[squid-users] https access only for few users

Simon Dcunha simon at baladia.gov.kw
Thu Nov 9 19:36:11 UTC 2017


Dear Amos,

Million thanks for the immediate reply.

I will check it out and let you know.

So sorry for being so silly.

Regards,

Simon

----- Original Message -----
From: "Amos Jeffries" <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Sent: Thursday, November 9, 2017 1:31:47 PM
Subject: Re: [squid-users] https access only for few users

On 09/11/17 23:03, Simon Dcunha wrote:
> 
> Dear All,
> 
> I have had Squid running with no issues for a long time, and recently I have the task below.
> User access to the internet is based on a physical-machine IP address ACL, so only user IPs listed in the conf file have access to the internet.
> 
> I need to allow access to only one site for some users and deny everything else. It's an HTTPS site.
> The site is https://mof-sc-site.custhelp.com/
> 
> The users whose IPs are listed in the ACL below should access the above site only and nothing else.
> 
> So I have an access list as follows:
> 
> ----------------------------------------------------
> acl onesite src 172.16.52.23 172.16.6.121
> acl allowed_site url_regex "/etc/squid/site"
> http_access allow onesite allowed_site
> http_access deny onesite
> ------------------------------------------------------
> 
> in /etc/squid/site i have
> ------------------
> .mof*
> 
> Now when I try to access the above site it says the page cannot be displayed, and in the Squid access.log I see the below:
> --------------
> 1510224319.009      0 172.16.6.121 TCP_DENIED/403 4201 CONNECT mof-sc-site.custhelp.com:443 - HIER_NONE/- text/html
> 
> 
> But if I try to access http://www.mof.gov.kw, the home page is displayed and works fine.
> 
> I appreciate your advice and help.
> 

You are a) using the wrong tool [regex] for the job of matching a single 
*domain*, and b) using regex VERY VERY badly.

Your regex says any URL in existence that contains _any_ single 
character followed by 'm' then 'o' is a match for the ACL - thus is 
allowed to the "onesite" client(s). The 'f' being optional (the *) and 
at the end of the pattern means it does not matter at all for the 
matching and may as well not exist.



What you should be doing is using an ACL type that matches domain names 
and telling it the domain that you want to match:

   acl allowed_site dstdomain mof-sc-site.custhelp.com

The rest of your config snippet was correct for what you want to do.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

-- 
---------
Network Administrator
Kuwait Municipality!!!

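To make the behaviour behind this thread concrete, here is a small model of how Squid evaluates `src`, `url_regex` and `dstdomain` ACLs, added as an example; it is not code from the thread or from the Squid project. It takes the posted regex configuration and the `dstdomain` replacement Amos suggested and runs both against constructed requests: the CONNECT tunnel from the access.log line, the working plain-HTTP request to www.mof.gov.kw, and an unrelated URL of my own (`www.example.com/demo/`, an assumption). The two points it shows are that `url_regex` is an unanchored search over the request URL, which for a CONNECT request is only `host:port`, and that the pattern `.mof*` therefore fails on `mof-sc-site.custhelp.com:443` (the `m` is the first character, so nothing precedes it for the leading `.` to consume) while matching almost any URL that contains `mo` somewhere after its first character.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Added example: an emulation of Squid ACL evaluation for src, url_regex and
# dstdomain.  This is illustrative code, not Squid's own implementation.

@dataclass
class Request:
    src: str        # client IP as seen by Squid
    method: str
    host: str
    port: int
    path: str = "/"

    def url(self) -> str:
        # Squid matches url_regex against the request URL.  For a CONNECT
        # tunnel the only thing it sees is "host:port", not an https:// URL.
        if self.method == "CONNECT":
            return f"{self.host}:{self.port}"
        scheme = "https" if self.port == 443 else "http"
        return f"{scheme}://{self.host}{self.path}"

Acl = Callable[[Request], bool]

def acl_src(addrs: Iterable[str]) -> Acl:
    allowed = set(addrs)
    return lambda r: r.src in allowed

def acl_url_regex(patterns: Iterable[str]) -> Acl:
    # url_regex is an unanchored, case-sensitive search over the whole URL.
    compiled = [re.compile(p) for p in patterns]
    return lambda r: any(c.search(r.url()) for c in compiled)

def acl_dstdomain(domains: Iterable[str]) -> Acl:
    # dstdomain compares the destination hostname (case-insensitive):
    # "example.com" matches only that host, ".example.com" matches the
    # domain itself and every subdomain.
    wanted = [d.lower() for d in domains]
    def match(r: Request) -> bool:
        host = r.host.lower()
        for d in wanted:
            if d.startswith("."):
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return match

Rule = Tuple[str, List[Acl]]

def http_access(rules: List[Rule], req: Request) -> str:
    # Each http_access line ANDs its ACLs; the first line whose ACLs all
    # match decides.  If no line matches, Squid applies the opposite of the
    # last line's action.
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

onesite = acl_src(["172.16.52.23", "172.16.6.121"])

# The posted configuration: /etc/squid/site holds the single pattern ".mof*"
broken_rules: List[Rule] = [
    ("allow", [onesite, acl_url_regex([r".mof*"])]),
    ("deny",  [onesite]),
]

# The corrected configuration: match the destination domain instead
fixed_rules: List[Rule] = [
    ("allow", [onesite, acl_dstdomain(["mof-sc-site.custhelp.com"])]),
    ("deny",  [onesite]),
]

# Constructed requests: the CONNECT from the thread's access.log line, the
# working http://www.mof.gov.kw request, and an unrelated URL (assumed).
connect_req = Request("172.16.6.121", "CONNECT", "mof-sc-site.custhelp.com", 443)
http_req    = Request("172.16.6.121", "GET", "www.mof.gov.kw", 80, "/")
demo_req    = Request("172.16.6.121", "GET", "www.example.com", 80, "/demo/")

def decide(rules: List[Rule], req: Request) -> str:
    return http_access(rules, req)

if __name__ == "__main__":
    for name, rules in (("url_regex .mof*", broken_rules), ("dstdomain", fixed_rules)):
        for req in (connect_req, http_req, demo_req):
            print(f"{name:16} {req.method:7} {req.url():45} -> {decide(rules, req)}")
```

Running it prints the regex configuration denying the CONNECT while allowing both the www.mof.gov.kw page and the unrelated `/demo/` URL, and the `dstdomain` configuration allowing only the CONNECT to mof-sc-site.custhelp.com. If a regex really is required, it has to be anchored and escaped and written for the `host:port` form the tunnel presents (for example `^mof-sc-site\.custhelp\.com:443$`), which is exactly the work `dstdomain` does for you; a bare `.mof*` is effectively an allow-almost-everything rule for the clients it applies to.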
