On 17/01/2015 7:15 a.m., Samuel Anderson wrote:
> Hello All,
>
> I'm attempting to create a way to grant users access to different
> categories using Active Directory. Currently what I have works, but
> if a website is not listed in any of the whitelists it will allow
> traffic to that website. If I add a (http_access deny all) at the
> end, then nothing works. What I would like is for a user to only
> have access to whitelists that they are a member of. I'll have
> around 50 categories in the end. This is just a small sample.
>
> Thanks,
>

You have omitted it, but if I assume you are using the usual
external_acl_type definition with %LOGIN, then it actually returns 3
states: a match, a non-match and a missing-auth result.

The !group construction matches true for both of the latter two
(non-match and missing-auth) results. So your config below will deny
users access while they are still un-authenticated, in a way that
prevents authentication.

> acl NEWS external ldap_group NEWS
> acl SHOPPING external ldap_group SHOPPING
> acl SOCIALNETWORKING external ldap_group SOCIALNETWORKING
> acl RELIGION external ldap_group RELIGION
> acl SPORTNEWS external ldap_group SPORTNEWS
>
> acl rule1 url_regex -i "/etc/squid3/whitelists/news/domains"
> acl rule2 url_regex -i "/etc/squid3/whitelists/shopping/domains"
> acl rule3 url_regex -i "/etc/squid3/whitelists/socialnetworking/domains"
> acl rule4 url_regex -i "/etc/squid3/whitelists/religion/domains"
> acl rule5 url_regex -i "/etc/squid3/whitelists/sportnews/domains"
>

If those are truly just domains, use the dstdomain ACL type instead of
the dangerous and relatively slow url_regex.

You need to ensure valid auth credentials exist before doing anything
with !group:

  acl authed proxy_auth REQUIRED
  http_access deny !authed

> http_access deny rule1 !NEWS all
> http_access deny rule2 !SHOPPING all
> http_access deny rule3 !SOCIALNETWORKING all
> http_access deny rule4 !RELIGION all
> http_access deny rule5 !SPORTNEWS all

and restrict the allow to some condition where you know exactly what
traffic is actually allowed. localnet is the usual ACL to permit
defined LAN clients.

> http_access allow all

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
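As an added worked example (not from the thread, and not Samuel's or Amos's configuration), here is a complete access-control section assembled along the lines of the reply above: clients are forced to authenticate before any group lookup runs, dstdomain replaces url_regex, and each category is granted by an allow line gated on group membership. It goes one step beyond the reply by ending in a default `http_access deny all`, which is the behaviour Samuel asked for (a user reaches only the whitelists of the groups they belong to, nothing else). Host names, DNs, file paths, the LAN range and both helper command lines are assumptions for illustration; the LDAP filters in particular depend on the directory schema and must be checked against the basic_ldap_auth and ext_ldap_group_acl manual pages before use.

```conf
# --- Authentication (assumed basic auth against AD via LDAP) --------------
# Every value on these two helper lines is illustrative. With AD, the
# 'member' attribute holds user DNs, so the group filter usually needs
# the helper's user-DN lookup options as well; see ext_ldap_group_acl(8).
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=example,dc=com" -f "(sAMAccountName=%s)" -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid3/ldap.pass -h dc1.example.com
auth_param basic children 10
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

# %LOGIN hands the authenticated user name to the group helper. This is
# why the helper has three outcomes: match, non-match, and "no login yet".
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b "dc=example,dc=com" -f "(&(objectclass=group)(cn=%g)(member=%v))" -D "cn=squid,cn=Users,dc=example,dc=com" -W /etc/squid3/ldap.pass -h dc1.example.com

# --- ACL definitions -------------------------------------------------------
acl localnet src 192.168.1.0/24          # assumed LAN range
acl authed   proxy_auth REQUIRED

# One ACL per AD group (the group name is passed to the helper as %g).
acl NEWS             external ldap_group NEWS
acl SHOPPING         external ldap_group SHOPPING
acl SOCIALNETWORKING external ldap_group SOCIALNETWORKING
acl RELIGION         external ldap_group RELIGION
acl SPORTNEWS        external ldap_group SPORTNEWS

# dstdomain, not url_regex: exact host matching, no regex metacharacters,
# and a single hash lookup per request. Files hold one domain per line;
# a leading dot (.example.com) matches the domain and all its subdomains.
acl news_sites             dstdomain "/etc/squid3/whitelists/news/domains"
acl shopping_sites         dstdomain "/etc/squid3/whitelists/shopping/domains"
acl socialnetworking_sites dstdomain "/etc/squid3/whitelists/socialnetworking/domains"
acl religion_sites         dstdomain "/etc/squid3/whitelists/religion/domains"
acl sportnews_sites        dstdomain "/etc/squid3/whitelists/sportnews/domains"

# --- http_access: order is everything --------------------------------------
# 1. Only the LAN may even attempt to use the proxy.
http_access deny !localnet

# 2. Force credentials before any group test. Because the last ACL on this
#    deny line is a proxy_auth ACL, a request without credentials gets a
#    407 challenge instead of a plain denial. Every line below therefore
#    sees a real login, so the helper's missing-auth state never reaches
#    a group test.
http_access deny !authed

# 3. A category is reachable only by members of its group. A domain that
#    appears in no whitelist matches none of these lines.
http_access allow NEWS             news_sites
http_access allow SHOPPING         shopping_sites
http_access allow SOCIALNETWORKING socialnetworking_sites
http_access allow RELIGION         religion_sites
http_access allow SPORTNEWS        sportnews_sites

# 4. Default deny: everything not explicitly allowed above is refused.
http_access deny all
```

Two design notes. First, the allow-per-category form above and the deny form quoted in the thread (`http_access deny news_sites !NEWS all` followed by `http_access allow localnet`) behave identically for domains that are in some whitelist; they differ for domains in no whitelist, which the deny form lets through and this form refuses. Second, the trailing `all` in that deny form is not decoration: squid turns a deny into a 407 re-challenge when the last ACL tested on the line is a login-dependent one, so `all` makes the deny a plain 403 for an authenticated user who is simply not in the group. In the configuration above the only login-dependent deny is the deliberate `deny !authed`, which is exactly where a challenge is wanted. Run `squid -k parse` after editing to catch syntax errors before reloading.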