[squid-users] Just a simple question about ACL

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 6 10:59:46 UTC 2016


On 6/03/2016 2:18 p.m., Verónica Ovando wrote:
> Hi, community.
> 
> I need to understand why these rules are not working.

Unfortunately that is far from simple.


> 
> My squid is working with AD authentication.
> 
> I need to allow the group *AD_informatico* to visit facebook only during
> *maniana_ocio* and *tarde_ocio* and have full access to the web. They
> are not working. *AD_informatico* can visit facebook without problems. I
> tried something like this: *http_access deny !maniana_ocio facebook
> AD_informatico*, it denies the access but the browser shows a pop-up to
> login when someone visits facebook or other site that tries to connect
> to facebook. So, what happens?


 http_access deny ... AD_informatico

Is a line which requires authentication. If that authentication is
missing OR if the group does not match, the denial will request new
credentials (i.e. ones which might pass this rule).

> 
> Here is my squid.conf (a part of it):
> 
> ####################################################
> #*******************HELPERS for Active Directory**************************#
> ####################################################
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --DOMAIN=DOMAIN
> auth_param ntlm children 30
> auth_param ntlm keep_alive off
> 
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Servidor proxy-cache de la DPR
> auth_param basic credentialsttl 2 hours
> 
> #---------------------------ACL Active Directory------------------------#
> external_acl_type Grupos_AD ttl=10 children=10 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl -d
> acl AD_informatico external Grupos_AD informatico
> 
> #--------------------Access schedules ----------------------------------#
> acl maniana_ocio time MTWHF 07:00-07:59
> acl tarde_ocio time MTWHF 13:00-13:59
> 
> #-----------------------List of pages-----------------------------------#
> acl facebook_m url_regex -i "/etc/squid3/ACLs/pagFacebook"
> acl facebook_t url_regex -i "/etc/squid3/ACLs/pagFacebook"
> 
> ####################################################
> #*****************************Rules****************************************#
> ####################################################
> 
> acl auth proxy_auth REQUIRED
> http_access deny !auth
> http_access deny after_hours all
> 
> #-----------------------------Group *informatico*----------------------------#
> http_access allow maniana_ocio facebook_m AD_informatico
> http_access allow tarde_ocio facebook_t AD_informatico
> http_access allow AD_informatico
> 
> http_access deny all
> 
> One more question: when I move a user from a group to another in
> Active Directory, how much time does squid need to know about that change?

With:
 external_acl_type Grupos_AD ... ttl=10 ...

10 seconds.


Amos
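
The behaviour described in the reply above, applied to the posted rules, as an added example that is not part of the original thread or the Squid project's own configuration. It assumes a single `facebook` ACL in place of the poster's `facebook_m`/`facebook_t`, and it uses the Squid convention of ending a deny line with `all`, which the reply itself does not mention.

```conf
# Added example: rule order for "group informatico may reach Facebook only
# during maniana_ocio and tarde_ocio, and has full access otherwise".

acl auth proxy_auth REQUIRED
acl AD_informatico external Grupos_AD informatico
acl maniana_ocio time MTWHF 07:00-07:59
acl tarde_ocio time MTWHF 13:00-13:59
# Assumption: one ACL for the Facebook pattern file (path taken from the post).
acl facebook url_regex -i "/etc/squid3/ACLs/pagFacebook"

# Unauthenticated requests are challenged here, once.
http_access deny !auth

# The posted rules allow Facebook in both windows and then allow the group
# unconditionally, so the third rule permits Facebook at any hour.
#
# Weak form (the one tried in the post): the last ACL on the line is the
# group check, so a match asks the browser for new credentials (login pop-up).
#   http_access deny !maniana_ocio facebook AD_informatico
#
# Corrected form: deny Facebook outside BOTH windows before the general allow.
# ACLs on one line are ANDed, so "!maniana_ocio !tarde_ocio" means
# "in neither window". The URL and time checks come first so the group
# helper is only consulted for Facebook requests outside the windows.
# The trailing "all" makes the last tested ACL a non-authentication one,
# so a match returns a plain denial instead of a credentials prompt.
http_access deny facebook !maniana_ocio !tarde_ocio AD_informatico all

# Everything else for the group, including Facebook inside the windows.
http_access allow AD_informatico

http_access deny all
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` loads the rules.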

