Luca Dell'Oca wrote:
On 5/13/08 4:00 PM, "Amos Jeffries" <squid3@xxxxxxxxxxxxx> wrote:
acl Java browser Java/1.4 Java/1.5
http_access allow Java
Ah, bingo. great big security hole.
Anyone claiming to be Java now gets unlimited web browsing. And I do
mean ANYONE, anywhere on the net.
I've said I am a newbie :-) So, how should I write this one? I found the
example on the internet and thought it would be right.
:-) so many pages on the net need re-writing.
Add an acl listing the internal network IP ranges that are supposed to
be okay sources.
http_access allow Java localnet
That will cut down the hole to only internal abusers. Still not even
rating 'great'. But a lot better than open.
Even better would be to drop it down the list as far as it can go. So as
many of the denials as possible can do their magic.
http_access allow localhost
http_access deny blockcache AuthUser
http_access allow allowedurls AuthUser
acl lunchbreak time D 13:00-14:00
acl lunchbreaksites dstdomain "/etc/squid/lunchbreaksites"
http_access allow lunchbreak lunchbreaksites
So far it looks okay. Those are all everyone-or-nobody right?
Exactly, we have caching sites like google and yahoo in "blockcache" file
and sites everyone can see in "allowedurls". Same for "lunchbreaksites",
everyone during this period can see those sites.
# User by user ACL:
acl administrator proxy_auth REQUIRED
acl assistenza proxy_auth REQUIRED
Here is where the problems start.
'REQUIRED' means only that the person MUST login. Squid does not care
what the username/password is, just that it authenticates.
To get specific user having access to a specific site you need to list
the username in the acl. Like so:
acl administrator proxy_auth admin Administrator
acl assistent proxy_auth john
For small sites or short lists it's usable.
For larger sites or ones where you want better control than manually
typing each out, external_acl_type is your friend.
An external ACL script can take the %LOGIN and %DST etc and lookup a
database of who and where they are allowed. The result can be used in
one place to allow/deny.
http://www.squid-cache.org/Versions/v2/2.6/cfgman/external_acl_type.html
external_acl_type blah .....
acl foo external blah
http_access allow foo
http_access deny all
Thanks so much for the hint, I will try on Monday when I'll be back in the
office. Right now I think we will use the internal list in squid.conf, since
we have not so many users, but I'll try also the external_acl, so I can
learn something for the future!!!
I will let you know about the tests.
Luca.
Amos
--
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
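The external ACL helper Amos describes above, written out as an added example (not code from the thread or from the Squid project). Squid starts the helper, feeds it one line per request built from the format tokens given in external_acl_type (here %LOGIN %DST, i.e. the authenticated username and the destination host), and reads back a line starting with OK or ERR. The helper path, the user/site policy table and the sample usernames are all constructed for the example; a real deployment would look the pairs up in a database or directory instead of a dict.

```python
#!/usr/bin/env python3
"""External ACL helper for Squid (constructed example, not Squid project code).

squid.conf lines it assumes (helper path is hypothetical):

    external_acl_type userdst %LOGIN %DST /usr/local/bin/userdst_helper.py
    acl userdst_ok external userdst
    http_access allow userdst_ok
    http_access deny all

Squid writes "%LOGIN %DST" per request to stdin and expects OK or ERR back.
Anything the helper cannot positively allow is answered ERR, so the final
"http_access deny all" is what the request falls through to.
"""
import sys

# Constructed sample policy: username -> domains that user may reach.
# "*" means every destination.  A real helper would query a database/LDAP.
POLICY = {
    "admin": {"*"},
    "john": {"support.example.com", "ticket.example.net"},
}


def domain_allowed(dst, allowed):
    """True if dst equals, or is a subdomain of, one of the allowed domains."""
    if "*" in allowed:
        return True
    dst = dst.lower().rstrip(".")
    for dom in allowed:
        dom = dom.lower()
        if dst == dom or dst.endswith("." + dom):
            return True
    return False


def decide(login, dst):
    """Return 'OK' or 'ERR' for one login/destination pair."""
    allowed = POLICY.get(login)
    if not allowed:
        return "ERR"  # unknown user: deny rather than fall through to allow
    return "OK" if domain_allowed(dst, allowed) else "ERR"


def handle_line(line):
    """Parse one request line from Squid and build the reply line."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"  # malformed or truncated input: deny
    login, dst = parts[0], parts[1]
    # Squid substitutes "-" for a token it cannot fill, e.g. %LOGIN when the
    # client has not authenticated; treat that as no user.
    if login == "-":
        return "ERR"
    return decide(login, dst)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks until it reads the answer


if __name__ == "__main__":
    main()
```

Because the helper answers from the combined (user, destination) pair, one "http_access allow userdst_ok" replaces a growing pile of per-user proxy_auth and dstdomain ACLs, and the ordering concern from earlier in the thread reduces to keeping that allow line below the everyone-or-nobody rules and above "deny all".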