[squid-users] whitelists and active directory help

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 17 01:03:14 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 17/01/2015 7:15 a.m., Samuel Anderson wrote:
> Hello All,
> 
> I'm attempting to create a way to grant users access to different
> categories using active directory. Currently what I have works but
> if a website is not listed in any of the whitelists it will allow
> traffic to that website. If I add a (http_access deny all) at the
> end, then nothing works. What I would like is for a user to only
> have access to whitelists that they are a member of. I'll have
> around 50 categories in the end. This is just a small sample.
> 
> Thanks,
> 

You have omitted it but if I assume you are using the usual
external_acl_type definition with %LOGIN, then it actually returns 3
states; a match, non-match and missing-auth result.

The !group construction matches true for both of the latter two
(non-match and missing-auth) results.

So your config below will deny any users access when they are still
un-authenticated in a way that prevents authentication.

> 
> acl NEWS external ldap_group NEWS
> acl SHOPPING external ldap_group SHOPPING
> acl SOCIALNETWORKING external ldap_group SOCIALNETWORKING
> acl RELIGION external ldap_group RELIGION
> acl SPORTNEWS external ldap_group SPORTNEWS
> 
> acl rule1 url_regex -i "/etc/squid3/whitelists/news/domains"
> acl rule2 url_regex -i "/etc/squid3/whitelists/shopping/domains"
> acl rule3 url_regex -i "/etc/squid3/whitelists/socialnetworking/domains"
> acl rule4 url_regex -i "/etc/squid3/whitelists/religion/domains"
> acl rule5 url_regex -i "/etc/squid3/whitelists/sportnews/domains"
> 

If those are truly just domains use the dstdomain ACL type instead of
the dangerous and relatively slow url_regex.


You need to ensure valid auth credentials exist before doing anything
with !group.

  acl authed proxy_auth REQUIRED
  http_access deny !authed

> 
> http_access deny rule1 !NEWS all
> http_access deny rule2 !SHOPPING all
> http_access deny rule3 !SOCIALNETWORKING all
> http_access deny rule4 !RELIGION all
> http_access deny rule5 !SPORTNEWS all

and restrict the allow to some condition where you know exactly what
traffic is actually allowed. localnet is the usual ACL to permit
defined LAN clients.

> http_access allow all
> 


Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUubTRAAoJELJo5wb/XPRj4XQIAL7Ni3HDRjp8RyHoOoilRmRE
XGYHLSBIXCBvdi/J/snbff6XexDYrKDsX2Gy9dwXPGagwyZ52EU3f8OKi32HMZA5
1l7oKBLymulP1zJI8nljPVjZweoNjvHb6JFDTj6pxawZ/Ab9dbFCyZDIImfFqis8
wyxQWT4EzWwQNxV+G0tpTtH3QSrRNk8Q9WmDJ8+lEd9kulLJQWr1NIc1pf6b3Hh2
M5gR9SvmNDfy+RuoRZ/SfVSSdoXpEHWijvm2p3VbgoGjfdwKSmXLflm0aVT5nTPc
TCLp+ZGYEmx0hKdybFR5m5Ql+5MPrjANejpEuVmclXPT8MH6OsKQfvu8bVAGDxE=
=rqy3
-----END PGP SIGNATURE-----
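The following squid.conf fragment is an added example, not configuration from the original thread or from the Squid project, that applies the advice in the reply above: authenticate before any group test, use dstdomain instead of url_regex, restrict access to known LAN clients, and end with a default deny. It restructures the per-category rules as allow lines (one per whitelist/group pair) so that "deny all" works. The helper paths under /usr/lib/squid3/, the LDAP base DN, bind DN, password and host, and the 10.0.0.0/8 LAN range are assumptions; the group names and whitelist file paths are taken from the original post.

```conf
# Added example (not from the original thread): a squid.conf fragment that
# applies the advice above. Helper paths, LDAP base/bind DN, password, host
# and the 10.0.0.0/8 LAN range are assumptions; adapt them to your site.

# --- authentication and group lookup (assumed helper arguments) ----------
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -v 3 \
    -b "dc=example,dc=com" -D "cn=squid,ou=svc,dc=example,dc=com" -w "secret" \
    -f "sAMAccountName=%s" -h dc.example.com
auth_param basic children 10
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

# %LOGIN passes the authenticated user name to the helper. The helper's
# answer gives each "external ldap_group" ACL its three states: match (OK),
# non-match (ERR), or missing-auth when no credentials were sent at all.
external_acl_type ldap_group ttl=300 negative_ttl=60 %LOGIN \
    /usr/lib/squid3/ext_ldap_group_acl -R -v 3 \
    -b "dc=example,dc=com" -D "cn=squid,ou=svc,dc=example,dc=com" -w "secret" \
    -f "(&(sAMAccountName=%v)(memberOf=cn=%g,ou=groups,dc=example,dc=com))" \
    -h dc.example.com

# --- ACL definitions -----------------------------------------------------
acl localnet src 10.0.0.0/8             # assumed LAN range
acl authed   proxy_auth REQUIRED

acl NEWS             external ldap_group NEWS
acl SHOPPING         external ldap_group SHOPPING
acl SOCIALNETWORKING external ldap_group SOCIALNETWORKING
acl RELIGION         external ldap_group RELIGION
acl SPORTNEWS        external ldap_group SPORTNEWS

# dstdomain instead of url_regex: one domain per line in each file; a
# leading dot (".example.com") matches the domain and all its subdomains.
acl news_sites      dstdomain "/etc/squid3/whitelists/news/domains"
acl shopping_sites  dstdomain "/etc/squid3/whitelists/shopping/domains"
acl social_sites    dstdomain "/etc/squid3/whitelists/socialnetworking/domains"
acl religion_sites  dstdomain "/etc/squid3/whitelists/religion/domains"
acl sportnews_sites dstdomain "/etc/squid3/whitelists/sportnews/domains"

# --- access rules; order matters -----------------------------------------
# 1. Only defined LAN clients may use the proxy at all.
http_access deny !localnet

# 2. Force authentication before any group ACL is consulted. A request
#    without credentials fails "authed", Squid answers with a 407 challenge,
#    and the retry carries a user name. Without this line "!NEWS" would
#    match the missing-auth state and deny the user before ever asking.
http_access deny !authed

# 3. One allow line per category. Squid tests the ACLs on a line left to
#    right and stops at the first non-match, so the cheap dstdomain test
#    comes first and the LDAP lookup only runs for URLs in that category.
http_access allow news_sites      NEWS
http_access allow shopping_sites  SHOPPING
http_access allow social_sites    SOCIALNETWORKING
http_access allow religion_sites  RELIGION
http_access allow sportnews_sites SPORTNEWS

# 4. Anything not explicitly allowed above is denied, including sites that
#    appear in no whitelist. In the original config this final deny had no
#    matching allow rules before it, which is why "nothing worked".
http_access deny all
```

After editing, run `squid -k parse` to catch syntax errors before reloading, then confirm from a LAN client that an unauthenticated request gets a 407, an authenticated member of NEWS can reach a domain in the news list, and the same user is refused a domain that is in no list at all.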