Re: "Complex" acl process - Many Ips, many different places, many logins, and many websites ...

Julien P. wrote:
Hi everyone,
I'm having some trouble understanding how the acl process works.

I'm trying to link a mySQL database to my squid in order to allow me
to setup some specific access rights according to some specific users
from different places to different websites.

What I did is an acl that will check the domain and the source_ip
external_acl_type ExternalisBad ttl=20 %SRC %DST /etc/squid3/external_bad
acl isBad external ExternalisBad

And I also created my own auth_param block

auth_param basic program /etc/squid3/sql_auth
auth_param basic children 20
auth_param basic realm Username and password
auth_param basic credentialsttl 1 minute


You forgot to mention this bit of the config:
  acl sql_auth proxy_auth REQUIRED

Now, when someone's trying to access a website, this is what I do
http_access allow sql_auth isBad

It is working, but the thing is: it doesn't care whether the username
is linked to the %SRC IP or not... So basically, if you are
registered with full access rights in another place, you will be able
to access all the content even if your access is supposed to be
denied. Does that make sense?

Yes, it makes sense. The ACL rules do not (yet) state the full conditions though.

The above rule states only if the user can login and also if IP + destination domain are paired. No specific three-way link.


I added the %IDENT to the external_acl_type rule. Since the sql_auth
process is called before I was thinking that maybe the %IDENT would be
stored somewhere somehow and be accessible in the isBad acl right
away...

external_acl_type ExternalisBad ttl=20 %SRC %IDENT %DST /etc/squid3/external_bad

Apparently this is not working.

Yes not working. %IDENT is the result of the IDENT protocol lookup.

You are wanting %LOGIN, which is the result of the proxy authentication (aka login).


Does anyone have any idea how to do what I want to do?

You have the approach right. Just not the right tag. Make the above change and it should work just fine.


If you want me to be more specific, let me know!

Thank you so much Guys,
Julien

PS:
debian:/squid3 -v
Squid Cache: Version 3.0.STABLE8

Um, please use STABLE13+ as soon as possible. Major security risks in earlier releases.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
