Re: [squid-users] how to set up an "allow all" list for specific users

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 13 Oct 2007 18:57:42 +1300

Aidan Gullickson wrote:
> Hello,
>
> I am attempting to set up an acl for our IT staff so that they are not
> subject to any of the other restrictions we have specified in our
> squid.conf file. I am having difficulty getting this running properly.
> I did spend several hours searching the archives and Google and was
> unable to find anything specifically on this topic, however I apologize
> if this has been asked before.
>
> Our proxy server is running FreeBSD 6.2, and we are on squid version
> 2.6. Our squid.conf file is fairly complex and we are using it to block
> content such as streaming audio and video, IM, social networking sites,
> downloading executables, etc. I want to add an additional acl that
> would allow certain users open access, without being subject to any of
> the other blocks we have set up. We are authenticating users against
> our LDAP server via proxy_auth.
>
> What I have in place right now is the following:
>
> # IT staff members allowed unrestricted access
> acl IT_staff proxy_auth user1 user2 user3 user4
>
> This line is near the top of our squid.conf. Much further along, nearly
> at the bottom, I have the following line:
>
> http_access allow IT_staff
>
> I have also experimented with:
>
> http_access allow IT_staff all

Those two lines are identical in meaning to Squid. The second just takes
longer to test.

> Those users in the group IT_staff are able to browse web sites without
> any restrictions, however I'm having a few side effects. One is that I
> get a lot of false positive matches with sites being denied to non
> IT_staff users because they match "IT_staff".

You obviously have a "deny ... IT_Staff" or an "allow ... !IT_Staff" in
the config somewhere.
Using 'IT_Staff' as the last acl on the *_access line will cause its
name to be used in the error page if the entire *_access results in denial.

> Could anyone advise on either how to correct what I have going on now,
> or how to just set up an acl that would allow unrestricted access for a
> group of users, specified by username?

You have located the best way. Just not using it right.

Amos
Received on Fri Oct 12 2007 - 23:57:53 MDT
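
A simplified Python model of the behaviour described in this thread, added here as an illustration and not taken from the thread or from Squid itself: http_access lines are checked in order, the first line whose ACLs all match decides, and on denial the last ACL named on that line is the one reported. The two configurations, the blocked_media and authenticated ACLs and the user "bob" are constructed assumptions, since the original squid.conf is not shown in the thread.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Assumptions: requests are already authenticated; every ACL name except IT_staff
# is a hypothetical stand-in for rules the original post does not show.
IT_USERS = {"user1", "user2", "user3", "user4"}
ACLS = {
    "all": lambda r: True,
    "IT_staff": lambda r: r["user"] in IT_USERS,
    "authenticated": lambda r: r["user"] is not None,
    "blocked_media": lambda r: r["host"].endswith("video.example"),
}

# Constructed config: the exemption is bolted onto the deny line.
EXEMPT_ON_DENY = """
http_access deny blocked_media !IT_staff
http_access allow IT_staff
http_access allow authenticated
http_access deny all
"""
# Constructed config: the exemption comes first, deny lines end in the content ACL.
EXEMPT_FIRST = """
http_access allow IT_staff
http_access deny blocked_media
http_access allow authenticated
http_access deny all
"""

def parse(conf):
    """Return [(action, [acl, ...])] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def matches(name, request):
    """Evaluate one ACL reference; a leading '!' negates it."""
    return ACLS[name.lstrip("!")](request) != name.startswith("!")

def decide(conf, user, host):
    """First line whose ACLs all match wins; report the last ACL named on it."""
    request = {"user": user, "host": host}
    rules = parse(conf)
    for action, names in rules:
        if all(matches(n, request) for n in names):
            return action, names[-1].lstrip("!")
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

For the non-IT user "bob" requesting video.example, the first configuration reports IT_staff as the denying ACL and the second reports blocked_media; user1 is allowed under both.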
