Re: ACLs Implementation help

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

yay! :)

On 11/11/10 23:39, Edmonds Namasenda wrote:
> Much appreciated for the previous help.
> Some more clarification on the in-line requests below.
> On Wed, Nov 10, 2010 at 2:38 PM, Amos Jeffries<squid3@xxxxxxxxxxxxx>  wrote:
> > On 09/11/10 20:25, Edmonds Namasenda wrote:
> > > Dear all.
> > > Using openSuse 11.2 and Squid 3.0 Stable 18
> > >
> > > Besides commenting out anything to do with 'localnet', below is all that
> > > I added or edited on squid.conf
> > >
> > > # Authentication Program
> > > auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> > >
> > > # Start ACLs (bottom of ACL section defaults)
> > > acl passt proxy_auth REQUIRED        # Authentication file to be used
> > > "passt"
> > > acl net_ed src 10.100.10.0/24<http://10.100.10.0/24>  192.168.7.0/24
> > > <http://192.168.7.0/24>  10.208.6.0/24<http://10.208.6.0/24>          # My
> > > networks
> > > acl dove src 10.100.10.248-10.100.10.255        # Unrestricted Internet
> > > access I.P range
> > > acl whrs1 time MTWHF 9:00-12:59        # Morning work shift
> > > acl whrs2 time MTWHF 13:00-16:59        # Afternoon work shift
>
> meant to be ...
> acl whrs2 time MTWHF 14:00-16:59
>
> > > acl nowww dstdomain "/etc/squid/noWWW"        # Inaccessible URLs file path
> > > acl nodwnld urlpath_regex "/etc/squid/noDWNLD"        # Unavailable
> > > downloads file path
> > >
> > > # End ACLs
> > >
> > > # Start http_access Edits (top of http_access section defaults)
> > > http_access allow dove        # Internet access without authentication,
> > > denied URLs or download restrictions
> > > http_access deny nowww whrs1 whrs2        # Deny URLs during work shifts
> >
> > Um, this means that when the clock says simultaneously that it is both morning AND afternoon...
> >
> > ... to deny with an OR combine the time periods into one ACL name or split the http_access into two lines.
>
> http_access deny nowww whrs1
> http_access deny nodwnld whrs1
> http_access deny nowww whrs2
> http_access deny nodwnld whrs2
> ... works great so far as tested.
>
> > Amos
>
> How do I enforce password authentication ONLY ONCE for users to

What do you mean by "ONLY ONCE"? A user can be authenticated or not, 
there is no multiple about it.

> internet access using file "passt"?
> http_access allow passt net_ed  ?!

With the above Squid will pull the auth details sent by the browser out 
of the request. If there are none it will skip the access line.

You place the ACL of type proxy_auth (in this case "past") last on the 
line to make Squid request credentials from the browser.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3