RE: [squid-users] Restricting certain users to certain urls from Chris Robertson on 2005-09-14 (squid-users)

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 14 Sep 2005 10:10:18 -0800

> -----Original Message-----
> From: Yong Bong Fong [mailto:bfyong@shinyang.com.my]
> Sent: Tuesday, September 13, 2005 5:02 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Restricting certain users to certain urls
>
>
> Hi Christoph,
>
> I got problem again. Squidguard acl was problematic it
> didn't work
> quite well. Now I am trying on Squid acl to restrict certain users to
> certain urls. I also have ldap authentication for my squid. Following
> are my acls:
>
> acl abc ident andy
> acl blocksites dstdomain .google.com
>
> http_access deny abc blocksites
> http_access allow ldap_group-www

Change these lines to...

acl abc proxy_auth andy
acl allowsites dstdomain .google.com

http_access allow abc allowsites # Allow andy to surf google
http_access deny abc # Prevent andy from surfing elsewhere
http_access allow ldap_group-www # Allow ldap_group-www to surf

>
> What I am trying to achieve is to only allow Andy (who is
> grouped in abc
> above) to access google.com only. Other sites are blocked for him. I
> tried it but it didn't work quite well, it does block
> google.com but not
> just for andy, it blocks all other users too.
> Apparently the problem must be something to do with the "acl
> abc ident
> andy". When I retsarted squid the first time after changing the
> configuration, its fine. But second time the following
> message came out:
>
> # service squid restart
> Stopping squid: 2005/09/14 08:48:49| squid.conf line 1791:
> acl abc ident
> bfyong
> 2005/09/14 08:48:49| aclParseAclLine: Invalid ACL type 'ident'
> 2005/09/14 08:48:49| squid.conf line 1821: http_access allow
> abc blocksites
> 2005/09/14 08:48:49| aclParseAccessLine: ACL name 'abc' not found.
>
> Any idea what is wrong? seems like it is not checking the username
> thingi to do the acl.....
> please help me to identify my problem..thanks a lot for
> taking time helping.
> thanks a lot...
>
>

You are not using ident to gather usernames (instead it looks like you are using a basic authenticator) so you need to use proxy_auth acls.

Chris
Received on Wed Sep 14 2005 - 12:10:21 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:03 MDT