Re: Newbie: Access Control

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 29 Jan 1999 13:18:06 +0100

anneck wrote:

> Now, managers have decided that we need additional restrictions inside the
> company who will be able to "surf" at all and stuff....
> In detail I need to be able to identify 3 user groups
> A: With complete access
> B: Only access to Intranet
> C: Access to Intranet + 6 specified domain names *sigh*

This is certainly doable.

First you have to decide on which method to distinguish the different
user classes: client IP address, proxy authentication, or ident
protocol.

Squid 2.1 requires some patching to use proxy_auth groups (see
http://hem.passagen.se/hno/squid/). Squid 2.2 when released has the
needed functionality without any patches.

# Begin by denying external users access
acl intranet_clients src 10.0.0.0/255.0.0.0
http_access deny !intranet_clients

# B: Only access to intranet
# All users allowed, no authentication required. This has to be
# before any proxy_auth based access controls, or the user will
# be asked for authentication even if not needed for access.
acl intranet_servers dst 10.0.0.0/255.0.0.0
http_access allow intranet_servers

# A: With complete access
acl full_access_users proxy_auth "/usr/local/squid/etc/users.fullaccess"
http_access allow full_access_users

# C: Access to Intranet + 6 specified domain names *sigh*
# two rules used. One to allow specified domains, one to allow
# specified servers.
acl limited_access_users proxy_auth "/usr/local/squid/etc/users.limitedaccess"
acl limited_access_domains dstdomain example.com example.net ...
http_access allow limited_access_domains limited_access_users
acl limited_access_servers dst server1.example.org server2.example.org
http_access allow limited_access_servers limited_access_users

# Deny all else.
acl all src 0.0.0.0/0
http_access deny all

---
Henrik Nordstrom
Spare time Squid hacker
Received on Fri Jan 29 1999 - 05:16:46 MST
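
The rule ordering in the message above, as an added example that is not part of the original post and not Squid code: a simplified Python model of first-match http_access evaluation, in which a proxy_auth ACL evaluated without credentials yields an authentication challenge. The user names, the request fields and the suffix-style dstdomain match are assumptions of this model, and the dst-based limited_access_servers rule is left out.

```python
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")
# Constructed stand-ins for the two user files and the domain list.
FULL_USERS = {"alice"}
LIMITED_USERS = {"bob"}
LIMITED_DOMAINS = ("example.com", "example.net")

class NeedAuth(Exception):
    """Raised when a proxy_auth ACL is evaluated without credentials."""

def user_in(group):
    def check(req):
        if req.get("user") is None:
            raise NeedAuth
        return req["user"] in group
    return check

ACLS = {
    "intranet_clients": lambda r: ip_address(r["src"]) in INTRANET,
    "intranet_servers": lambda r: ip_address(r["dst"]) in INTRANET,
    "full_access_users": user_in(FULL_USERS),
    "limited_access_users": user_in(LIMITED_USERS),
    # Simplified suffix match (assumption of this model).
    "limited_access_domains": lambda r: any(
        r["host"] == d or r["host"].endswith("." + d) for d in LIMITED_DOMAINS),
    "all": lambda r: True,
}

# Same order as the http_access lines in the message.
RULES = [
    ("deny", ["!intranet_clients"]),
    ("allow", ["intranet_servers"]),
    ("allow", ["full_access_users"]),
    ("allow", ["limited_access_domains", "limited_access_users"]),
    ("deny", ["all"]),
]

def matches(name, req):
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)

def decide(req, rules=RULES):
    """Return 'allow', 'deny' or 'auth_required' for the first matching rule."""
    try:
        for action, names in rules:
            if all(matches(n, req) for n in names):  # all() stops at first miss
                return action
    except NeedAuth:
        return "auth_required"
    return "deny"
```

Passing a reordered copy of RULES as the second argument to decide() shows the effect of placing a proxy_auth rule ahead of the intranet_servers rule.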
