On 10/08/20 8:43 pm, Roberto Nunnari wrote:
> Hello.
>
> I need to build a new linux server with squid to replace an old one.
> The old server is running squid version 3.3.8 and authenticates against
> Active Directory. In the conf I see ldap, ntlm, kerberos and negotiator
> + wbinfo.
>
> The new server is running squid version 4.4.8. I’m trying to keep it
> simple and keep the conf file clean.
> That’s why for authentication and authorization I try to use only
> basic_ldap_auth and ext_ldap_group_acl.
>
> I would like to understand the basics of squid.conf but I find the
> online documentation is missing the basics.. for instance I believe the
> acl directive uses logical ‘and’ when using multiple values on the same
> line, and uses logical ‘or’ when using multiple lines for the same acl
> name..

Which part of the online documentation are you looking at?

On the official website (<http://www.squid-cache.org/>) menu under
"Documentation" we have several sources:

* Reference guide - for detailed description of a specific directive if
  you are needing a reminder of usage or specific details of its operation.
* Examples - how-to config snippets for common installation needs.
* Books for learning Squid; beginners guide, and expert reference.
* FAQ and Wiki for more up to date alternative to the books.

> That is something that should be written clearly in the documentation.
> Maybe it is somewhere, but I could not find that information.

<https://wiki.squid-cache.org/SquidFaq/SquidAcl#And.2FOr_logic>

> Same for http_access.. how does it work? What happens when the first
> match is found? Does it apply the rule and exit, or go on to the next
> lines?

<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>

> What I need to implement is more or less this:
>
> 5) Some websites are forbidden for everybody

  acl blacklist dstdomain ...
  http_access deny blacklist

> 1) Every user needs to provide valid username and password (from AD).

  auth_param ...
  acl login proxy_auth REQUIRED
  http_access deny !login

> 4) Some websites are accessible without being in group 2) or in file 3)

  acl whitelist dstdomain ...
  http_access allow whitelist

> 2) Users who belong to a given AD group, can go on and access the
> internet

  external_acl_type groups ...
  acl groupCheck external groups groupName
  http_access allow groupCheck

> 6) Some websites are allowed only for users in group 2)

  acl forbidOthers dstdomain ...

> 3) Other users need to be inside a file. If they are found in that
> file, they can access the internet

  acl otherUsers proxy_auth "/etc/squid/usernames_allowed"
  http_access allow !forbidOthers otherUsers
  http_access deny all

Note the order of policy enforcement. Deny as much as possible first,
allow later. Faster ACL types first whenever possible.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
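To make the ordering argument in the reply concrete, here is an added example (editor's code, not Squid's and not from anyone in the thread) that walks constructed requests through the sketched policy. It models the rules stated in the two FAQ pages linked above: all values of one acl name are OR'ed, the ACLs on one http_access line are AND'ed, the first http_access line whose ACLs all match decides, and with no match the result is the opposite of the last line. Domain names, usernames and the AD group name are constructed, the usernames file is inlined, and the ext_ldap_group_acl helper is replaced by a group set carried on the request.

```python
"""Toy evaluator for Squid http_access semantics (added example, not Squid code).

Modelled rules: acl values OR'ed; ACLs on one http_access line AND'ed, with
'!' negating one; first fully matching http_access line wins; no match gives
the opposite of the last line; an empty rule list denies. Only dstdomain,
proxy_auth, external and the built-in 'all' acl types are supported.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    user: Optional[str]               # None: client sent no credentials
    host: str                         # destination host of the request
    groups: frozenset = frozenset()   # constructed stand-in for the group helper's answer


@dataclass
class Acl:
    kind: str
    values: list = field(default_factory=list)


class Policy:
    def __init__(self, config: str):
        self.acls = {"all": Acl("all")}   # built-in acl that matches every request
        self.rules = []                    # (allow?, [(negated?, acl name)], line text)
        for raw in config.splitlines():
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue
            if fields[0] == "acl":
                name, kind, *values = fields[1:]
                acl = self.acls.setdefault(name, Acl(kind))
                if acl.kind != kind:
                    raise ValueError(f"acl {name}: type changed between lines")
                acl.values.extend(values)   # a repeated acl line only adds OR'ed values
            elif fields[0] == "http_access":
                if fields[1] not in ("allow", "deny"):
                    raise ValueError(f"bad http_access action: {raw}")
                terms = [(t.startswith("!"), t.lstrip("!")) for t in fields[2:]]
                for _, name in terms:
                    if name not in self.acls:
                        raise ValueError(f"http_access uses undefined acl {name}")
                self.rules.append((fields[1] == "allow", terms, raw.strip()))
            # auth_param, external_acl_type etc. take no part in the decision itself

    def _matches(self, name: str, req: Request) -> bool:
        acl = self.acls[name]
        if acl.kind == "all":
            return True
        if acl.kind == "dstdomain":
            def dom(v):   # ".example.com" covers the domain and subdomains; bare name is exact
                return (req.host == v[1:] or req.host.endswith(v)) if v.startswith(".") else req.host == v
            return any(dom(v) for v in acl.values)
        if acl.kind == "proxy_auth":
            if req.user is None:
                return False   # real Squid would send a 407 challenge at this point
            return "REQUIRED" in acl.values or req.user in acl.values
        if acl.kind == "external":
            _helper, *group_names = acl.values   # first value names the external_acl_type
            return any(g in req.groups for g in group_names)
        raise ValueError(f"unsupported acl type {acl.kind}")

    def evaluate(self, req: Request):
        """Return (decision, text of the http_access line that decided)."""
        for allow, terms, text in self.rules:
            if all(self._matches(name, req) != negated for negated, name in terms):
                return ("allow" if allow else "deny", text)
        if not self.rules:
            return ("deny", "<no http_access lines>")
        return ("deny" if self.rules[-1][0] else "allow", "<no match: opposite of last line>")


# Constructed squid.conf fragment in the reply's order: deny first, allow later.
CONFIG = """
acl blacklist dstdomain .gambling.example .malware.example
http_access deny blacklist
acl login proxy_auth REQUIRED
http_access deny !login
acl whitelist dstdomain .intranet.example .updates.example
http_access allow whitelist
acl groupCheck external groups internet_users
http_access allow groupCheck
acl forbidOthers dstdomain .social.example
acl otherUsers proxy_auth alice bob
http_access allow !forbidOthers otherUsers
http_access deny all
"""
POLICY = Policy(CONFIG)


def decide(user, host, groups=()):
    return POLICY.evaluate(Request(user, host, frozenset(groups)))[0]


def which_rule(user, host, groups=()):
    return POLICY.evaluate(Request(user, host, frozenset(groups)))[1]


def order_matters():
    """Same two lines swapped: a host in both lists gets opposite decisions."""
    both = "acl bad dstdomain .news.example\nacl good dstdomain .news.example\n"
    deny_first = Policy(both + "http_access deny bad\nhttp_access allow good\n")
    allow_first = Policy(both + "http_access allow good\nhttp_access deny bad\n")
    req = Request("alice", "www.news.example")
    return deny_first.evaluate(req)[0], allow_first.evaluate(req)[0]
```

Running `decide("alice", "www.gambling.example", {"internet_users"})` returns "deny" even for a group member, because the blacklist line is tested before any allow line; `which_rule(None, "www.intranet.example")` shows that an unauthenticated client is stopped by `http_access deny !login` before the whitelist is ever consulted, which is the "deny as much as possible first" ordering in the reply.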