Re: ACL block_user List

On 04.03.25 21:42, Piana, Josh wrote:
I apologize to show one issue, but now reference another. We decided to not use the "block_user" list as it’s a bit dated. A similar issue is happening now with our "mmedia_users" list. It just doesn't seem to work the way it's intended.

Users on this list are supposed to be allowed special access to sites we typically block. Such as Youtube, Reddit, Facebook, etc. Well as of right now, any changes made to the list don't seem to impact the user having access to those sites or not.

Here's how we have it written:

# these override the general blacklists by explicitly allowing things
# exempts users from content blocking in this list
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"

# allow exempted users to the sites in this list
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"

# allow mmedia user to access a mmedia site, via appropriate protocols
http_access allow mmedia_sites mmedia_users

So if the user is on the "mmedia_users" list, they can access sites that are a part of the "mmedia_sites" list.

And, what is the problem?
I see one possible - you aren't blocking anyone here.
In that case you need to append something like:

http_access deny mmedia_sites
or perhaps:

http_access deny mmedia_sites !mmedia_users
deny_info http://<explanation> mmedia_users



On 1/03/25 03:54, Piana, Josh wrote:
I am attempting to set up an ACL block list based on usernames from a
Windows AD environment.

When I have this added to my squid.conf file, all outbound connections
stop working:

acl block_user proxy_auth_regex -i "/etc/squid/block_user"

http_access deny block_user

I have also tried “!block_user”.

From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Was that "NOT MATCHING block_user" condition used with allow or deny action?

What prior or followup http_access lines are processed when that ACL check results in "need login" due to lack of username value?

As you can see, I have it set so if a Windows username is on the
“block_user” list, Squid will deny internet access to that user.
Unfortunately, this doesn’t work in practice. I have a working
Kerberos back-end setup, handling authentication. What am I doing
wrong with this setup?

1) The block_user ACL you have defined is a Regular Expression test against the username, not a check of the exact username. So you need to be very careful of the specific regex patterns you are using.

(If you want me to check validity, you can post to me directly here, do not post actual values to this public list).

2) The block_user ACL implicitly requires authentication to have been performed before it can perform its check. Check your auth_param settings, and prior proxy_auth type ACL that perform the login.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
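
Point 1 in the reply above (proxy_auth_regex is a regular-expression test, not an exact username check) can be audited before a list goes live. The following is an added example, not code from the thread or from the Squid project: the usernames and patterns are constructed, the one-pattern-per-line file layout is assumed, and Python's re module stands in for Squid's regex engine, which is an assumption that holds for simple patterns like these.

```python
import re

# Constructed sample data: not taken from the thread.
DIRECTORY_USERS = ["jsmith", "jsmithers", "ajsmith", "MJones", "svc_backup"]
PATTERN_FILE = """\
# one pattern per line (assumed layout of the ACL file)
jsmith
mjones
^svc_
.
"""

def load_patterns(text):
    """Return non-blank, non-comment lines as patterns."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def audit(patterns, users):
    """Map each pattern to the sorted usernames it matches.

    Uses an unanchored, case-insensitive search, which is how a regex
    ACL declared with -i treats the username.
    """
    report = {}
    for pat in patterns:
        rx = re.compile(pat, re.IGNORECASE)
        report[pat] = sorted(u for u in users if rx.search(u))
    return report

def overbroad(report):
    """Patterns that do not match exactly one account."""
    return {p: hits for p, hits in report.items() if len(hits) != 1}

def anchored(name):
    """Build a pattern that matches only the literal username."""
    escaped = re.sub(r"([.\[\]\\()*+?{}|^$])", r"\\\1", name)
    return "^" + escaped + "$"

if __name__ == "__main__":
    for pat, hits in overbroad(audit(load_patterns(PATTERN_FILE), DIRECTORY_USERS)).items():
        print(f"{pat!r} matches {len(hits)} accounts: {hits}")
    print("suggested:", anchored("jsmith"))
```

Run it against an export of the real account names: any pattern reported as matching more than one account either allows or denies more users than the list's author intended.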
