[squid-users] ACL Not working the way I'd like.

From: Chris Berry <compjma@dont-contact.us>
Date: Tue, 10 Jun 2003 17:05:57 -0700

I hope this isn't already listed somewhere, I tried to solve it on my own
first, then checked google, the squid faq, and the archives, but I'm either
searching for the wrong thing or it's not there. I already asked this
question on the IPCOP list but no one was able to help, this seems an
appropriate place to check next.

I have a remote office with five employees who use an IPCOP box to connect
to the internet. The workstations are win2k (and no, I can't change that.
Some of our software only works on MS, I'm working on it). I need to set it
up so that four of the users are only allowed to go to sites on a small
list, while the manager can go anywhere. IPCOP uses SQUID as its proxy
component, so I've done some reading and here's what I've come up with:

I created a directory called controls in /var/ipcop/proxy
I created a file called collectors_group in the controls directory which
holds the login names of members of this group, as a test case I'm using the
root account.
I created a file called collectors_sites in the controls directory which has
a list of url regexes where they are allowed to go, as a test case I have
blackborder\.com as the only entry.
The directory and both files are owned and grouped with the nobody user that
IPCOP uses for the proxy directory.
Using jmacs (death to vi!) I edited the /var/ipcop/proxy/squid.conf file to
add the following lines:

authenticate_program /usr/lib/squid/ncsa_auth /etc/shadow
acl collectors_group proxy_auth REQUIRED "/var/ipcop/proxy/controls/collectors_group"
acl collectors_sites url_regex "/var/ipcop/proxy/controls/collectors_sites"
http_access allow collectors_sites collectors_group
http_access deny collectors_group

I made sure to put all of that BEFORE any other http_access rules. As far
as I can tell it doesn't seem to be working, anyone have an idea of what's
going on?

Chris Berry
compjma@hotmail.com
Systems Administrator
JM Associates

"Within every man beats a heart of darkness." --The Shadow

Received on Tue Jun 10 2003 - 18:06:02 MDT
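
An added example, not part of the original post: a small Python model of how the posted http_access lines are evaluated (top to bottom, ACLs on one line ANDed, first matching line decides; REQUIRED in a proxy_auth ACL matches any authenticated user). The "manager" login, the test URLs and the trailing "allow all" rule are assumptions, and both users are treated as already authenticated.

```python
import re

# Constructed stand-ins for the two files described in the post.
GROUP_FILE = ["root"]                # controls/collectors_group
SITES_FILE = [r"blackborder\.com"]   # controls/collectors_sites

def proxy_auth(values):
    """proxy_auth ACL; REQUIRED among its values matches any authenticated user."""
    values = set(values)
    return lambda user, url: "REQUIRED" in values or user in values

def url_regex(patterns):
    """url_regex ACL; matches when any pattern is found in the URL."""
    compiled = [re.compile(p) for p in patterns]
    return lambda user, url: any(c.search(url) for c in compiled)

def decide(rules, acls, user, url):
    """The first http_access line whose ACLs all match decides the request."""
    for action, names in rules:
        if all(acls[n](user, url) for n in names):
            return action
    return "deny"  # model choice when no line matches

RULES = [
    ("allow", ["collectors_sites", "collectors_group"]),
    ("deny", ["collectors_group"]),
    ("allow", ["all"]),  # assumed stand-in for the box's later http_access rules
]

def acls_for(group_values):
    return {
        "collectors_group": proxy_auth(group_values),
        "collectors_sites": url_regex(SITES_FILE),
        "all": lambda user, url: True,
    }

AS_POSTED = acls_for(["REQUIRED"] + GROUP_FILE)  # REQUIRED plus the file
FILE_ONLY = acls_for(GROUP_FILE)                 # names from the file only

def policy_table(acls):
    """Decisions for a restricted user and a hypothetical manager login."""
    cases = [("root", "http://www.blackborder.com/"),
             ("root", "http://www.example.org/"),
             ("manager", "http://www.example.org/")]
    return [(u, url, decide(RULES, acls, u, url)) for u, url in cases]

if __name__ == "__main__":
    for label, acls in (("as posted", AS_POSTED), ("file only", FILE_ONLY)):
        for row in policy_table(acls):
            print(label, *row)
```

In this model the ACL as posted puts every authenticated login, including the manager, under the deny line; with only the names from the file, the manager falls through to the later rules.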
