On 6/03/2016 2:18 p.m., Verónica Ovando wrote:
> Hi, community.
>
> I need to understand why these rules are not working.

Unfortunately that is far from simple.

>
> My squid is working with AD authentication.
>
> I need to allow the group *AD_informatico* to visit facebook only during
> *maniana_ocio* and *tarde_ocio* and have full access to the web. They
> are not working. *AD_informatico* can visit facebook without problems. I
> tried something like this: *http_access deny !maniana_ocio facebook
> AD_informatico*, it denies the access but the browser shows a pop-up to
> login when someone visits facebook or other site that tries to connect
> to facebook. So, what happens?

  http_access deny ... AD_informatico

is a line which requires authentication. If that authentication is missing OR if the group does not match, the denial will request new credentials (i.e. ones which might pass this rule).

>
> Here is my squid.conf (a part of it):
>
> ####################################################
> #*******************HELPERS for Active Directory**************************#
> ####################################################
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=DOMAIN
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de la DPR
> auth_param basic credentialsttl 2 hours
>
> #---------------------------ACL Active Directory------------------------#
> external_acl_type Grupos_AD ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl AD_informatico external Grupos_AD informatico
>
> #--------------------Access schedules --------------------------------#
> acl maniana_ocio time MTWHF 07:00-07:59
> acl tarde_ocio time MTWHF 13:00-13:59
>
> #-----------------------List of pages------------------------------#
> acl facebook_m url_regex -i "/etc/squid3/ACLs/pagFacebook"
> acl facebook_t url_regex -i "/etc/squid3/ACLs/pagFacebook"
>
> ####################################################
> #*****************************Rules***************************************#
> ####################################################
>
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access deny after_hours all
>
> #-----------------------------Group *informatico*----------------------------#
> http_access allow maniana_ocio facebook_m AD_informatico
> http_access allow tarde_ocio facebook_t AD_informatico
> http_access allow AD_informatico
>
> http_access deny all
>
> One more question: when I move a user from a group to another in
> Active Directory, how much time does squid need to know about that change?

With:

  external_acl_type Grupos_AD ... ttl=10 ...

10 seconds.

Amos
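
The rule behaviour discussed in this thread, as an added example that is not part of the original messages and is not Squid code: a small Python model of http_access evaluation (ACLs on a line ANDed, first matching line wins) run over the posted rules, the deny line that was tried, and a hypothetical variant that negates both time windows and ends in a non-credential ACL. The single `facebook` ACL name, the user name, the `VARIANT` rule and the 403 outcome for a deny not ending in a credential ACL are assumptions of this sketch.

```python
from datetime import time

# Simplified model (an assumption, not Squid source): ACLs on a line are ANDed,
# lines are checked top-down, and the first matching line decides.
CREDENTIAL_ACLS = {"auth", "AD_informatico"}

def acl_matches(name, req):
    negated, base = name.startswith("!"), name.lstrip("!")
    value = {
        "all": True,
        "auth": req["user"] is not None,
        "AD_informatico": req["group"] == "informatico",
        "facebook": "facebook" in req["url"],
        "maniana_ocio": time(7, 0) <= req["time"] <= time(7, 59),
        "tarde_ocio": time(13, 0) <= req["time"] <= time(13, 59),
    }[base]
    return value != negated

def evaluate(rules, req):
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            if action == "allow":
                return "allow"
            # A deny ending in a credential ACL asks for new credentials (407);
            # a deny ending in any other ACL is modelled as a plain refusal (403).
            return "407" if acls[-1].lstrip("!") in CREDENTIAL_ACLS else "403"
    return "403"

HEAD = [("deny", ["!auth"])]
TAIL = [("allow", ["AD_informatico"]), ("deny", ["all"])]
# Rules as posted (the after_hours line is left out: its acl is not shown).
POSTED = HEAD + [("allow", ["maniana_ocio", "facebook", "AD_informatico"]),
                 ("allow", ["tarde_ocio", "facebook", "AD_informatico"])] + TAIL
# The deny line the poster tried.
TRIED = HEAD + [("deny", ["!maniana_ocio", "facebook", "AD_informatico"])] + TAIL
# Hypothetical variant: both windows negated, non-credential ACL placed last.
VARIANT = HEAD + [("deny", ["AD_informatico", "facebook",
                            "!maniana_ocio", "!tarde_ocio", "all"])] + TAIL

def request(hhmm, url, user="vero", group="informatico"):
    # Constructed sample request; user name and URL are made up.
    h, m = map(int, hhmm.split(":"))
    return {"time": time(h, m), "url": url, "user": user, "group": group}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("tried", TRIED), ("variant", VARIANT)):
        print(label, [evaluate(rules, request(t, "http://www.facebook.com/"))
                      for t in ("07:30", "10:00", "13:30")])
```

In the model, the posted rules allow facebook at every hour because `http_access allow AD_informatico` matches whatever the two time-limited lines skip, and the tried deny line also fires during the afternoon window because it only negates `maniana_ocio`.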