Hi,
I'm having some fun trying to understand how to use the ACL's to
restict access to the net, using squid-2.6.STABLE4.
Currently on our production Squid 2.5 box we allow some unresticted
access to the net based on a static IP address of the users PC. E.g:
acl PC001 src 192.168.1.33
acl allow src PC001
All other users are restricted to sites that are not referenced in a
banned site lising
E.g: acl blockedsites url_regex "/etc/squid/bannedurls"
I now have a test box with squid 2.6 up and running, which is properly
talking to AD and I have NTLM working perfectly so that squid 2.6 acts
as a transparent proxy. I would like to be able to setup 3 groups
(InternetAllowed, InternetRestricted and InternetDenied) that are
setup on my AD network and would have access as follows;
- InternetAllowed members have unrestricted access to websites.
- InternetRestricted members have sites provided that they are not
referenced in my bannedurl file
- InternetDenied members don't get any web use
I've tried a simple test (the squid config is below) to get squid to
only allow access to the web, if the user was a member of the
"InternetAllowed" group, but it's not picking up. Whether the user was
in the InternetAllowed group or not they could still access the web.
Currently I have the following acl:
acl InternetAllowed proxy_auth REQUIRED
http_access allow InternetAllowed
http_access deny all
But this doesn't seem to do the job, I also tried "http_access deny
!InternetAllowed" instead of the "http_access allow InternetAllowed"
entry but this didn't work either.
Is the problem down to the "acl InternetAllowed proxy_auth REQUIRED"
line? Should I have something in the syntax to reference the external
grouping on the AD controllers?
If I run "wbinfo -g |grep -i internet" I get the following back
InternetAllowed
InternetRestricted
InternetDenied
Any assistance you can provide would be most appreciated. I am hoping
to create a document with all the steps I used, I would be willing to
post this if it is of assistance to others.
PD
===squid.conf=====
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl InternetAllowed proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow InternetAllowed
http_access deny all
Received on Wed Nov 01 2006 - 10:20:27 MST
This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST