[CentOS] How to limit a user to access a few sites.

Roy Ong centos-list at royong.com
Mon Mar 26 13:16:18 UTC 2007


On Mon, 2007-03-26 at 13:59 +0530, Indunil Jayasooriya wrote:
> Hi , 
> 
> I am now running squid with ncsa_auth.
> 
> I have bound ip addresses to usernames. So users now can access
> Internet from their ips. 
> 
> Now I want to prevent a few users from accessing all the sites.
> Instead, I want to allow them to access a few sites such as
> google.com, cnn.com, bbc.com. I want to limit in that way.
> 
> I have written the rules below. But those users can still access all
> the sites.
> 
> external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
> 
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN %DST
> 
> http_access deny !ncsa_users 
> http_access deny !ip_users
> http_access allow ip_users
> http_access allow ncsa_users
> 
> my ip.conf file is like this. 
> [root@worldnet squid]# cat /etc/squid/ip.conf
> 192.168.101.25  indunil .google.com .bbc.com .cnn.com
> 192.168.101.90  www90
> 
> According to the above file, user indunil with IP address
> 192.168.101.25 has access to google.com, bbc.com and cnn.com.
> But the user indunil still has access to all the sites.
> 
> How can I solve this? 

I think you probably need to combine a few rules together.
Consider the following:

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com

http_access deny !ncsa_users 
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all

Basically, a new ACL was added along with the corresponding http_access
tests. A request will only

(a) be allowed IF it fulfilled the test of being an ip_users and going
to a domain as defined in the ALLOWED_DOMAINS acl

~ or ~

(b) be allowed IF it fulfilled the test of being an ncsa_users and going
to a domain as defined in the ALLOWED_DOMAINS acl

Hope this helps.
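
Added example (not part of the original message): a small Python model of how Squid evaluates the http_access lists quoted above, where the first matching line wins and every ACL on a line must match. The ip_users lookup is an assumed stand-in for the ip_user_check helper, ALLOWED_DST is a hypothetical dstdomain-style ACL, and the request data is constructed.

```python
import re

# Constructed data mirroring the ip.conf entry quoted in the thread.
IP_USER = {("192.168.101.25", "indunil")}
PATTERNS = [re.compile(p, re.I) for p in ("google.com", "bbc.com", "cnn.com")]
SUFFIXES = (".google.com", ".bbc.com", ".cnn.com")

def host_of(url):
    return url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()

ACLS = {
    "all": lambda r: True,
    # proxy_auth REQUIRED: any authenticated user
    "ncsa_users": lambda r: r["user"] is not None,
    # Assumed stand-in for the ip_user_check helper: IP/user pair is listed
    "ip_users": lambda r: (r["src"], r["user"]) in IP_USER,
    # url_regex -i: unanchored, case-insensitive search over the whole URL
    "ALLOWED_DOMAINS": lambda r: any(p.search(r["url"]) for p in PATTERNS),
    # Hypothetical dstdomain-style ACL: host is the domain or a subdomain
    "ALLOWED_DST": lambda r: ("." + host_of(r["url"])).endswith(SUFFIXES),
}

ORIGINAL = """http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users
http_access allow ncsa_users"""

REVISED = """http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all"""

def http_access(rules, req):
    """Return the action of the first rule whose ACLs all match ('!' negates)."""
    parsed = [line.split()[1:] for line in rules.splitlines()]
    for action, *names in parsed:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if parsed[-1][0] == "allow" else "allow"

def req(url, user="indunil", src="192.168.101.25"):
    return {"url": url, "user": user, "src": src}

if __name__ == "__main__":
    for url in ("http://www.example.org/", "http://www.google.com/"):
        print(url, http_access(ORIGINAL, req(url)), http_access(REVISED, req(url)))
```

Because url_regex searches the whole URL, a URL that merely contains one of the patterns also matches ALLOWED_DOMAINS; the dstdomain-style check compares the destination host only.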




