Re: [squid-users] Priblem with ACL -max_user_ip & deny_info

From: Abdul-Azeez <azeez@dont-contact.us>
Date: Fri, 3 Jan 2003 15:27:59 +0100

Hi Henrik,

The two groups will be differentiated by login names.

Abdul
----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Abdul-Azeez" <azeez@citizensbankng.com>
Cc: <squid-users@squid-cache.org>
Sent: Thursday, January 02, 2003 7:51 PM
Subject: Re: [squid-users] Priblem with ACL -max_user_ip & deny_info

> How do you want to differentiate the two groups? By login names or by IP
> addresses?
>
> If one group is differentiated by their IP address, should they still be
> required to log in?
>
> Regards
> Henrik
>
> Abdul-Azeez wrote:
> >
> > Hi Henrik,
> >
> > What I really want to do is this:
> > I have a group of users called "imsd-users" whom I want to be able to login
> > during office hours, so I authenticate them using proxy_auth;
> >
> > All other users that attempt to login during office hours are disallowed and
> > see a custom message which I have defined;
> >
> > I want to discourage imsd-users from sharing their passwords (or logging in
> > from more than one PC) so I use the "max_user_ip -s" ACL; and
> >
> > I want imsd-users that attempt to login from more than one PC to
> > see another custom message which I have defined.
> >
> > Regards
> > Abdul
> >
> > ----- Original Message -----
> > From: "Henrik Nordstrom" <hno@squid-cache.org>
> > To: "Abdul-Azeez" <azeez@citizensbankng.com>
> > Cc: <squid-users@squid-cache.org>
> > Sent: Thursday, January 02, 2003 3:00 PM
> > Subject: Re: [squid-users] Priblem with ACL -max_user_ip & deny_info
> >
> > > Hmm.. can you please describe in detail what it is you are trying to do.
> > > You seem to be using a mix of authentication and IP based acls.
> > >
> > > Regards
> > > Henrik
> > >
> > >
> > > Abdul-Azeez wrote:
> > > >
> > > > Hi Henrik,
> > > >
> > > > thanks, I tried your suggestion ie
> > > > "http_access deny imsd-users multiple-login-normal"
> > > >
> > > > But I am now being CONSTANTLY denied access and the following lines are
> > > > written to my cache.access file.
> > > >
> > > > 2002/12/31 17:34:30| The request GET http://www.yahoo.com/ is DENIED, because it matched 'imsd-users'
> > > >
> > > > 2002/12/31 17:34:30| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> > > >
> > > > 2002/12/31 17:34:34| The request GET http://www.yahoo.com/ is DENIED, because it matched 'all-cib-staff'
> > > >
> > > > 2002/12/31 17:34:34| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> > > >
> > > > abdul
> > > >
> > > > ----- Original Message -----
> > > >
> > > > From: "Henrik Nordstrom" <hno@squid-cache.org>
> > > > To: "Abdul-Azeez" <azeez@citizensbankng.com>
> > > > Cc: <squid-users@squid-cache.org>
> > > > Sent: Tuesday, December 31, 2002 1:57 PM
> > > > Subject: Re: [squid-users] Priblem with ACL -max_user_ip & deny_info
> > > >
> > > > > This is because max_user_ip requires the user to log in in order to
> > > > > identify the user, so when the user is required to log in the acl who
> > > > > denied them access anonymously was "multiple-login-normal".
> > > > >
> > > > > You should be able to use
> > > > >
> > > > > http_access deny imsd-users multiple-login-normal
> > > > >
> > > > > to get around this.
> > > > >
> > > > > Regards
> > > > > Henrik
> > > > >
> > > > > Abdul-Azeez wrote:
> > > > > >
> > > > > > Hi all ,
> > > > > > > I am running squid2.5 STABLE1. and I use proxy_auth to authenticate my
> > > > > > > users.
> > > > > > > I also used the "max_user_ip -s" to limit login from more than one computer
> > > > > > > and this works well. I want users who attempt to break this second rule
> > > > > > > to see a custom message but it seems to work funnily.
> > > > > > >
> > > > > > > The custom message is now displayed both when a user enters a wrong password
> > > > > > > (or none at all) and when multiple login is attempted from 2 PCs.
> > > > > > > Part of my ACL are shown below
> > > > > > .
> > > > > > > acl multiple-login-normal max_user_ip -s 1 # max no. of login by user from diff. IP addresses
> > > > > > > .
> > > > > > > acl all-cib-staff src 128.1.0.0/16 # all users in the CIB
> > > > > > > .
> > > > > > > acl imsd-users proxy_auth REQUIRED # users in systems dept.
> > > > > > > .
> > > > > > > acl working-hours time MTWHF 08:00-17:00 # official bank working hours
> > > > > > > .
> > > > > > > .
> > > > > > > deny_info mult-log-normal multiple-login-normal
> > > > > > > http_access deny multiple-login-normal
> > > > > > > http_access allow all-cib-staff !working-hours
> > > > > > > http_access allow imsd-users
> > > > > > > http_access deny all-cib-staff
> > > > > > > .
> > > > > >
> > > > > > > Can someone please tell me what I am doing wrong? Or suggest better
> > > > > > > ACL lines to implement my plan.
> > > > > >
> > > > > > Abdul
> > > > >
> > >
>
Received on Fri Jan 03 2003 - 00:02:17 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:25 MST
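
Added example, not part of the thread and not Squid's own code: a simplified Python model of the explanation quoted above, showing why the `mult-log-normal` page appears for a request with no login under the original rule order and not once `imsd-users` is placed first on the deny line. The evaluation model, the request fields and the assumption that the suggested line replaces the first deny line are illustrative; the model does not reproduce the denials reported in the later reply.

```python
# Simplified model of http_access evaluation (assumption, not Squid source):
# rules are tried top-down, ACLs on a line are ANDed left to right, and an
# ACL that needs a username stops evaluation when no login was supplied.
ACL_TYPES = {
    "multiple-login-normal": "max_user_ip",
    "all-cib-staff": "src",
    "imsd-users": "proxy_auth",
    "working-hours": "time",
}
NEEDS_USER = {"max_user_ip", "proxy_auth"}
DENY_INFO = {"multiple-login-normal": "mult-log-normal"}  # from the post
ORIGINAL = [
    ("deny", ["multiple-login-normal"]),
    ("allow", ["all-cib-staff", "!working-hours"]),
    ("allow", ["imsd-users"]),
    ("deny", ["all-cib-staff"]),
]
# Assumption: the suggested line replaces the first deny line.
SUGGESTED = [("deny", ["imsd-users", "multiple-login-normal"])] + ORIGINAL[1:]
class NeedLogin(Exception): pass

def match(name, req):
    kind = ACL_TYPES[name]
    if kind in NEEDS_USER and req["user"] is None:
        raise NeedLogin(name)                  # this ACL forces the login
    if kind == "max_user_ip":
        return req["ips_for_user"] > 1         # "-s 1" in the post
    if kind == "src":
        return req["ip"].startswith("128.1.")  # 128.1.0.0/16
    if kind == "time":
        return req["office_hours"]
    return True                                # proxy_auth REQUIRED, logged in

def evaluate(rules, req):
    # Returns (outcome, deciding ACL, deny_info page or None).
    for action, names in rules:
        try:
            hit = all(match(n.lstrip("!"), req) != n.startswith("!") for n in names)
        except NeedLogin as exc:
            acl = str(exc)
            return ("login-required", acl, DENY_INFO.get(acl))
        if hit:
            acl = names[-1].lstrip("!")
            page = DENY_INFO.get(acl) if action == "deny" else None
            return (action, acl, page)
    return ("deny", None, None)

ANON = {"user": None, "ip": "128.1.2.3", "ips_for_user": 0, "office_hours": True}  # constructed
SHARED = {"user": "u1", "ip": "128.1.2.4", "ips_for_user": 2, "office_hours": True}  # constructed
```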