Re: ACLs and localhost

paul cooper wrote:
So is what I want to do actually possible?

If I understand your intentions correctly, yes it is:

  http_access deny !Safe_ports
  http_access allow emma weekends
  http_access allow andrew
  http_access deny all

non-safe port access denied
emma only logging in on weekends, not accepted otherwise.
andrew logging in anytime.
nobody else allowed.


unixlogin emma logged into VT7
unixlogin andrew -> VT8

web page request from either -> squid requests login

if it's emma & !testing -> access denied
if it's emma & testing -> access allowed

switch to VT8 (andrew's desktop)
web page request ->  squid requests login
if it's andrew -> access allowed
if it's emma && !testing (e.g. kids messing around) -> access denied



hepworth squid # grep ^auth_param /etc/squid/squid.conf
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/htpasswd
hepworth squid # grep ^acl  /etc/squid/squid.conf | grep -v '#'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth squid # grep ^http  /etc/squid/squid.conf | grep -v '#'
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny all
hepworth squid #


2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_access allow emma testing'
2008/03/25 15:04:03| aclMatchAclList: checking emma
2008/03/25 15:04:03| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/25 15:04:03| aclMatchAclList: checking testing
2008/03/25 15:04:03| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/25 15:04:03| aclMatchTime: checking 904 in 450-480, weekbits=3e
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: checking 'http_access allow andrew '
2008/03/25 15:04:03| aclMatchAclList: checking andrew
2008/03/25 15:04:03| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7d38'

But I haven't, AFAIK, logged in as andrew in this browser session (the
browser cache is flushed when it's closed).

So is this login stored in the cache somewhere?
Do I need to flush the cache when I change user?


2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The request GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'andrew'
2008/03/25 15:04:03| aclCheck: checking 'cache deny QUERY'
2008/03/25 15:04:03| aclMatchAclList: checking QUERY
2008/03/25 15:04:03| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/03/25 15:04:03| aclMatchRegex: checking '/favicon.ico'
2008/03/25 15:04:03| aclMatchRegex: looking for 'cgi-bin'
2008/03/25 15:04:03| aclMatchRegex: looking for '\?'
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: NO match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| aclCheckFast: list: 0x8481608
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_reply_access allow all'
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'all'





--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
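
An added example, not part of the original message or of Squid's own code: a small Python model of first-match http_access evaluation over the ACLs posted above. It assumes the authenticated user in the logged request was emma (the log does not show the name) and relies on the documented Squid behaviour that `proxy_auth REQUIRED` matches any authenticated user, whatever the ACL is called; the `NAMED` variant and all helper names are hypothetical.

```python
from datetime import datetime

# Simplified model: rules are checked top to bottom, every ACL named on a
# line must match (AND), and the first matching line decides. The 407
# authentication challenge itself is not modelled.
DAYS = "MTWHFAS"  # Squid day letters indexed by weekday(): Mon..Sun

def proxy_auth(*users):
    # REQUIRED accepts any authenticated name; otherwise only listed names
    return lambda req: req["user"] is not None and (
        "REQUIRED" in users or req["user"] in users)

def time_acl(days, start, end):
    def match(req):
        t = req["when"]
        minutes = t.hour * 60 + t.minute  # the log's "checking 904 in 450-480"
        return DAYS[t.weekday()] in days and start <= minutes <= end
    return match

# http_access lines exactly as posted in squid.conf
RULES = [("allow", ["emma", "testing"]),
         ("allow", ["andrew"]),
         ("deny", ["all"])]

COMMON = {"testing": time_acl("MTWHF", 7 * 60 + 30, 8 * 60),
          "all": lambda req: True}

# As posted: both ACLs are "proxy_auth REQUIRED", so they are identical
AS_POSTED = dict(COMMON, emma=proxy_auth("REQUIRED"),
                 andrew=proxy_auth("REQUIRED"))
# Hypothetical correction: each ACL lists the user name it is meant to match
NAMED = dict(COMMON, emma=proxy_auth("emma"), andrew=proxy_auth("andrew"))

def decide(acls, user, when):
    req = {"user": user, "when": when}
    for action, names in RULES:
        if all(acls[n](req) for n in names):
            return action, " ".join(names)
    return "deny", "(no rule matched)"  # unreachable here: last rule is 'all'

if __name__ == "__main__":
    logged = datetime(2008, 3, 25, 15, 4)  # timestamp of the logged request
    print(decide(AS_POSTED, "emma", logged))  # allowed via the 'andrew' line
    print(decide(NAMED, "emma", logged))      # denied by 'all'
```
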