just not using it right.
Amos
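
An added example, not part of the original thread or of either poster's configuration: one rule ordering that gives the exemption asked about, relying on Squid checking http_access lines top to bottom and acting on the first line whose ACLs all match. Every ACL name and value other than IT_staff and its user list is a placeholder.

```conf
# Constructed example for squid 2.6; only IT_staff and its users come from the thread.
acl all src 0.0.0.0/0.0.0.0
acl authenticated proxy_auth REQUIRED

# IT staff members allowed unrestricted access
acl IT_staff proxy_auth user1 user2 user3 user4

# Placeholder content restrictions (assumed names and patterns)
acl blocked_sites dstdomain .blocked.example
acl executables urlpath_regex -i \.exe$

# 1. The exemption comes before every restriction. A request from an
#    IT_staff user matches here and evaluation stops, so none of the
#    deny lines below are ever consulted for that user.
http_access allow IT_staff

# 2. Restrictions for everyone else. IT_staff does not appear on any
#    deny line, negated or otherwise, so a denial here is reported
#    under the restriction's own ACL name.
http_access deny blocked_sites
http_access deny executables

# 3. Remaining authenticated users get the filtered access.
http_access allow authenticated

# 4. Explicit final rule. As noted in the reply above, the last ACL on
#    the line is the name shown when access ends in denial; ending with
#    "deny all" means that name is "all" rather than "IT_staff".
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it.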