Re: [squid-users] FTP, control on who can and who can't, with external group authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 24 Jan 2003 12:42:27 +0100

You also need to deny access to ftp...

http_access allow ftp techuser
http_access deny ftp
http_access allow webuser
http_access deny all

Or alternatively, which I think works better for you based on the
definitions of your groups:

http_access deny ftp !techuser
http_access allow webuser
http_access deny all

Regards
Henrik Nordström

Wed 2003-01-22 at 08.52, Arno_STREULI@ca-indosuez.ch wrote:
> Hi all,
> I'm using squid 2.5 STABLE1 on Solaris 8 with NTLM authentication (including
> external group authentication); all of it works fine.
>
> But I need to make some restrictions on who can and who can't do FTP (including
> with size), so here is what I did:
> (squid.conf)
>
> acl ftp proto FTP
> acl auth proxy_auth REQUIRED
> acl techuser external NT_global_group SurfeursWebCH-T (user allowed to use FTP)
> acl webuser external NT_global_group SurfeursWebCH SurfeursWebCH-T (user allowed
> to access internet for browsing)
> http_access allow ftp techuser
> http_access allow auth webuser
> http_access deny all
>
> (These two parameters don't work, but if I remember right it's resolved in the
> current CVS version of squid, due to a need for a second authentication; not too
> big a deal for now)
> reply_body_max_size 0 allow techuser (unlimited get for techuser)
> reply_body_max_size 2000000 allow all (limited get for all user)
>
> But a user can do FTP; here is what I get in my log file:
> 1043166154.341 111241 10.137.170.31 TCP_MISS/200 11676396 GET
> ftp://sunsite.cnlab-switch.ch/mirror/opera/win/605/ja/java/ow32jaja605j.exe
> d-ch-bi1\bi247 DIRECT/195.176.255.9 application/octet-stream ...
>
>
> and this user is not a member of the techuser group.
>
> Can you help ?
>
> Regards,
>
> Arno

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Jan 24 2003 - 04:42:33 MST
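
Added example (not part of the thread and not Squid code): a small Python model of http_access evaluation, run over the original rules from the question and the two rule sets from the reply, showing why the logged FTP download was allowed and where each corrected rule set stops it. ACL matching is modelled as set membership, authentication challenges are not simulated, and the names ORIGINAL, FIX_A, FIX_B and the sample requests are constructed for this illustration.

```python
# Added illustration: first-match evaluation of Squid http_access rules.
# ACLs on one line are ANDed, "!" negates an ACL, and the first rule
# whose ACLs all match decides the request.

ORIGINAL = """\
http_access allow ftp techuser
http_access allow auth webuser
http_access deny all
"""
FIX_A = """\
http_access allow ftp techuser
http_access deny ftp
http_access allow webuser
http_access deny all
"""
FIX_B = """\
http_access deny ftp !techuser
http_access allow webuser
http_access deny all
"""

def parse(conf):
    """Turn http_access lines into (action, [acl, ...]) tuples, in order."""
    rules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return rules

def decide(conf, matched):
    """Return (action, rule number) for a request matching the ACLs in `matched`."""
    rules = parse(conf)
    for number, (action, acls) in enumerate(rules, 1):
        if all((a[1:] not in matched) if a.startswith("!") else (a in matched)
               for a in acls):
            return action, number
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed requests, each given as the set of ACL names it matches.
FTP_WEBUSER = {"all", "auth", "ftp", "webuser"}   # like the logged download
FTP_TECHUSER = {"all", "auth", "ftp", "webuser", "techuser"}
HTTP_WEBUSER = {"all", "auth", "webuser"}

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fix A", FIX_A), ("fix B", FIX_B)):
        for label, req in (("ftp/webuser", FTP_WEBUSER),
                           ("ftp/techuser", FTP_TECHUSER),
                           ("http/webuser", HTTP_WEBUSER)):
            print(f"{name:9} {label:13} -> {decide(conf, req)}")
```

In the original rule set the FTP request from a webuser-only account falls through the first line and is allowed by the second, because nothing denies ftp before the general allow is reached.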
