[squid-users] whitelist for HTTPS sites

From: Arturs Korneevs <Arturs.Korneevs@dont-contact.us>
Date: Thu, 11 Mar 2004 18:56:25 +0200

Hello,

I have defined 3 ldap groups:

Internet_no_limit
Internet_limited
Internet_no_access

and I have 2 whitelists - first is for HTTP sites (whitelist.http.txt) and
second is for HTTPS (whitelist.https.txt).

I have problems with second group (Internet_limited).
User can login and see allowed HTTP sites. But he can't see HTTPS sites.
I got: 1079022800.399 0 192.168.132.151 TCP_DENIED/403 4266 CONNECT www.oracle.com:443 test NONE/- text/html
in access.log.

It's my config:

auth_param basic children 30
auth_param basic realm squid ldap auth
auth_param basic credentialsttl 2 hours

auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b dc=int,dc=domain,dc=lv -D "cn=arturs korneevs,ou=Active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -f "(&(samaccountname=%s)(objectclass=user))" server_ip
 
# ldap group's name "Internet_no_limit"
external_acl_type ldap_nolimit %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=hansabanka,dc=int,dc=hbl,dc
=lv -B dc=int,dc=domain,dc=lv -D "cn=arturs korneevs,ou=active,ou=hansabanka,dc=int,dc=hbl,dc=lv" -w secret -F "(&(samaccountname=%s)
(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_fine

# ldap group's name "Internet_limited"
external_acl_type ldap_limited %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=firm,dc=int,dc=domain,dc
=lv -B dc=int,dc=hbl,dc=lv -D "cn=arturs korneevs,ou=active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -F "(&(samaccountname=%s)
(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_ip

# ldap group's name "Internet_no_access"
external_acl_type ldap_noaccess %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=firm,dc=int,dc=domain,d
c=lv -B dc=int,dc=domainl,dc=lv -D "cn=arturs korneevs,ou=active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -F "(&(samaccountname=%s
)(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_ip

cl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl our_networks src 192.168.0.0/16
acl blockedsites url_regex -i "/usr/local/squid/etc/block.txt"
acl do_not_cache url_regex -i "/usr/local/squid/etc/dontcache.txt"

acl acl_nolimit external ldap_nolimit Internet_no_limit
acl acl_limited external ldap_limited Internet_limited
acl acl_noaccess external ldap_noaccess Internet_no_access
acl acl_whitelist_http url_regex -i "/usr/local/squid/etc/whitelist.http.txt"
acl acl_whitelist_https url_regex -i "/usr/local/squid/etc/whitelist.https.txt"
acl acl_protocol_http proto HTTP
acl acl_protocol_https proto HTTPS

http_access deny blockedsites
deny_info ERR_NOT_IN_WHITELIST blockedsites
no_cache deny do_not_cache
http_access deny acl_noaccess
http_access allow our_networks acl_limited acl_whitelist_http acl_protocol_http
http_access allow our_networks acl_limited acl_whitelist_https acl_protocol_https
http_access deny acl_limited
deny_info ERR_NOT_IN_WHITELIST acl_limited
http_access allow our_networks acl_nolimit
http_access deny all

whitelist.https.txt looks like that:
www.oracle.com

whitelist.http.txt looks like that:
www.oracle.com

Where is my mistake?

Many thanks !
Received on Thu Mar 11 2004 - 09:57:58 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST