Re: acl question

Paul Houselander (SME) wrote:
Hi

I've been using IPs in ACLs to restrict access to squid, a redirector
(squidguard) and a parent proxy (virus scanning proxy).

This has been working fine and part of my squid.conf is below

# Everything ACL - goes via parent and squidguard
acl everything src "/etc/squid/acl/everything"
http_access allow everything
never_direct allow everything
redirector_access allow everything

# nothing ACL stops parent and redirector
acl nothing src "/etc/squid/acl/nothing"
http_access allow nothing
always_direct allow nothing
redirector_access deny nothing

# noparent ACL always direct stops it from forwarding to parent
acl novirus src "/etc/squid/acl/novirus"
http_access allow novirus
always_direct allow novirus

# nofilter ACL uses redirector access to stop requests going to the
# redirector (squidguard)
acl nofilter src "/etc/squid/acl/nofilter"
http_access allow nofilter
redirector_access deny nofilter

http_access allow localhost
http_access deny all

This is fine for static IPs and does exactly what I want, i.e. put an IP in
/etc/squid/acl/everything and it gets filtered and forwarded to the parent,
put an address in /etc/squid/acl/nothing and it goes direct and bypasses the
redirector/squidguard.

I wanted to allow roaming users to use my squid so I've tried adding
authentication using the below. The aim was that if I knew their IP it would be in
one of the acl files, so no username/password prompt; if their IP was not in
the acl files it would pop up a username/password prompt. Again, I wanted control
based on username over whether they should go via the parent/redirector or not.

# testing authentication
acl nothing_auth proxy_auth "/etc/squid/acl/nothing_auth"
http_access allow nothing_auth
always_direct allow nothing_auth
redirector_access deny nothing_auth

acl everything_auth proxy_auth "/etc/squid/acl/everything_auth"
http_access allow everything_auth
never_direct allow everything_auth
redirector_access allow everything_auth

Which seemed to work, but I noticed an IP I had in
"/etc/squid/acl/everything" which was going via the parent and redirector
started going direct? If I comment out all my proxy_auth lines and restart
squid all works again. Can you mix proxy_auth and IP based ACLs like this?
Other relevant bits of my squid.conf are below.

url_rewrite_program     /usr/bin/squidguard
url_rewrite_children 10

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid.users
auth_param basic children 5
auth_param basic realm web filter
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off



To answer your question: There should be no problem mixing several types of ACL. It's just a matter of sequence.

However, since I can't tell from your examples the exact order of ACL and *_access permissions in your squid.conf, I can't offer any help as to what the problem is.


Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
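
What "a matter of sequence" means for the http_access lines, as an added example that is not part of the original thread and not Squid's own code: a simplified Python model of first-match evaluation, in which a proxy_auth ACL tested without credentials produces a 407 challenge. The addresses, user names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: placeholder addresses and user names,
# standing in for the contents of the /etc/squid/acl/* files.
SRC_LISTS = {"everything": ["192.0.2.0/28"], "nothing": ["192.0.2.64/28"]}
USER_LISTS = {"everything_auth": {"alice"}, "nothing_auth": {"bob"}}


def match_acl(name, client_ip, user):
    """Return True/False, or "challenge" if a proxy_auth ACL has no credentials."""
    if name == "all":
        return True
    if name in SRC_LISTS:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n) for n in SRC_LISTS[name])
    if user is None:
        return "challenge"  # testing proxy_auth without a login triggers a prompt
    return user in USER_LISTS[name]


def http_access(rules, client_ip, user=None):
    """Walk the rules top to bottom; the first ACL that matches decides."""
    for action, acl in rules:
        result = match_acl(acl, client_ip, user)
        if result == "challenge":
            return "407 via " + acl
        if result:
            return action + " via " + acl
    return "deny (no rule matched)"


# Same rules, two orders: src ACLs before proxy_auth ACLs, and the reverse.
SRC_FIRST = [("allow", "everything"), ("allow", "nothing"),
             ("allow", "nothing_auth"), ("allow", "everything_auth"),
             ("deny", "all")]
AUTH_FIRST = [("allow", "nothing_auth"), ("allow", "everything_auth"),
              ("allow", "everything"), ("allow", "nothing"),
              ("deny", "all")]

if __name__ == "__main__":
    for label, rules in (("src first", SRC_FIRST), ("auth first", AUTH_FIRST)):
        print(label)
        print("  known IP, no login:", http_access(rules, "192.0.2.5"))
        print("  roaming, no login :", http_access(rules, "198.51.100.7"))
        print("  roaming, as alice :", http_access(rules, "198.51.100.7", "alice"))
```

With the src rules first, a listed address is allowed before any proxy_auth ACL is tested; with the proxy_auth rules first, the same address is challenged for a login.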
