[CentOS] How to limit a user to access a few sites. (SOLVED)

Wed Mar 28 06:08:20 UTC 2007
Indunil Jayasooriya <indunil75 at gmail.com>

Hi Roy and calin.kalinix.cosma,


Thanks for all the help you have given me. Finally, I got it done.

Binding an IP address to a username with Squid and limiting access
of some users, by their IPs, to a few sites.

Rules added to the squid.conf file:

external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f
/etc/squid/ip.conf

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN

acl clientips src 192.168.101.28 192.168.101.29 192.168.101.30
acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"

http_access deny !ncsa_users
http_access deny !ip_users
http_access deny clientips !allowedsites
http_access allow ip_users clientips
http_access allow ip_users allowedsites
http_access allow ncsa_users clientips
http_access allow ncsa_users allowedsites
http_access deny clientips

Then, created /etc/squid/ip.conf and added the pairs (IP and username):

[root at worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25  indunil
192.168.101.26  asanka
192.168.101.28   www28
192.168.101.29  www29
192.168.101.30  www30
192.168.101.90  www90

Then, using htpasswd, I created the /etc/squid/squid_passwd file.

[root at worldnet squid]# cat /etc/squid/squid_passwd
indunil:TeiAQ3uqXDQNg
www:Oi4THedCcN0nQ
web:EEluAdNUco6.g
www90:3CNziF2SkgmAo
www28:eXuWlloKq1mk2
www29:6UH7KXjAZ769o
www30:RtjV9ZZHEzzaA
asanka:gX88uJrvXSV7A

Then, created the /etc/squid/allowedsites.txt file.
[root at worldnet squid]# cat /etc/squid/allowedsites.txt
.freebsd.org
ebay
cnn.com
bbc
google


Then, finally:

[root at worldnet squid]# /etc/init.d/squid restart

THANKS
INDUNIL


On 3/27/07, Roy Ong <centos-list at royong.com> wrote:
> On Tue, 2007-03-27 at 12:58 +0530, Indunil Jayasooriya wrote:
> > Hi,
> >
> >
> > >
> > > I think you probably need to combine a few rules together.
> > > Consider the following
> > >
> > > acl ncsa_users proxy_auth REQUIRED
> > > acl ip_users external ip_user %SRC %LOGIN %DST
> >
> > > acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com
> > >
> > > http_access deny !ncsa_users
> > > http_access deny !ip_users
> > > http_access allow ip_users ALLOWED_DOMAINS
> > > http_access allow ncsa_users ALLOWED_DOMAINS
> > > http_access deny all
> >
> > These rules say that ALL the IPs have access to google.com, bbc.com, cnn.com.
> >
> > That is not What I want.
>
> Oh, OK. Probably I didn't understand your requirements clearly enough. I
> see that you have provided some details below, and I'll attempt it there.
>
> > This is my scenario.
> >
> > There are about 50 users browsing the internet. 3 users out of those 50
> > misuse the internet.
> > So I only want to limit these 3 users.
> > Let's say their ips are 192.168.101.25, 192.168.101.26, 192.168.101.30
> >
> > Now I want to limit these 3 users' internet access to google.com,
> > bbc.com, cnn.com.
> > AND, the rest of the users should have access to the whole world.
> >
> > I wrote the rules below. Please check!
> >
> > external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f
> > /etc/squid/ip.conf
> >
> > acl ncsa_users proxy_auth REQUIRED
> > acl ip_users external ip_user %SRC %LOGIN
> >
> > acl clientips src 192.168.101.25 192.168.101.26 192.168.101.30
> > acl allowedsites url_regex -i "/etc/squid/allowedsites.txt"
> >
> > http_access deny !ncsa_users
> > http_access deny !ip_users
> > http_access allow ip_users clientips
> > http_access allow ip_users allowedsites
> > http_access allow ncsa_users clientips
> > http_access allow ncsa_users allowedsites
> > http_access deny clientips
>
> I would probably change it to
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access deny clientips !allowedsites                <---added this
> http_access allow ip_users clientips
> http_access allow ip_users allowedsites
> http_access allow ncsa_users clientips
> http_access allow ncsa_users allowedsites
> http_access deny clientips
>
> The added statement will DENY access if they belong to "clientips", i.e.
> 192.168.101.25 or 192.168.101.26 or 192.168.101.30, AND they are trying
> to go to a URL that is NOT defined in /etc/squid/allowedsites.txt.
>
> Remembering that http_access statements are carried out in sequence, the
> following will probably be true for the above:
>
> 1. DENY         if NOT ncsa_users
> 2. DENY         if NOT ip_users
> 3. DENY         if clientips AND NOT allowedsites
> 4. ALLOW        if ip_users AND clientips
> 5. ALLOW        if ip_users AND allowedsites
> 6. ALLOW        if ncsa_users AND clientips
> 7. ALLOW        if ncsa_users AND allowedsites
> 8. DENY         if clientips
>
>
> > My /etc/squid/allowedsites.txt is like this.
> > [root at worldnet ~]# cat /etc/squid/allowedsites.txt
> > google.com
> > bbc.com
> > cnn.com
> >
> >
> > But it still does not work.
> >
> > Please help me to solve this issue.
> >
> >
> >
> > > Basically, a new ACL was added along with the corresponding http_access
> > > test; it will only
> > >
> > > (a) be allowed IF it fulfilled the test of being an ip_users and going
> > > to a domain as defined in the ALLOWED_DOMAINS acl
> > >
> > > ~ or ~
> > >
> > > (b) be allowed IF it fulfilled the test of being an ncsa_users and going
> > > to a domain as defined in the ALLOWED_DOMAINS acl
> > >
> > > Hope this helps.
> > >
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> >
> >
>


-- 
Thank you
Indunil Jayasooriya
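
Added example, not part of the original mail or of Squid's own code: a small Python model of how Squid walks the final http_access chain posted above, first match wins, run over constructed copies of the three files in the thread (ip.conf, squid_passwd logins, allowedsites.txt). It assumes the simplifications noted in the comments (proxy_auth REQUIRED is true for any login in the password file, ip_user_check is an exact IP-to-login pairing, and `localhost` and `all` are defined as in the stock squid.conf). It makes two points the thread leaves implicit: the unrestricted users are only allowed by Squid's documented default (the opposite of the LAST http_access line), so appending one more `allow` line later silently locks them out, and lines 4 to 8 of the posted chain are redundant once lines 1 to 3 have run, so an explicit `allow ncsa_users` followed by `deny all` is the same policy without that trap.

```python
"""Trace Squid's first-match http_access evaluation over the thread's rules.
Models the ACL types used there (proxy_auth REQUIRED, src, url_regex -i, the
ip_user_check external ACL) and Squid's default when no line matches:
the opposite of the LAST line's action."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed copies of the files posted in the thread.
IP_CONF: Dict[str, str] = {                       # /etc/squid/ip.conf
    "192.168.101.25": "indunil", "192.168.101.26": "asanka",
    "192.168.101.28": "www28",   "192.168.101.29": "www29",
    "192.168.101.30": "www30",   "192.168.101.90": "www90",
}
SQUID_PASSWD = {"indunil", "www", "web", "www90",  # logins in squid_passwd
                "www28", "www29", "www30", "asanka"}
ALLOWED_SITES = [".freebsd.org", "ebay", "cnn.com", "bbc", "google"]  # url_regex -i
CLIENT_IPS = {"192.168.101.28", "192.168.101.29", "192.168.101.30"}  # acl clientips


@dataclass
class Request:
    src: str
    login: Optional[str]  # None: no Proxy-Authorization header sent
    url: str


# ACL name -> predicate.  Simplifications (assumptions of this example):
# proxy_auth REQUIRED is true for any login in the password file (real Squid
# checks the password and answers 407 when credentials are missing);
# ip_user_check is an exact (src IP, login) pairing from ip.conf;
# 'localhost' and 'all' are taken from the stock squid.conf.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "ncsa_users":   lambda r: r.login is not None and r.login in SQUID_PASSWD,
    "ip_users":     lambda r: r.login is not None and IP_CONF.get(r.src) == r.login,
    "clientips":    lambda r: r.src in CLIENT_IPS,
    "allowedsites": lambda r: any(re.search(p, r.url, re.IGNORECASE)
                                  for p in ALLOWED_SITES),
    "localhost":    lambda r: r.src == "127.0.0.1",
    "all":          lambda r: True,
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])

# The eight http_access lines of the solved configuration, in order.
THREAD_RULES: List[Rule] = [
    ("deny",  ["!ncsa_users"]),
    ("deny",  ["!ip_users"]),
    ("deny",  ["clientips", "!allowedsites"]),
    ("allow", ["ip_users", "clientips"]),
    ("allow", ["ip_users", "allowedsites"]),
    ("allow", ["ncsa_users", "clientips"]),
    ("allow", ["ncsa_users", "allowedsites"]),
    ("deny",  ["clientips"]),
]

# Same policy stated explicitly: after lines 1-3 every surviving request is
# an authenticated, IP-bound user the policy permits, so one allow plus a
# closing 'deny all' replaces lines 4-8 and removes the implicit default.
EXPLICIT_RULES: List[Rule] = [
    ("deny",  ["!ncsa_users"]),
    ("deny",  ["!ip_users"]),
    ("deny",  ["clientips", "!allowedsites"]),
    ("allow", ["ncsa_users"]),
    ("deny",  ["all"]),
]


def decide(rules: List[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """First match wins.  Returns (action, 1-based matching line), or
    (<opposite of the last line's action>, None) when nothing matched."""
    for lineno, (action, terms) in enumerate(rules, start=1):
        # a term matches when its ACL result differs from its '!' flag
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action, lineno
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def trace(rules: List[Rule], src: str, login: Optional[str], url: str):
    return decide(rules, Request(src, login, url))


SAMPLE_REQUESTS = [  # constructed (src, login, url) triples
    ("192.168.101.28", "www28",   "http://www.cnn.com/"),      # restricted, allowed site
    ("192.168.101.28", "www28",   "http://www.example.com/"),  # restricted, other site
    ("192.168.101.25", "indunil", "http://www.example.com/"),  # unrestricted user
    ("192.168.101.28", "indunil", "http://www.cnn.com/"),      # login from the wrong IP
    ("192.168.101.90", "web",     "http://www.google.com/"),   # login missing from ip.conf
    ("192.168.101.25", None,      "http://www.cnn.com/"),      # no credentials
]


def decisions(rules: List[Rule]) -> List[str]:
    return [decide(rules, Request(*r))[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for src, login, url in SAMPLE_REQUESTS:
        action, line = trace(THREAD_RULES, src, login, url)
        where = f"line {line}" if line else "default"
        print(f"{src:16} {str(login):8} {url:26} -> {action} ({where})")
```

Running it shows indunil from 192.168.101.25 reaching www.example.com only through the default, while the same request against `EXPLICIT_RULES` is allowed by line 4. Append `http_access allow localhost` to the thread's chain and that default flips to deny for every unrestricted user; the explicit chain is unaffected. Nothing here replaces `squid -k parse` and a look at access.log on the real box.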