Re: [squid-users] Exceptions to blocks

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 08 Nov 2007 01:53:34 +1300

Paul Cocker wrote:
> As those of you watching this list will be aware, I am currently setting
> up a whole load of exciting website blocks. Since blocking facebook I
> doubt I have more than a couple of days left to live.

Well, it's been nice seeing you.

> What I'm looking for is an easy way to create exceptions. Our Sales and
> Marketing departments need to bypass the shopping site block, because
> going to such sites is part of their job. I can do this in the following
> ways:
>
> 1. Set up an acl linking to the AD group for sales and one for
> marketing, then set up a whitelist acl which links to the shopping
> blacklist, I then add an http_access allow line above the blocks calling
> this whitelist if you're authenticated AND in sales, and then another
> such line for marketing.

tricksey, very tricksey.

> 2. Set up an AD group called shoppingexceptions and add sales and
> marketing users to it. I create an acl which looks at this group and
> then modify the shopping line to http_access deny !shoppingexceptions
> shopping.
>
> I am currently using method 2, but the squidNT's AD group checker cannot
> handle groups within groups, so I can't have an exception group
> containing the sales and marketing groups, I have to export those groups
> and put the users into the exceptions group.
>
> So, my question is, can I:
>
> a) List multiple exceptions to a rule on a single line e.g. http_access
> deny !sales !marketing shopping

Yes. The above translates directly to a boolean:
   !S && !M && shop

> b) Handle it in another, more elegant way?

Maybe. The limit is in the auth helper, not squid itself, so a better
auth helper would solve it.

> Obviously the idea is that no administrative effort is required on our
> part, someone joins sales and they automatically get the relevant
> exceptions.
>

Amos
Received on Wed Nov 07 2007 - 05:53:44 MST
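
The boolean given in the reply for the single-line form, worked through as an added example (not part of the original thread and not Squid's own code). It models http_access as "ACLs on one line are ANDed, first matching line wins" and goes one step beyond the thread by contrasting the single line with the same exceptions split over two lines. The domain shop.example, the sample requests and the treatment of group ACLs as a plain membership set (instead of an auth helper lookup) are assumptions.

```python
# Minimal model of Squid http_access evaluation (added illustration).
# ACL names follow the thread; domains and requests are constructed.

SHOPPING_DOMAINS = {"shop.example"}  # constructed stand-in for the blacklist


def acl_matches(name, request):
    """Evaluate one named ACL against a request dict."""
    if name == "all":
        return True
    if name == "shopping":
        return request["host"] in SHOPPING_DOMAINS
    # Any other name is treated as a group-membership ACL (assumption).
    return name in request["groups"]


def evaluate(rules, request):
    """Return 'allow' or 'deny' from the first rule whose ACLs all match."""
    for line in rules:
        directive, action, *acls = line.split()
        assert directive == "http_access"
        # ACLs on one line are ANDed; a leading '!' negates that ACL.
        if all(acl_matches(a.lstrip("!"), request) != a.startswith("!")
               for a in acls):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1].split()[1] == "allow" else "allow"


def req(host, *groups):
    """Build a constructed sample request."""
    return {"host": host, "groups": set(groups)}


# The form from the thread: !S && !M && shop
SINGLE_LINE = [
    "http_access deny !sales !marketing shopping",
    "http_access allow all",
]

# Same exceptions on separate lines: each line is tried on its own, so a
# user must be in BOTH groups to avoid every deny.
SPLIT_LINES = [
    "http_access deny !sales shopping",
    "http_access deny !marketing shopping",
    "http_access allow all",
]
```

With SINGLE_LINE a member of either group reaches the shopping site; with SPLIT_LINES a sales-only user is denied by the second line.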
