Hi Roy and calin.kalinix.cosma, Thanks for your help all the given to me. Finally, I got it done. Binding an ip address to an username with SQUID and limiting access of some users with their ips to a few sites rules added to squid.conf file external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf acl ncsa_users proxy_auth REQUIRED acl ip_users external ip_user %SRC %LOGIN acl clientips src 192.168.101.28 192.168.101.29 192.168.101.30 acl allowedsites url_regex -i "/etc/squid/allowedsites.txt" http_access deny !ncsa_users http_access deny !ip_users http_access deny clientips !allowedsites http_access allow ip_users clientips http_access allow ip_users allowedsites http_access allow ncsa_users clientips http_access allow ncsa_users allowedsites http_access deny clientips Then, created /etc/squid/ip.conf and add the pair (ip and username) [root at worldnet squid]# cat /etc/squid/ip.conf 192.168.101.25 indunil 192.168.101.26 asanka 192.168.101.28 www28 192.168.101.29 www29 192.168.101.30 www30 192.168.101.90 www90 Then, by using htpasswd, I created /etc/squid/squid_passwd file. [root at worldnet squid]# cat /etc/squid/squid_passwd indunil:TeiAQ3uqXDQNg www:Oi4THedCcN0nQ web:EEluAdNUco6.g www90:3CNziF2SkgmAo www28:eXuWlloKq1mk2 www29:6UH7KXjAZ769o www30:RtjV9ZZHEzzaA asanka:gX88uJrvXSV7A Then, created /etc/squid/allowedsites.txt file. [root at worldnet squid]# cat /etc/squid/allowedsites.txt .freebsd.org ebay cnn.com bbc google Then, Finally, [root at worldnet squid]# /etc/init.d/squid restart THNAKS INDUNIL On 3/27/07, Roy Ong <centos-list at royong.com> wrote: > On Tue, 2007-03-27 at 12:58 +0530, Indunil Jayasooriya wrote: > > Hi, > > > > > > > > > > I think you probably need to combine a few rules together. > > > Consider the following > > > > > > acl ncsa_users proxy_auth REQUIRED > > > acl ip_users external ip_user %SRC %LOGIN %DST > > > > > acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com > > > > > > http_access deny !ncsa_users > > > http_access deny !ip_users > > > http_access allow ip_users ALLOWED_DOMAINS > > > http_access allow ncsa_users ALLOWED_DOMAINS > > > http_access deny all > > > > These rules say that ALL the ips have access to google.com bbc.com cnn.com. > > > > That is not What I want. > > oh ok - probably i didn't understand your requirements clearly enuff - i > see that you have provide some details below and i'll attempt there. > > > This is my senario. > > > > There are about 50 users browsing internet. 3 users out of those 50 > > misuse internet. > > So I only want to limit these 3 users. > > Let's say their ips are 192.168.101.25, 192.168.101.26, 192.168.101.30 > > > > Now I want to limit these 3 users' internet acsess to google.com > > bbc.com cnn.com. > > AND, the rest of users should have access to whole wolrd. > > > > I wrote below rules. Pls check !! > > > > external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f > > /etc/squid/ip.conf > > > > acl ncsa_users proxy_auth REQUIRED > > acl ip_users external ip_user %SRC %LOGIN > > > > acl clientips src 192.168.101.25 92.168.101.26 192.168.101.30 > > acl allowedsites url_regex -i "/etc/squid/allowedsites.txt" > > > > http_access deny !ncsa_users > > http_access deny !ip_users > > http_access allow ip_users clientips > > http_access allow ip_users allowedsites > > http_access allow ncsa_users clientips > > http_access allow ncsa_users allowedsites > > http_access deny clientips > > i would probably change to > > http_access deny !ncsa_users > http_access deny !ip_users > http_access deny clientips !allowedsites <---added this > http_access allow ip_users clientips > http_access allow ip_users allowedsites > http_access allow ncsa_users clientips > http_access allow ncsa_users allowedsites > http_access deny clientips > > the added statement will DENY access if they belong to "clientips" i.e. > 192.168.101.25 or 192.168.101.26 or 192.168.101.30 AND they are trying > to go to a url that is NOT defined in /etc/squid/allowedsites.txt > > remembering that http_access statements are carried out in sequence, the > following will probably be true for the above > > 1. DENY if NOT ncsa_users > 2. DENY if NOT ip_users > 3. DENY if clientips AND NOT allowedsites > 4. ALLOW if ip_users AND clientips > 5. ALLOW if ip_users AND allowedsites > 6. ALLOW if ncsa_users AND clientips > 7. ALLOW if ncsa_users AND allowedsites > 8. DENY if clientips > > > > my etc/squid/allowedsites.txt is like this. > > [root at worldnet ~]# cat /etc/squid/allowedsites.txt > > google.com > > bbc.com > > cnn.com > > > > > > But, It still does not work. > > > > Pls help me to solve this issue. > > > > > > > > > Basically, a new ACL was added and the corresponding http_access test, > > > it will only > > > > > > (a) be allowed IF it fulfilled the test of being an ip_users and going > > > to a domain as defined in the ALLOWED_DOMAINS acl > > > > > > ~ or ~ > > > > > > (b) be allowed IF it fulfilled the test of being an ncsa_users and going > > > to a domain as defined in the ALLOWED_DOMAINS acl > > > > > > Hope this helps. > > > > > > > > > _______________________________________________ > > > CentOS mailing list > > > CentOS at centos.org > > > http://lists.centos.org/mailman/listinfo/centos > > > > > > > > -- Thank you Indunil Jayasooriya