Hi Roy and calin.kalinix.cosma,
Thanks for all the help you have given me. Finally, I got it done.
Binding an ip address to an username with SQUID and limiting access of some users with their ips to a few sites
Rules added to the squid.conf file:
external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN
acl clientips src 192.168.101.28 192.168.101.29 192.168.101.30
acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"
http_access deny !ncsa_users
http_access deny !ip_users
http_access deny clientips !allowedsites
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips
Then, I created /etc/squid/ip.conf and added the pairs (IP and username):
[root@worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25 indunil
192.168.101.26 asanka
192.168.101.28 www28
192.168.101.29 www29
192.168.101.30 www30
192.168.101.90 www90
Then, by using htpasswd, I created the /etc/squid/squid_passwd file.
[root@worldnet squid]# cat /etc/squid/squid_passwd
indunil:TeiAQ3uqXDQNg
www:Oi4THedCcN0nQ
web:EEluAdNUco6.g
www90:3CNziF2SkgmAo
www28:eXuWlloKq1mk2
www29:6UH7KXjAZ769o
www30:RtjV9ZZHEzzaA
asanka:gX88uJrvXSV7A
Then, I created the /etc/squid/allowedsites.txt file.
[root@worldnet squid]# cat /etc/squid/allowedsites.txt
.freebsd.org
ebay
cnn.com
bbc
google
Then, finally,
[root@worldnet squid]# /etc/init.d/squid restart
THANKS, INDUNIL
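To see why the final ruleset above restricts only the listed IPs while Roy's first suggestion restricted everyone, here is an added simulation of Squid's first-match http_access evaluation (this is example code, not from the thread or from Squid). It assumes the ip_user helper answers OK only when the login matches the ip.conf entry for the source address, treats a request without credentials as failing proxy_auth, and uses constructed data copied from the files shown above.

```python
import re

# Constructed data mirroring the files posted in the thread.
IP_CONF = {"192.168.101.25": "indunil", "192.168.101.26": "asanka",
           "192.168.101.28": "www28", "192.168.101.29": "www29",
           "192.168.101.30": "www30", "192.168.101.90": "www90"}
CLIENTIPS = {"192.168.101.28", "192.168.101.29", "192.168.101.30"}
ALLOWEDSITES = [".freebsd.org", "ebay", "cnn.com", "bbc", "google"]

# Roy's first suggestion (ends in "deny all") and the final working ruleset,
# one http_access line per entry, in the order they appear in squid.conf.
FIRST_RULES = ["deny !ncsa_users", "deny !ip_users", "allow ip_users ALLOWED_DOMAINS",
               "allow ncsa_users ALLOWED_DOMAINS", "deny all"]
FINAL_RULES = ["deny !ncsa_users", "deny !ip_users", "deny clientips !allowedsites",
               "allow ip_users clientips", "allow ip_users allowedsites",
               "allow ncsa_users clientips", "allow ncsa_users allowedsites",
               "deny clientips"]

def acl_matches(name, src, login, url):
    """Evaluate one ACL as the thread's squid.conf defines it (assumed helper semantics)."""
    if name == "ncsa_users":                         # proxy_auth REQUIRED
        return login is not None
    if name == "ip_users":                           # external helper: pair listed in ip.conf
        return login is not None and IP_CONF.get(src) == login
    if name == "clientips":                          # acl clientips src ...
        return src in CLIENTIPS
    if name in ("allowedsites", "ALLOWED_DOMAINS"):  # url_regex -i from allowedsites.txt
        return any(re.search(p, url, re.IGNORECASE) for p in ALLOWEDSITES)
    if name == "all":
        return True
    raise ValueError(f"unknown acl {name}")

def http_access(rules, src, login, url):
    """Return 'allow' or 'deny' using Squid's first-match http_access semantics.

    A line matches only when every ACL on it matches ('!' negates one ACL).
    When no line matches, Squid applies the opposite of the last line's action,
    which is why the final ruleset still lets unlisted users reach any site.
    """
    last_action = "allow"
    for rule in rules:
        action, *acls = rule.split()
        last_action = action
        if all(acl_matches(a.lstrip("!"), src, login, url) != a.startswith("!")
               for a in acls):
            return action
    return "deny" if last_action == "allow" else "allow"
```

Running http_access(FINAL_RULES, ...) for a listed IP against a site outside allowedsites.txt returns 'deny', while an unlisted authenticated user falls through every line and is allowed by the implicit default.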
On 3/27/07, Roy Ong centos-list@royong.com wrote:
On Tue, 2007-03-27 at 12:58 +0530, Indunil Jayasooriya wrote:
Hi,
I think you probably need to combine a few rules together. Consider the following:
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all
These rules say that ALL the IPs have access to google.com bbc.com cnn.com.
That is not what I want.
Oh ok - probably I didn't understand your requirements clearly enough - I see that you have provided some details below and I'll attempt there.
This is my scenario.
There are about 50 users browsing the internet. 3 users out of those 50 misuse the internet. So I only want to limit these 3 users. Let's say their IPs are 192.168.101.25, 192.168.101.26, 192.168.101.30
Now I want to limit these 3 users' internet access to google.com bbc.com cnn.com. AND, the rest of the users should have access to the whole world.
I wrote the rules below. Pls check!!
external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN
acl clientips src 192.168.101.25 192.168.101.26 192.168.101.30
acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"
http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips
I would probably change it to:
http_access deny !ncsa_users
http_access deny !ip_users
http_access deny clientips !allowedsites    <--- added this
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips
The added statement will DENY access if they belong to "clientips", i.e. 192.168.101.25 or 192.168.101.26 or 192.168.101.30, AND they are trying to go to a URL that is NOT defined in /etc/squid/allowedsites.txt.
Remembering that http_access statements are carried out in sequence, the following will probably be true for the above:
- DENY if NOT ncsa_users
- DENY if NOT ip_users
- DENY if clientips AND NOT allowedsites
- ALLOW if ip_users AND clientips
- ALLOW if ip_users AND allowedsites
- ALLOW if ncsa_users AND clientips
- ALLOW if ncsa_users AND allowedsites
- DENY if clientips
My /etc/squid/allowedsites.txt is like this.
[root@worldnet ~]# cat /etc/squid/allowedsites.txt
google.com
bbc.com
cnn.com
But it still does not work.
Pls help me to solve this issue.
Basically, a new ACL was added along with the corresponding http_access test; it will only
(a) be allowed IF it fulfils the test of being an ip_users and going to a domain as defined in the ALLOWED_DOMAINS acl
~ or ~
(b) be allowed IF it fulfils the test of being an ncsa_users and going to a domain as defined in the ALLOWED_DOMAINS acl
Hope this helps.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos