[squid-users] RE: redirector_access usage

From: Jay Turner <jturner@dont-contact.us>
Date: Tue, 24 Jun 2003 13:07:14 +0800

I think I have this sorted now..

I did some more detailed, structured testing and it appears that using the
following rules it does work, it just takes some time for squid to start
sending all requests to the redirector/the redirector to process them
correctly.

To test I was simply changing the group name in the ntgroups file and
issuing a reconfigure as required.

Below are the rules I tested with and the results:

#
# NTLM Rules
#
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers

========
Results:
========
Filtered - Works
Change to Unfiltered - Works
Change to Filtered - No response from redirector immediately, then only some requests go through
                     Wait 2mins close browser - Force refresh - eventually works.
Change to Unfiltered - Works
Change to Filtered - Works after about 20 seconds
Change to Blocked - Works
Change to Filtered - Not immediately, starts half working, eventually works after about 1 min
======

Why is there this time delay? Why is the change not immediate like when
moving from filtered to unfiltered access?
Is there any way this delay could be reduced?

I'm actually fairly happy with these results as at least now I am aware of
what will happen when a change is made. (it won't start filtering
immediately, but eventually it will)

Jay

-----Original Message-----
From: Jay Turner [mailto:jturner@bsis.com.au]
Sent: Tuesday, 24 June 2003 10:18 AM
To: squid-users@squid-cache.org
Subject: redirector_access usage

Hi All,

I'm having some trouble getting the redirector_access directive to work
correctly for me with SquidGuard.
I'm using Squid2.5STABLE2 with Winbind/NTLM Group authentication
(wb_ntlmauth, wb_group), but I have tried on STABLE3 also with no luck.

I have three global groups on my NT domain - staff, students, block
Staff have unfiltered access
Students are filtered through squidguard
Users from both these groups can be added to the block group to disable
their access for whatever reason

The problem I am having is that when I add a user to the block group, it
blocks as planned, but when I subsequently remove them, the
redirector_access isn't working correctly.

i.e. I add a 'Staff' member to 'block' and they lose access (correct), then
I remove them from 'block' to re-instate access and then I find that the
Staff member now gets passed through to the redirector rather than bypassing
it.
From cache.log:
2003/06/24 10:02:41| redirectStart: 'http://www.traxxas.com/products/index.html'
2003/06/24 10:02:41| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&url=http://www.traxxas.com/products/index.html 10.20.10.122/- domain\jturner GET}

But the redirector doesn't even function correctly as this website
(www.traxxas.com) is not in my whitelist. So most of the page loads and only
some elements are blocked. If I restart Squid then the page is fully
blocked, but forcing a refresh on my browser a couple of times will then
half display the page again.
As soon as I take out redirector_access (making everyone go through
redirector) everything works as expected.

I think the issue is probably with my ACL ordering, even though I have tried
numerous combinations.
I have verified that the user's group ACLs are being properly evaluated via
cache.log, so it's not that.

Below are the pertinent lines from squid.conf

#Helper
external_acl_type NTGroups ttl=10 negative_ttl=10 %LOGIN /usr/lib/squid/wb_group # ttl=10 for rapid testing

#ACLS
acl all src 0.0.0.0/0.0.0.0
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers
redirector_access deny AuthorizedUsers UnfilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
http_access deny all

Any help would be appreciated.

Thanks

Regards
Jay
Received on Mon Jun 23 2003 - 23:06:58 MDT
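
As an added example (not part of the messages above and not Squid code), the Python sketch below models how the rule lists from both messages are evaluated, assuming Squid's access-list semantics: ACL names on one line are ANDed, the first matching line decides, and if no line matches the answer is the opposite of the last line. The function names and the sets of matching ACL names are constructed for illustration.

```python
# Added example: a small model of Squid access-list evaluation (not Squid code).
# Assumed semantics: ACL names on one line are ANDed, the first matching line
# decides, and with no match the answer is the opposite of the last line.

def parse_rules(conf, directive):
    """Return [(action, [acl names])] for one directive, in file order."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == directive:
            rules.append((words[1], words[2:]))
    return rules

def check(rules, matched):
    """Evaluate a non-empty rule list against the ACL names that match."""
    if not rules:
        raise ValueError("no rules for this directive")
    for action, acls in rules:
        if all(name in matched for name in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def decide(conf, matched):
    """Return 'denied', 'redirector' or 'direct' for one request."""
    if check(parse_rules(conf, "http_access"), matched) == "deny":
        return "denied"
    if check(parse_rules(conf, "redirector_access"), matched) == "allow":
        return "redirector"
    return "direct"

# Rule lines copied from the two messages above.
HTTP = """http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
"""
ORIGINAL = HTTP + """http_access deny all
redirector_access allow AuthorizedUsers FilteredUsers
redirector_access deny AuthorizedUsers UnfilteredUsers
"""
REVISED = HTTP + "redirector_access allow AuthorizedUsers FilteredUsers\n"

# Constructed requests: the set of ACL names assumed to match each one.
BASE = {"all", "AuthorizedUsers"}
CASES = {"student": BASE | {"FilteredUsers"}, "staff": BASE | {"UnfilteredUsers"},
         "blocked": BASE | {"UnfilteredUsers", "BlockedUsers"}, "no group": BASE}

if __name__ == "__main__":
    for name, matched in CASES.items():
        print(name, decide(ORIGINAL, matched), decide(REVISED, matched))
```

In this model, a request that matches neither group ACL falls through the original redirector_access list to a default of `allow` (the opposite of the trailing `deny` line), while the revised single-line list defaults to `deny`.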
