I solved my own problem. The solution pertains partly to a problem in another post of mine found here.
Let's say I have the following users set up under ncsa-auth:
Mark
Phill
Bob
Sarah
Naomi
John
Bill
Melany
Of these users, I need to set up groups, as 3 of the above users are Managers, and the others are staff.
In my squid config, I defined the groups as:
Code:
acl Staff proxy_auth_regex -i Mark Phill Bob Sarah Naomi
acl Managers proxy_auth_regex -i John Bill Melany
In order to lock Managers to a single IP/Machine, I have to tell squid what machine first. Again, an ACL definition:
Code:
acl ManagerPC src 10.10.10.109
This can also seemingly be done by MAC address, although I have yet to try it.
I also had to define the rest of the network, in other words the whole subnet, except 10.10.10.109:
Code:
acl Staff_pcs src "/etc/squid/user_pcs.acl"
The above file contains a linear range of IPs from 10.10.10.1 to 10.10.10.254, one entry per line. I just removed the line with the IP 10.10.10.109. Read below for more information on generating this file.
Now all that was left was to allow staff to use all PCs except the managers PC, and to allow managers to use the managers PC and be denied access on any other PC:
Code:
http_reply_access deny ManagerPC Staff
#http_reply_access deny Staff_pcs Managers #commented. was creating issues.
http_access deny ManagerPC Staff
http_access deny Staff_pcs Managers
# Regular ncsa_users allow rule
http_access allow ncsa_users
...
http_access deny all
And there we have it. Managers are locked down to the managers PC.
As for the generation of the Staff_pcs file:
I needed to list the entire network, and omit 10.10.10.109.
Writing the file in the following didn't work:
Code:
10.10.10.1/24 !10.10.10.109
I haven't tried the below yet.
Code:
10.10.10.1-10.10.10.108
10.10.10.110-10.10.10.254
I needed to define it in a way that I'm sure of, as I had little time and needed to produce results. Hence I wrote a small perl script that generates a range of IPs:
contents of ips.pl
Code:
#!/bin/bash
# Print every host address of 10.10.10.0/24, one per line
for i in {1..254}
do
    echo "10.10.10.$i"
done
and then piped the output to a file that squid could use:
Code:
sudo perl ips.pl >> Staff_pcs
I then opened up the file in nano and deleted the line containing 10.10.10.109, saved it and moved to the squid directory.
I know this is not the most graceful way, but as I said, I was pressed for time, and needed a file that would get the job done.
I'll clean up my solution and try a more efficient approach, but for the time being I documented this here for others to use, since I found nothing of the sort on the internet.
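The following is an added example, not code from the post above or from the Squid project. It models the post's ACL definitions and http_access lines in Python so the first-match, AND-per-line evaluation can be checked against sample (user, source IP) pairs, and it generates the Staff_pcs address list without the manual edit in nano. The user names, the 10.10.10.0/24 subnet and the 10.10.10.109 manager PC come from the post; that `ncsa_users` is the usual `acl ncsa_users proxy_auth REQUIRED` is an assumption. The regex ACLs are modelled as unanchored, case-insensitive searches, which is how `proxy_auth_regex -i` behaves, so a name such as "Bills" is treated as a manager because it contains "Bill".

```python
import ipaddress
import re

# Group membership exactly as the two proxy_auth_regex lines in the post list it
STAFF_PATTERNS = ["Mark", "Phill", "Bob", "Sarah", "Naomi"]
MANAGER_PATTERNS = ["John", "Bill", "Melany"]
MANAGER_PC = ipaddress.ip_address("10.10.10.109")   # acl ManagerPC src
SUBNET = ipaddress.ip_network("10.10.10.0/24")       # the whole network


def staff_pcs_lines(exclude=MANAGER_PC, network=SUBNET):
    """Host addresses of the subnet minus the manager PC, one string per
    line: the content of /etc/squid/user_pcs.acl after the manual edit."""
    return [str(host) for host in network.hosts() if host != exclude]


def write_staff_pcs(path, exclude=MANAGER_PC, network=SUBNET):
    """Write the list in the 'src' ACL file format (one address per line)."""
    lines = staff_pcs_lines(exclude, network)
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


STAFF_PCS = set(staff_pcs_lines())


def regex_acl(patterns):
    """Model of proxy_auth_regex -i: each pattern is a separate regex, OR'd,
    matched anywhere in the login name (unanchored), ignoring case."""
    return lambda user, src: user is not None and any(
        re.search(p, user, re.IGNORECASE) for p in patterns)


# ACL name -> predicate over (user, src); src is an ipaddress object
ACLS = {
    "Staff": regex_acl(STAFF_PATTERNS),
    "Managers": regex_acl(MANAGER_PATTERNS),
    "ManagerPC": lambda user, src: src == MANAGER_PC,
    "Staff_pcs": lambda user, src: str(src) in STAFF_PCS,
    # assumed: acl ncsa_users proxy_auth REQUIRED (any authenticated user)
    "ncsa_users": lambda user, src: user is not None,
    "all": lambda user, src: True,
}

# http_access lines in config order, as in the post
HTTP_ACCESS = [
    ("deny", ["ManagerPC", "Staff"]),
    ("deny", ["Staff_pcs", "Managers"]),
    ("allow", ["ncsa_users"]),
    ("deny", ["all"]),
]


def decide(user, src, rules=HTTP_ACCESS):
    """First-match evaluation: all ACLs on one line must match (AND), and the
    first line that matches decides. An unauthenticated request (user=None)
    just fails the auth ACLs here; real Squid would answer 407 instead."""
    src = ipaddress.ip_address(src)
    for action, names in rules:
        if all(ACLS[name](user, src) for name in names):
            return action
    # Not reached with "deny all" last; Squid's default is the opposite of
    # the last line's action.
    return "deny"


if __name__ == "__main__":
    for user, src in [("John", "10.10.10.109"), ("John", "10.10.10.50"),
                      ("Mark", "10.10.10.109"), ("mark", "10.10.10.50"),
                      ("Bills", "10.10.10.50"), ("Eve", "10.10.10.50")]:
        print(f"{user:6} from {src:14} -> {decide(user, src)}")
```

Two things the model makes visible that the config alone does not: a login that exists in the ncsa password file but matches neither regex (for example "Eve") reaches the `allow ncsa_users` line and is permitted on every PC, so the password file and the two name lists need to be kept in sync; and because the regex patterns are unanchored, a new login such as "Bills" is silently treated as a manager. Using `proxy_auth` with exact names, or anchoring the patterns with `^` and `$`, avoids the second problem.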