On Mon, 2007-03-26 at 13:59 +0530, Indunil Jayasooriya wrote:
Hi ,
I am now running squid with ncsa_auth.
I have bound ip addresses to usernames. So users now can access Internet from their ips.
Now I want to prevent a few users from accessing all the sites. Instead, I want to allow them to access a few sites such as google.com, cnn.com, bbc.com. I want to limit in that way.
I have written the rules below. But those users can still access all the sites.

external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users
http_access allow ncsa_users

My ip.conf file is like this.

[root@worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25 indunil .google.com .bbc.com .cnn.com
192.168.101.90 www90

According to the above file, user indunil with IP address 192.168.101.25 has access to google.com, bbc.com and cnn.com. But the user indunil still has access to all the sites.
How can I solve this?
I think you probably need to combine a few rules together. Consider the following:

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all

Basically, a new ACL was added and the corresponding http_access test; it will only
(a) be allowed IF it fulfilled the test of being an ip_users and going to a domain as defined in the ALLOWED_DOMAINS acl
~ or ~
(b) be allowed IF it fulfilled the test of being an ncsa_users and going to a domain as defined in the ALLOWED_DOMAINS acl
Hope this helps.
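
An added example, not from either poster: one way to limit only selected logins to a short site list, using dstdomain in place of the url_regex ACL suggested above. The ACL names restricted_users and allowed_sites are assumptions, as is the premise that ip_user_check matches only source IP and login.

```conf
# Added example (not from the thread). Assumes auth_param basic with
# ncsa_auth is already configured, as the original poster describes.

# Assumption: ip_user_check only compares source IP and login against
# ip.conf, so the helper is given just those two fields and ip.conf holds
# lines such as "192.168.101.25 indunil". Destination limits are enforced
# by Squid's own ACLs below.
external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user

# Logins that should be limited to the short site list
# (restricted_users is a hypothetical ACL name; the login is from the thread).
acl restricted_users proxy_auth indunil

# Weak form: an unescaped regex tested against the whole URL. "." matches
# any character, and the pattern is also satisfied when the text appears
# in a path or query string of an unrelated host.
#   acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
#
# Stricter form: dstdomain compares only the requested host name. A leading
# dot matches the domain itself and its subdomains.
# (allowed_sites is a hypothetical ACL name.)
acl allowed_sites dstdomain .google.com .bbc.com .cnn.com

# Order matters: http_access rules are evaluated top to bottom, first match wins.
http_access deny !ncsa_users                      # must authenticate
http_access deny !ip_users                        # login must come from its bound IP
http_access deny restricted_users !allowed_sites  # limited logins: listed sites only
http_access allow ip_users                        # everyone else: unrestricted
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it.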