Re: [squid-users] Priblem with ACL -max_user_ip & deny_info

From: Abdul-Azeez <azeez@dont-contact.us>
Date: Fri, 3 Jan 2003 01:45:17 +0100

Hi Henrik,

What I really want to do is this:
I have a group of users called "imsd-users" whom I want to be able to login
during office hours, so I authenticate them using proxy_auth;

All other users that attempt to login during office hours are disallowed and
see a custom message which I have defined;

I want to discourage imsd-users from sharing their passwords (or logging in
from more than one PC) so I use the "max_user_ip -s" ACL; and

I want imsd-users that attempt to login from more than one PC to
see another custom message which I have defined.

Regards
Abdul

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Abdul-Azeez" <azeez@citizensbankng.com>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, January 02, 2003 3:00 PM
Subject: Re: [squid-users] Priblem with ACL -max_user_ip & deny_info

> Hmm.. can you please describe in detail what it is you are trying to do.
> You seem to be using a mix of authentication and IP based acls.
>
> Regards
> Henrik
>
>
> Abdul-Azeez wrote:
> >
> > Hi Henrik,
> >
> > thanks, I tried your suggestion ie
> > "http_access deny imsd-users multiple-login-normal"
> >
> > But I am now being CONSTANTLY denied access and the following lines are
> > written to my cache.access file.
> >
> > 2002/12/31 17:34:30| The request GET http://www.yahoo.com/ is DENIED, because it matched 'imsd-users'
> > 2002/12/31 17:34:30| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> > 2002/12/31 17:34:34| The request GET http://www.yahoo.com/ is DENIED, because it matched 'all-cib-staff'
> > 2002/12/31 17:34:34| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> >
> > abdul
> >
> > ----- Original Message -----
> >
> > From: "Henrik Nordstrom" <hno@squid-cache.org>
> > To: "Abdul-Azeez" <azeez@citizensbankng.com>
> > Cc: <squid-users@squid-cache.org>
> > Sent: Tuesday, December 31, 2002 1:57 PM
> > Subject: Re: [squid-users] Priblem with ACL -max_user_ip & deny_info
> >
> > > This is because max_user_ip requires the user to log in in order to
> > > identify the user, so when the user is required to log in the acl who
> > > denied them access anonymously was "multiple-login-normal".
> > >
> > > You should be able to use
> > >
> > > http_access deny imsd-users multiple-login-normal
> > >
> > > to get around this.
> > >
> > > Regards
> > > Henrik
> > >
> > > Abdul-Azeez wrote:
> > > >
> > > > Hi all,
> > > > I am running squid2.5 STABLE1 and I use proxy_auth to authenticate my
> > > > users.
> > > > I also used the "max_user_ip -s" to limit login from more than one
> > > > computer and this works well. I want users who attempt to break this
> > > > second rule to see a custom message but it seems to work funnily.
> > > >
> > > > The custom message is now displayed both when a user enters a wrong
> > > > password (or none at all) and when multiple login is attempted from 2 PCs.
> > > > Part of my ACL are shown below
> > > > .
> > > > acl multiple-login-normal max_user_ip -s 1 # max no. of login by user from diff. IP addresses
> > > > .
> > > > acl all-cib-staff src 128.1.0.0/16 #all users in the in CIB
> > > > .
> > > > acl imsd-users proxy_auth REQUIRED # users in systems dept.
> > > > .
> > > > acl working-hours time MTWHF 08:00-17:00 # official bank working hours
> > > > .
> > > > .
> > > > deny_info mult-log-normal multiple-login-normal
> > > > http_access deny multiple-login-normal
> > > > http_access allow all-cib-staff !working-hours
> > > > http_access allow imsd-users
> > > > http_access deny all-cib-staff
> > > > .
> > > >
> > > > Can someone please tell me what I am doing wrong? Or suggest better
> > > > ACL lines to implement my plan.
> > > >
> > > > Abdul
> > >
>
Received on Thu Jan 02 2003 - 10:09:45 MST
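
Added example (not part of the thread and not Squid's own code): a simplified Python model of the http_access evaluation Henrik describes, run over the rules quoted above, showing which ACL name a login challenge or denial is attributed to and therefore which deny_info page is shown. The request fields, the `evaluate` helper and the sample requests are constructed assumptions; a wrong password is modelled the same as no credentials.

```python
# Simplified model of Squid http_access evaluation (illustration, not Squid source).
# Assumption: rules are checked top-down, ACLs on a line left to right, and the
# last ACL evaluated on the deciding line is the name deny_info is keyed on.

AUTH_ACLS = {"imsd-users", "multiple-login-normal"}  # both need a username

def acl_matches(name, req):
    if name.startswith("!"):
        return not acl_matches(name[1:], req)
    if name == "all-cib-staff":            # src 128.1.0.0/16
        return req["src"].startswith("128.1.")
    if name == "working-hours":            # time MTWHF 08:00-17:00
        return req["office_hours"]
    if name == "imsd-users":               # proxy_auth REQUIRED
        return req["user"] is not None
    if name == "multiple-login-normal":    # max_user_ip -s 1
        return req["user_ip_count"] > 1
    raise ValueError(name)

def evaluate(rules, req):
    """Return (verdict, name of the ACL the verdict is attributed to)."""
    for action, acls in rules:
        for name in acls:
            if name.lstrip("!") in AUTH_ACLS and req["user"] is None:
                return "CHALLENGE", name   # login required; page chosen via this name
            if not acl_matches(name, req):
                break                      # line does not apply, try the next rule
        else:
            return action.upper(), acls[-1]
    # No line matched: the default is the opposite of the last rule's action.
    return ("ALLOW" if rules[-1][0] == "deny" else "DENY"), None

TAIL = [("allow", ["all-cib-staff", "!working-hours"]),
        ("allow", ["imsd-users"]),
        ("deny", ["all-cib-staff"])]
ORIGINAL = [("deny", ["multiple-login-normal"])] + TAIL
SUGGESTED = [("deny", ["imsd-users", "multiple-login-normal"])] + TAIL

# Constructed sample requests, all during office hours from inside 128.1.0.0/16.
no_creds = {"src": "128.1.2.3", "office_hours": True, "user": None, "user_ip_count": 0}
one_pc = dict(no_creds, user="abdul", user_ip_count=1)
two_pcs = dict(no_creds, user="abdul", user_ip_count=2)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for req_name, req in (("no_creds", no_creds), ("one_pc", one_pc), ("two_pcs", two_pcs)):
            print(label, req_name, evaluate(rules, req))
```

With the original rules the login challenge is attributed to multiple-login-normal, so its deny_info page appears for a missing or wrong password; with the two-ACL deny line the challenge is attributed to imsd-users and the custom page is left for the second-PC case.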
