Re: Newbie: Access Control

From: Henrik Nordstrom <>
Date: Fri, 29 Jan 1999 13:18:06 +0100

anneck wrote:

> Now, managers have decided that we need additional restrictions inside the
> company who will be able to "surf" at all and stuff....
> In detail I need to be able to identify 3 user groups
> A: With complete access
> B: Only access to Intranet
> C: Access to Intranet + 6 specified domain names *sigh*

This is certainly doable.

First you have to decide on which method to distinguish the different
user classes: client IP address, proxy authentication, or ident.

Squid 2.1 requires some patching to use proxy_auth groups (see Squid 2.2 when released has the
needed functionality without any patches.

# Begin by denying external users access
acl intranet_clients src
http_access deny !intranet_clients

# B: Only access to intranet
# All users allowed, no authentication required. This has to be
# before any proxy_auth based access controls, or the user will
# be asked for authentication even if not needed for access.
acl intranet_servers dst
http_access allow intranet_servers

# A: With complete access
acl full_access_users proxy_auth "/usr/local/squid/etc/users.fullaccess"
http_access allow full_access_users

# C: Access to Intranet + 6 specified domain names *sigh*
# two rules used. One to allow specified domains, one to allow
# specified servers.
acl limited_access_users proxy_auth
acl limited_access_domains dstdomain ...
http_access allow limited_access_domains limited_access_users
acl limited_access_servers dst
http_access allow limited_access_servers limited_access_users

# Deny all else.
acl all src
http_access deny all

Henrik Nordstrom
Spare time Squid hacker
Received on Fri Jan 29 1999 - 05:16:46 MST
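
The ordering note in the reply above (the intranet rule has to come before any proxy_auth rule), shown as a small Python model of first-match http_access evaluation. This is an added example, not part of the original message or of Squid itself: the addresses, domain and user names are constructed, the limited_access_servers rule is left out, and authentication is simplified to "a proxy_auth ACL reached without credentials yields a challenge".

```python
import ipaddress

# Constructed sample values (assumptions; the post's own addresses are not shown).
ACLS = {
    "intranet_clients": ("src", ["10.0.0.0/8"]),
    "intranet_servers": ("dst", ["10.1.0.0/16"]),
    "full_access_users": ("proxy_auth", ["alice"]),
    "limited_access_users": ("proxy_auth", ["bob"]),
    "limited_access_domains": ("dstdomain", [".example.org"]),
    "all": ("src", ["0.0.0.0/0"]),
}
# http_access lines in the order given in the post.
RULES = [
    ("deny", ["!intranet_clients"]),
    ("allow", ["intranet_servers"]),
    ("allow", ["full_access_users"]),
    ("allow", ["limited_access_domains", "limited_access_users"]),
    ("deny", ["all"]),
]
# Same rules with the proxy_auth rule moved ahead of the intranet rule.
REORDERED = [RULES[0], RULES[2], RULES[1], RULES[3], RULES[4]]

class NeedAuth(Exception):
    """Raised when a proxy_auth ACL is reached without credentials."""

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if req.get("user") is None:  # proxy_auth ACL, no credentials sent
        raise NeedAuth(name)
    return req["user"] in values

def evaluate(req, rules=RULES):
    """Return 'allow', 'deny' or 'challenge'; the first matching line decides."""
    try:
        for action, names in rules:
            # ACLs on one line are ANDed left to right, stopping at the first miss.
            if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
                return action
    except NeedAuth:
        return "challenge"
    return "deny"  # not reached here: 'deny all' matches every request
```
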
