[CentOS] How to limit a user to access a few sites.
Roy Ong
centos-list at royong.com
Mon Mar 26 13:16:18 UTC 2007
On Mon, 2007-03-26 at 13:59 +0530, Indunil Jayasooriya wrote:
> Hi ,
>
> I am now running squid with ncsa_auth.
>
> I have bound ip addresses to usernames. So users now can access
> Internet from their ips.
>
> Now I want to prevent a few users from accessing all the sites. But
> instead, I want to allow them to access a few sites such as
> google.com, cnn.com, bbc.com. I want to limit in that way.
>
> I have written the rules below. But those users still can access all the
> sites.
>
> external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN %DST
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access allow ip_users
> http_access allow ncsa_users
>
> my ip.conf file is like this.
> [root at worldnet squid]# cat /etc/squid/ip.conf
> 192.168.101.25 indunil .google.com .bbc.com .cnn.com
> 192.168.101.90 www90
>
> According to the above file, user indunil with ip address
> 192.168.101.25 has access to google.com, bbc.com and cnn.com.
> But the user indunil still has access to all the sites.
>
> How can I solve this?
I think you probably need to combine a few rules together.
Consider the following:

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all

Basically, a new ACL was added, along with the corresponding http_access
test. It will only

(a) be allowed IF it fulfilled the test of being an ip_users and going
to a domain as defined in the ALLOWED_DOMAINS acl
~ or ~
(b) be allowed IF it fulfilled the test of being an ncsa_users and going
to a domain as defined in the ALLOWED_DOMAINS acl

Hope this helps.
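
The rule logic discussed in this thread, as an added example that is not part of the original posts: a small Python model of Squid's top-down, first-match http_access evaluation, run over both rule sets with constructed requests. It assumes the ip_user helper accepts exactly the two address/user pairs in ip.conf; the names IP_CONF, ORIGINAL, SUGGESTED and evaluate are hypothetical.

```python
import re

# Constructed model of the ACLs on this page. Assumption: the ip_user helper
# accepts exactly the two address/user pairs listed in ip.conf.
IP_CONF = {("192.168.101.25", "indunil"), ("192.168.101.90", "www90")}
ALLOWED = [re.compile(p, re.I) for p in ("google.com", "bbc.com", "cnn.com")]
ACLS = {
    "ncsa_users": lambda r: r["user"] is not None,       # proxy_auth REQUIRED
    "ip_users": lambda r: (r["src"], r["user"]) in IP_CONF,
    "ALLOWED_DOMAINS": lambda r: any(p.search(r["url"]) for p in ALLOWED),
    "all": lambda r: True,
}
ORIGINAL = """
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users
http_access allow ncsa_users
"""
SUGGESTED = """
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all
"""

def evaluate(rules, request):
    """Return (action, deciding line); lines are tried top-down, first match wins."""
    action = None
    for line in rules.strip().splitlines():
        _, action, *terms = line.split()
        # ACLs on one line are ANDed; a leading "!" negates that ACL.
        if all(ACLS[t.lstrip("!")](request) != t.startswith("!") for t in terms):
            return action, line
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if action == "allow" else "allow"), None

if __name__ == "__main__":
    # Constructed requests: src, authenticated user (None = no login), URL.
    for src, user, url in [
        ("192.168.101.25", "indunil", "http://www.google.com/"),
        ("192.168.101.25", "indunil", "http://www.example.org/"),
        ("192.168.101.90", "www90", "http://www.example.org/"),
        ("192.168.101.25", None, "http://www.google.com/"),
    ]:
        req = {"src": src, "user": user, "url": url}
        print(user, url, evaluate(ORIGINAL, req)[0], evaluate(SUGGESTED, req)[0])
```

In this model the domain test in the second rule set applies to every authenticated user, www90 included, not only to indunil.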