Re: ACL block_user List

Hey Amos, 

I apologize to show one issue, but now reference another. We decided to not use the "block_user" list as it’s a bit dated. A similar issue is happening now with our "mmedia_users" list. It just doesn't seem to work the way it's intended.

Users on this list are supposed to be allowed special access to sites we typically block, such as YouTube, Reddit, Facebook, etc. Well, as of right now, any changes made to the list don't seem to impact the user having access to those sites or not.

Here's how we have it written:

# these override the general blacklists by explicitly allowing things
# exempts users from content blocking in this list
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"

# allow exempted users to the sites in this list
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"

# allow mmedia user to access a mmedia site, via appropriate protocols
http_access allow mmedia_sites mmedia_users

So if the user is on the "mmedia_users" list, they can access sites that are a part of the "mmedia_sites" list. 





-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: Saturday, March 1, 2025 3:31 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  ACL block_user List

On 1/03/25 03:54, Piana, Josh wrote:
> Hello,
>
> I am attempting to set up an ACL block list based on usernames from a 
> Windows AD environment.
>
> When I have this added to my squid.conf file, all outbound connections 
> stop working:
>
> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
>
> http_access deny block_user
>
> I have also tried “!block_user”.

Was that "NOT MATCHING block_user" condition used with allow or deny action?

What prior or followup http_access lines are processed when that ACL check results in "need login" due to lack of username value?

>
> As you can see, I have it set so if a Windows username is on the 
> “block_user” list, Squid will deny internet access to that user.
> Unfortunately, this doesn’t work in practice. I have a working 
> Kerberos back-end setup, handling authentication. What am I doing 
> wrong with this setup?
>

1) The block_user ACL you have defined is a Regular Expression test against the username, not a check of the exact username. So you need to be very careful of the specific regex patterns you are using.

(If you want me to check validity, you can post to me directly here, do not post actual value to this public list).

2) The block_user ACL implicitly requires authentication to have been performed before it can perform its check. Check your auth_param settings, and prior proxy_auth type ACLs that perform the login.


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
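
Amos's first point, that a proxy_auth_regex list is searched as regular expressions rather than compared as exact usernames, shown as an added example that is not part of the original thread. It assumes POSIX extended regex syntax, emulated here with grep -E -i; the matching_pattern helper, the list contents and the usernames are all constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Emulates an unanchored,
# case-insensitive regex search over a username, which is how a
# proxy_auth_regex -i list is described in the reply above.
# Assumption: patterns are POSIX extended regular expressions.

# matching_pattern LISTFILE USERNAME   (hypothetical helper)
# Prints the first pattern in LISTFILE that matches USERNAME and returns 0;
# returns 1 when no pattern matches.
matching_pattern() {
    listfile=$1
    user=$2
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        # Skip blank lines and comments (assumption about the list layout).
        case $pattern in ''|'#'*) continue ;; esac
        if printf '%s\n' "$user" | grep -E -i -q -e "$pattern"; then
            printf '%s\n' "$pattern"
            return 0
        fi
    done < "$listfile"
    return 1
}

# Constructed sample lists: bare names versus anchored patterns.
workdir=$(mktemp -d)
printf '%s\n' 'ann' 'jsmith' > "$workdir/loose"
printf '%s\n' '^ann(@.*)?$' '^jsmith(@.*)?$' > "$workdir/anchored"

# Constructed usernames, in the user@REALM form a Kerberos login may yield
# (assumption; the thread does not show the actual username format).
for user in ann@EXAMPLE.COM joanne@EXAMPLE.COM JSmith@EXAMPLE.COM jsmithers@EXAMPLE.COM; do
    for list in loose anchored; do
        if hit=$(matching_pattern "$workdir/$list" "$user"); then
            echo "$list: $user matched by $hit"
        else
            echo "$list: $user not matched"
        fi
    done
done
```

With the bare-name list, joanne and jsmithers are caught by the entries meant for ann and jsmith; the anchored list matches only the intended accounts, with or without a realm suffix.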