Thanks a lot Amos.... it's working fine now... Alhamdulillahhh

-
--
---
Always try to find truth!!!

------------***---------------***--------------***------------
It's always nice to know that people with no understanding of technologies want to evaluate technical professionals based on their own lack of knowledge
------------***---------------***--------------***------------

--- On Wed, 3/25/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> Subject: Re: Limitting particular group to specific sites (not working perfectly)
> To: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
> Cc: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
> Date: Wednesday, March 25, 2009, 11:03 PM
>
> > --- On Wed, 3/25/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> >
> >> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> >> Subject: Re: Limitting particular group to specific sites (not working perfectly)
> >> To: "Truth Seeker" <truth_seeker_3535@xxxxxxxxx>
> >> Cc: "Squid maillist" <squid-users@xxxxxxxxxxxxxxx>
> >> Date: Wednesday, March 25, 2009, 11:16 AM
> >> Truth Seeker wrote:
> >> >
> >> > In my squid.conf, I am trying to grant access ONLY to a set of predefined sites for a group of users (those who are members of limitedsurfers). They are not allowed to access any other thing from the Internet. The following is the acl which I created.
> >> > All my other rules are working perfectly...
> >> >
> >> > Squid Version: 2.6 Stable
> >>
> >> Sigh. Thanks a lot for trying, but ...
> >> there are 21 different official "2.6 stable" and quite a lot of semi-official patched "2.6 stable". All of them obsolete.
> >>
> >> Which one do you mean?
> >
> > squid-2.6.STABLE6-5
> >
> >>
> >> > OS: CentOS 5.2
> >> >
> >> > First from authentication rule;
> >> > auth_param basic program /usr/lib/squid/pam_auth
> >> > external_acl_type unix_group %LOGIN /usr/lib/squid/squid_unix_group
> >> > acl limited_surfers_acl external unix_group limitedsurfers
> >> >
> >> >
> >> > Then the particular acl;
> >> > acl limited_sites dstdomain "/etc/squid/include-files/limited_site.squid"
> >>
> >> > http_access allow limited_surfers_acl limited_sites
> >>
> >> requires password THEN checks where user is going....
> >
> > Every user should authenticate with a valid user/pass, then based on their group membership, they will have separate privileges or rights. Example, limitedsurfers is only allowed to browse pre-defined sites, vipbrowser can go to all sites, surfers can go to all sites, but limitation in their downloading to 2MB per object, and time based restriction for news sites, sports sites, etc.
> >
> >>
> >> > http_access deny limited_surfers_acl
> >>
> >> requires password and denies on success. !?!
> >
> > As I mentioned, even after the successful password, as he is a member of limitedsurfers, he is only allowed to browse the dstdomain mentioned in the /etc/squid/include-files/limited_sites.squid file
> >
> > So any other access should be BLOCKED and must issue the ERR_LIMITED_SURFERS page, which I was trying to do with the following;
> >
> > http_access deny limited_surfers_acl
> > deny_info ERR_LIMITED_SURFERS limited_surfers_acl
>
> Ah, but since limited_surfers_acl is a login ACL, it sends back 'unauthorized please login again' headers to cause the browser to create a login popup....
>
> What I think you want is a sequence like this:
>
> acl limited_surfers_acl external unix_group limitedsurfers
> acl limited_sites dstdomain "/etc/squid/include-files/limited_site.squid"
>
>
> ## If the auth popup disappears completely.
> ## then uncomment this following bit:
> ## cause people to always login...
> # acl login proxy_auth REQUIRED
> # http_access deny !login
>
>
> # deny with a custom message if they are going wrong...
> deny_info ERR_LIMITED_SURFERS limited_sites
> http_access deny limited_surfers_acl !limited_sites
>
> # allow access to limited_sites if they are okay...
> http_access allow limited_sites limited_surfers_acl
>
> # followup security blankets ...
> http_access deny all
>
> Amos
>
> >
> >>
> >> do you have a '!' on the IP address line you say works perfectly?
> >
> > The following is the rule which I injected for the IP based;
> >
> > ### Violators IP
> > acl violators_ip src "/etc/squid/include-files/violators_ip.squid"
> >
> >
> > ### Only Allowing Certain Sites for VIOLATORS
> > acl violators_sites dstdomain "/etc/squid/include-files/violators_site.squid"
> > http_access allow violators_ip violators_sites
> > http_access deny violators_ip
> > deny_info ERR_VIOLATORS_IP violators_ip
> >
> >
> > So, my idea is, according to the squid logs which I am processing through webalizer, the users who are trying too much to violate our policy, like using proxy sites, we will put their IP in the violators_ip.squid file which will end up in tighter surfing rules with the above mentioned rule.
> >
> > This is working as I wish... but the user based for limited surfers is not working without giving the username and password three times.. for the success request it is working with just 1 time username and password.
> >
> >
> > According to my understanding what I put for limited browsers is correct. But why it is not working correctly? I don't understand about it???
> >
> >>
> >>
> >> > deny_info ERR_LIMITED_SURFERS limited_surfers_acl
> >> >
> >> >
> >> > Now the situation is;
> >> > It is perfectly granting access to the sites listed in the limited_site.squid file
> >> >
> >> > But when I try to access some other site, it will ask the username/password 3 times (even when we give the correct username/pass) then only it is denying the request.
> >> >
> >> > Why it is happening so?
> >> >
> >> > I have almost the same kind of rule like this for a particular list of IP's instead of users. That is working perfect for allowing and denying.
> >> >
> >> > Can anybody help me in this case...
> >> >
> >> > Thanks in Advance...
> >> >
> >>
> >> Amos
> >> --
> >> Please be using
> >>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> >>   Current Beta Squid 3.1.0.6
> >
> >
> > Things are running on Live environment. Will it be an issue while switching from 2.6 to 2.7 ???
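The behaviour Amos describes (a deny line that ends in a login ACL re-challenges the browser instead of serving the deny_info page) is modelled below as a small Python simulation of Squid's first-match http_access evaluation, comparing the original ordering with Amos's. This is an added example, not code from the thread or from Squid; the contents of the dstdomain list (".allowed.example") are constructed, and the 407/deny_info rules are simplified to the two cases the thread turns on.

```python
# Toy model of Squid's http_access evaluation (added illustration, not Squid code).
# Lines are tried top to bottom, ACLs on a line are ANDed, the first full match wins.
# Modelled Squid behaviour: a matching *deny* line whose last ACL is a login ACL
# (proxy_auth, or an external ACL fed %LOGIN) yields 407 so the browser re-prompts;
# otherwise 403 with the deny_info page registered for that last ACL.
AUTH_KINDS = {"proxy_auth", "external_login"}
# name -> (kind, values); the dstdomain list contents are constructed for the example.
ACLS = {
    "limited_surfers_acl": ("external_login", {"limitedsurfers"}),
    "limited_sites": ("dstdomain", {".allowed.example"}),
    "all": ("all", set()),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "external_login":   # unix_group lookup keyed on the %LOGIN name
        return req["group"] in values
    # dstdomain: a leading dot also matches subdomains
    return any(req["host"] == d.lstrip(".") or req["host"].endswith(d) for d in values)

def evaluate(http_access, deny_info, req):
    """Return (status, error_page) for the first http_access line matching req."""
    for action, terms in http_access:
        for term in terms:
            negate, last = term.startswith("!"), term.lstrip("!")
            if acl_matches(last, req) == negate:   # this term fails: try the next line
                break
        else:                                      # every term on the line matched
            if action == "allow":
                return 200, None
            if ACLS[last][0] in AUTH_KINDS:
                return 407, None                   # re-challenge instead of an error page
            return 403, deny_info.get(last, "ERR_ACCESS_DENIED")
    return 403, "ERR_ACCESS_DENIED"

# Truth Seeker's original ordering: the deny line ends in the login ACL.
ORIGINAL = [("allow", ["limited_surfers_acl", "limited_sites"]),
            ("deny", ["limited_surfers_acl"])]
ORIGINAL_DENY_INFO = {"limited_surfers_acl": "ERR_LIMITED_SURFERS"}
# Amos's ordering: the deny line ends in !limited_sites, a dstdomain ACL.
FIXED = [("deny", ["limited_surfers_acl", "!limited_sites"]),
         ("allow", ["limited_sites", "limited_surfers_acl"]),
         ("deny", ["all"])]
FIXED_DENY_INFO = {"limited_sites": "ERR_LIMITED_SURFERS"}

def compare(host, group="limitedsurfers"):
    """Evaluate one authenticated request under both orderings: (original, fixed)."""
    req = {"group": group, "host": host}
    return evaluate(ORIGINAL, ORIGINAL_DENY_INFO, req), evaluate(FIXED, FIXED_DENY_INFO, req)
```

For a limitedsurfers member visiting an unlisted host the original ordering returns 407 (the repeated password prompts), while Amos's ordering returns 403 with ERR_LIMITED_SURFERS.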