[squid-users] Re: configuring Squid to authenticate AND to log users' access to forbidden sites.

From: Joost de Heer <sanguis@dont-contact.us>
Date: Mon, 22 Aug 2005 09:16:12 +0200 (CEST)

MARLON BORBA said:
> Squid ubergeeks,
>
> I am configuring a Squid (2.5-STABLE9 on Fedora Core 4) to authenticate
> users against an LDAP directory. Having succeeded in that configuration, my
> next challenge is to implement access control AND logging of users'
> accesses to forbidden sites.
>
> I created two url_regex lists: semacesso.txt for porn and other banned
> sites, and liberado.txt, which contains regexes for sites that, not being
> porn or any other crap, could be blocked because they contain a substring
> appearing to be a porn site (eg esSEX.ac.uk).
>
> I have two problems to solve:
>
> 1) The relevant lines of my squid.conf are below:
>
> [...]
> acl autenticados proxy_auth REQUIRED
> [...]
> acl liberado dstdom_regex "/etc/squid/liberado.txt"
> acl semacesso dstdom_regex "/etc/squid/semacesso.txt"
> [...]
> http_access allow autenticados
>
> http_access allow liberado
> http_access deny semacesso
> [...]
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny all
> [...]
>
> In this configuration it allows an authenticated user to access any site,
> even the forbidden ones. OTOH, if I put the 'liberado' and 'semacesso' lines
> ABOVE the authentication line, the user does not access forbidden sites
> and Squid logs that into Cache.log, but WITHOUT the lame user's login.

Untested:
http_access allow localhost
http_access deny semacesso autenticados
http_access allow autenticados
http_access deny all

- Allow localhost to do anything
- If someone goes to a site in 'semacesso', (s)he'll get a password prompt
and if valid credentials are given, access is denied
- If someone goes to another site, (s)he'll get a password prompt and if
valid credentials are given, access is allowed
- And deny the rest

If someone presses escape after the password prompt when going to a
'semacesso' site, no username is logged of course, but a 407 (proxy
authentication is needed) is logged.

> 2) Is there a better way to permit access to non-pornographic sites (eg
> esSEX.ac.uk) but block pornographic ones (eg SEX.com)?

A content scanning proxy. Unfortunately I don't have any experience with
this (the squids I manage either don't have content scanning, or they talk
to a parent proxy which does scan but which I don't manage).

Joost
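Added example (mine, not code from the thread or from Squid): a small Python model of the http_access evaluation rules Joost's reply relies on, run over the poster's ordering, Joost's proposed ordering, and a third variant that keeps the 'liberado' whitelist in front of the 'semacesso' deny (that variant is my suggestion, not something the thread proposes). The rules are simplified to what the Squid documentation describes: lines are tried top to bottom, the ACLs on a line are ANDed left to right, a proxy_auth ACL reached without credentials ends the evaluation with a 407 challenge, the first fully matching line decides, and if no line matches the result is the opposite of the last line. The regex patterns, hostnames and IP addresses are constructed; the patterns are chosen so that "essex.ac.uk" collides with the banned substring "sex", as in the poster's example.

```python
import re

# Constructed stand-ins for the poster's ACLs.  The regex lists play the role of
# /etc/squid/semacesso.txt and /etc/squid/liberado.txt; the patterns are assumptions.
ACLS = {
    "localhost":    ("src", {"127.0.0.1"}),
    "all":          ("src", {"*"}),
    "autenticados": ("proxy_auth", None),
    "liberado":     ("dstdom_regex", [r"essex\.ac\.uk$"]),
    "semacesso":    ("dstdom_regex", [r"sex"]),
}


def acl_result(name, req):
    """True/False for a match, or "challenge" when a proxy_auth ACL is reached
    by a request that carries no credentials."""
    kind, values = ACLS[name]
    if kind == "src":
        return "*" in values or req["src"] in values
    if kind == "proxy_auth":
        return True if req.get("user") else "challenge"
    if kind == "dstdom_regex":
        # Squid's dstdom_regex is case-sensitive unless -i is given; same here.
        return any(re.search(p, req["host"]) for p in values)
    raise ValueError(kind)


def parse_rules(conf):
    """Turn http_access lines (squid.conf syntax) into (action, [acl, ...]) tuples."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access" or parts[1] not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((parts[1], parts[2:]))
    return rules


def http_access(rules, req):
    """Simplified model of Squid's http_access evaluation (an assumption about the
    documented rules, not Squid's code).  Returns 'allow', 'deny' or '407'."""
    for action, acls in rules:
        matched = True
        for acl in acls:
            negate = acl.startswith("!")
            r = acl_result(acl.lstrip("!"), req)
            if r == "challenge":
                return "407"          # challenge sent, no username available to log
            if negate:
                r = not r
            if not r:
                matched = False       # AND failed: abandon this line, try the next
                break
        if matched:
            return action             # first fully matching line decides
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's ordering (auth line first), Joost's ordering, and a variant (my
# addition) that keeps the 'liberado' whitelist ahead of the 'semacesso' deny.
POSTER = """
http_access allow autenticados
http_access allow liberado
http_access deny semacesso
http_access allow localhost
http_access deny all
"""

JOOST = """
http_access allow localhost
http_access deny semacesso autenticados
http_access allow autenticados
http_access deny all
"""

WITH_WHITELIST = """
http_access allow localhost
http_access allow liberado autenticados
http_access deny semacesso autenticados
http_access allow autenticados
http_access deny all
"""

# Constructed requests: src address, destination host, validated username or None.
REQUESTS = {
    "user -> sex.com":         {"src": "10.0.0.5", "host": "sex.com", "user": "marlon"},
    "user -> essex.ac.uk":     {"src": "10.0.0.5", "host": "essex.ac.uk", "user": "marlon"},
    "no creds -> sex.com":     {"src": "10.0.0.5", "host": "sex.com", "user": None},
    "no creds -> example.org": {"src": "10.0.0.5", "host": "example.org", "user": None},
    "localhost -> sex.com":    {"src": "127.0.0.1", "host": "sex.com", "user": None},
}


def compare(conf_texts, req):
    """Outcome of one request under each named configuration."""
    return {name: http_access(parse_rules(t), req) for name, t in conf_texts.items()}


if __name__ == "__main__":
    configs = {"poster": POSTER, "joost": JOOST, "whitelist": WITH_WHITELIST}
    for label, req in REQUESTS.items():
        print(f"{label:26} {compare(configs, req)}")
```

Running it shows the three points of the thread side by side: under the poster's ordering an authenticated user reaches sex.com because `allow autenticados` matches before the deny line is ever consulted, and even localhost is challenged because the auth line sits above `allow localhost`; under Joost's ordering the semacesso deny is reached only after the user has been authenticated, so the denied request carries a username for the log, while an unauthenticated request gets the 407 he describes. The model also makes the one gap in the untested snippet visible: with no `liberado` line, essex.ac.uk is denied along with sex.com, which the third variant repairs by checking the whitelist first. Whether a real Squid agrees should be checked against the running daemon rather than this model, and remember that the regex ACLs only match case-insensitively if the `-i` flag is given.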
Received on Mon Aug 22 2005 - 01:16:15 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Sep 01 2005 - 12:00:02 MDT