[squid-users] ACL block_user List

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Mar 5 09:15:44 UTC 2025


On 04.03.25 21:42, Piana, Josh wrote:
> I apologize to show one issue, but now reference another.  We decided to 
> not use the "block_user" list as it’s a bit dated.  A similar issue is 
> happening now with our "mmedia_users" list.  It just doesn't seem to work 
> the way it's intended.
>
> Users on this list are supposed to be allowed special access to sites we 
> typically block.  Such as YouTube, Reddit, Facebook, etc.  Well as of 
> right now, any changes made to the list don't seem to impact the user 
> having access to those sites or not.
>
>Here's how we have it written:
>
># these override the general blacklists by explicitly allowing things
># exempts users from content blocking in this list
>acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
>
># allow exempted users to the sites in this list
>acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
>
># allow mmedia user to access a mmedia site, via appropriate protocols
>http_access allow mmedia_sites mmedia_users
>
>So if the user is on the "mmedia_users" list, they can access sites that are a part of the "mmedia_sites" list.

And, what is the problem?
I see one possible problem - you aren't blocking anyone here.
In that case you need to append something like:

http_access deny mmedia_sites 

or perhaps:

http_access deny mmedia_sites !mmedia_users
deny_info http://<explanation> mmedia_users



>On 1/03/25 03:54, Piana, Josh wrote:
>> I am attempting to setup an ACL block list based on usernames from a
>> windows AD environment.
>>
>> When I have this added to my squid.conf file, all outbound connections
>> stop working:
>>
>> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
>>
>> http_access deny block_user
>>
>> I have also tried “!block_user”.

>From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
> Was that "NOT MATCHING block_user" condition used with allow or deny action?
>
> What prior or followup http_access lines are processed when that ACL check results in "need login" due to lack of username value?

>> As you can see, I have it set so if a Windows username is on the
>> “block_user” list, Squid will deny internet access to that user.
>> Unfortunately, this doesn’t work in practice. I have a working
>> Kerberos back-end setup, handling authentication. What am I doing
>> wrong with this setup?

> 1) The block_user ACL you have defined is a Regular Expression test against 
> the username, not a check of the exact username.  So you need to be very 
> careful of the specific regex patterns you are using.
>
> (If you want me to check validity, you can post to me directly here, do not 
> post actual value to this public list).
>
> 2) The block_user ACL implicitly requires authentication to have been 
> performed before it can perform its check.  Check your auth_param 
> settings, and prior proxy_auth type ACL that perform the login.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
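
Added example, not part of the original message and not Squid code: because proxy_auth_regex -i is an unanchored, case-insensitive regex test against the login (point 1 in the quoted reply), this Python sketch audits a username list for patterns that match more accounts than intended. The user@REALM login format, the sample names and the list contents are constructed assumptions, and Python's re stands in for Squid's regex engine.

```python
import re

# Constructed sample data (not from the thread): logins in user@REALM form,
# which is an assumption about how the Kerberos helper reports usernames.
SAMPLE_USERS = ["jdoe@EXAMPLE.COM", "jdoe2@EXAMPLE.COM",
                "ajdoe@EXAMPLE.COM", "msmith@EXAMPLE.COM"]
INTENDED = {"jdoe@EXAMPLE.COM", "msmith@EXAMPLE.COM"}
# Constructed contents of a list file such as /etc/squid/mmedia_users.
SAMPLE_LIST = "jdoe\n\n^msmith@EXAMPLE\\.COM$\n"


def load_patterns(text):
    """One regex per non-blank line of the list file."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matched_users(pattern, users):
    """Unanchored, case-insensitive search, as proxy_auth_regex -i does.
    Python's re is a stand-in here for Squid's regex engine (assumption)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [u for u in users if rx.search(u)]


def audit(patterns, users, intended):
    """Map each over-broad pattern to the logins it matches unintentionally."""
    report = {}
    for pattern in patterns:
        extra = [u for u in matched_users(pattern, users) if u not in intended]
        if extra:
            report[pattern] = extra
    return report


def exact_pattern(login):
    """Anchored, escaped regex that matches this one login and nothing else."""
    return "^" + re.escape(login) + "$"


if __name__ == "__main__":
    report = audit(load_patterns(SAMPLE_LIST), SAMPLE_USERS, INTENDED)
    for pattern, extra in report.items():
        print(f"{pattern!r} also matches: {', '.join(extra)}")
    for login in sorted(INTENDED):
        print("exact entry:", exact_pattern(login))
```
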

