Thread: Squid, locking some users to single IP.


    I have Squid running as a non-transparent proxy on a server running iptables.

    My Squid users comprise the following:
    Normal users, call them Staff.
    Let's say I have a group of 5 people, and call them Managers.

    Of the above, Staff already has internet access via the squid proxy, regardless of what machine they are connecting from. This works as it should.

    I need to add Managers as an additional list of users. Managers may only access the internet when connecting from the computer 10.10.10.109.

    I also now need to block staff from connecting from the PC 10.10.10.109.

    I have tried creating ACLs in Squid for the above, to no avail.

    All my users (Staff and Managers) are defined under ncsa_users. I then have an additional ACL that consists of the usernames of the managers as they appear under ncsa_users. I then use this ACL to create a rule to block/allow them. I'm obviously doing it wrong or else it would be working.

    My squid config file:
    Code:
    ########################################### Squid Settings #############################################################
    coredump_dir /var/spool/squid
    hosts_file /etc/hosts
    http_port 8080
    
    ########################################### Squid Authentication settings #########################################
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Company Server Proxy
    auth_param basic credentialsttl 2 hour
    auth_param basic casesensitive off
    
    ######################################### Access Control Lists #########################################################
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl CONNECT method CONNECT
    acl SSL method CONNECT
    
    ###### Authentication ########
    acl ncsa_users proxy_auth REQUIRED
    
    ###### SSL Ports #############
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    
    ##### Safe Ports #############
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    
    ###### Network ###############
    acl ManagersPC src 10.10.10.109
    acl Managers proxy_auth "/etc/squid/managers.acl"
    
    ###################################### Access Control Rules ##########################################################
    http_access allow ManagersPC Managers
    http_access deny ncsa_users ManagersPC
    http_access allow ncsa_users
    http_access allow SSL_ports
    http_access allow Safe_ports
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny all
    
    cache_mgr root@domain.com
    hierarchy_stoplist trusteer

    How should I go about this?
    Last edited by Demented ZA; October 5th, 2012 at 11:08 AM.
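Added example, not from the original post or any reply in the thread: the http_access section reordered for Squid's first-match evaluation. It reuses the poster's ACL names and assumes /etc/squid/managers.acl lists one username per line as they appear in /etc/squid/passwd; the two cache-manager lines are the stock squid.conf ones and are an addition. In the posted rules a manager connecting from any machine other than 10.10.10.109 is skipped by the first two lines and then let through by http_access allow ncsa_users, which matches every authenticated user; and because that allow sits before deny !Safe_ports and deny CONNECT !SSL_ports, the port checks never apply to an authenticated client.

```conf
# Added example, not the original poster's config. Only the http_access
# section changes; the acl definitions above it stay as posted.
# Assumption: /etc/squid/managers.acl holds one username per line.

# Port sanity checks first, so they apply to everyone, authenticated or not.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager interface (cache_object) only from the proxy host itself.
http_access allow manager localhost
http_access deny manager

# Managers may only use the proxy from 10.10.10.109: deny them from anywhere
# else. The src ACL is listed first so the proxy_auth ACL is last on the line,
# which makes Squid challenge an unauthenticated client (407) instead of
# skipping the line.
http_access deny !ManagersPC Managers

# Staff may not use the proxy from 10.10.10.109: deny anyone on that host
# who is not in managers.acl.
http_access deny ManagersPC !Managers

# Everyone still here (staff elsewhere, managers on their PC) must authenticate.
http_access allow ncsa_users
http_access deny all
```

Check the file with `squid -k parse` before `squid -k reconfigure`, then test both directions: a staff account from 10.10.10.109 and a manager account from any other address should both get a 403, logged as TCP_DENIED/403 in access.log, while the other two combinations get through. One caveat: ManagersPC is a source address, not an identity. Anyone who can put 10.10.10.109 on a NIC, or who sits at that PC with a manager's password, satisfies the rule, so pin the address (static assignment or DHCP reservation) and treat the rule as binding the accounts to a machine, not as a second authentication factor.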
