Paul Cocker wrote:
As those of you watching this list will be aware, I am currently setting up a whole load of exciting website blocks. Since blocking Facebook I doubt I have more than a couple of days left to live.
Well, it's been nice seeing you.
What I'm looking for is an easy way to create exceptions. Our Sales and Marketing departments need to bypass the shopping site block, because going to such sites is part of their job. I can do this in the following ways:
1. Set up an acl linking to the AD group for sales and one for marketing, then set up a whitelist acl which links to the shopping blacklist. I then add an http_access allow line above the blocks calling this whitelist if you're authenticated AND in sales, and then another such line for marketing.
tricksey, very tricksey.
2. Set up an AD group called shoppingexceptions and add sales and marketing users to it. I create an acl which looks at this group and then modify the shopping line to http_access deny !shoppingexceptions shopping.
I am currently using method 2, but the squidNT's AD group checker cannot handle groups within groups, so I can't have an exception group containing the sales and marketing groups; I have to export those groups and put the users into the exceptions group. So, my question is, can I:
a) List multiple exceptions to a rule on a single line, e.g. http_access deny !sales !marketing shopping
Yes. The above translates directly to a boolean: !S && !M && shop
b) Handle it in another, more elegant way?
Maybe. The limit is in the auth helper, not squid itself, so a better auth helper would solve it.
Obviously the idea is that no administrative effort is required on our part, someone joins sales and they automatically get the relevant exceptions.
Amos
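The following is an added example, not part of the original thread: a small Python model of how Squid evaluates http_access lines (terms on one line are ANDed, "!" negates, the first matching line decides), applied to the deny line from the question. The ACL name "authenticated", the two extra rules, the users and the domain are constructed assumptions, and AD group lookups are reduced to a dictionary.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# All terms on a line are ANDed, "!" negates a term, first matching line wins.

# First rule is from the thread; the other two are assumed for illustration.
RULES = """
http_access deny !sales !marketing shopping
http_access allow authenticated
http_access deny all
"""

# Constructed sample data standing in for AD group lookups and the blacklist.
GROUPS = {
    "alice": {"sales"},
    "bob": {"marketing"},
    "carol": {"engineering"},
}
SHOPPING_DOMAINS = {"shop.example.com"}


def parse_rules(text):
    """Turn http_access lines into (action, [terms]) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(name, user, domain):
    """Evaluate one ACL by name for a request (user, destination domain)."""
    if name == "all":
        return True
    if name == "authenticated":          # hypothetical ACL name
        return user in GROUPS
    if name == "shopping":
        return domain in SHOPPING_DOMAINS
    return name in GROUPS.get(user, set())   # group ACLs: sales, marketing


def decide(rules, user, domain):
    """Return 'allow' or 'deny' for the request."""
    for action, terms in rules:
        # A term holds when the ACL result differs from its negation flag.
        if all(acl_matches(t.lstrip("!"), user, domain) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"
```

Because the group test is evaluated per request, a user added to sales or marketing picks up the exception with no change to the rules.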