Indunil Jayasooriya wrote:
> Hi,
>
> I am now running squid with ncsa_auth.
>
> I have bound ip addresses to usernames. So users now can access
> Internet from their ips.
>
> Now I want to prevent a few users from accessing all sites. Instead,
> I want to allow them to access only a few sites such as
> google.com, cnn.com, bbc.com. I want to limit them in that way.
>
> I have written the rules below. But those users still can access all the
> sites.
>
> external_acl_type ip_user %SRC %LOGIN %DST
> /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN %DST
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access allow ip_users
> http_access allow ncsa_users
>
> my ip.conf file is like this.
> [root@worldnet squid]# cat /etc/squid/ip.conf
> 192.168.101.25 indunil .google.com .bbc.com .cnn.com
> 192.168.101.90 www90
>
> According to the above file, user indunil with IP address
> 192.168.101.25 has access to google.com, bbc.com and cnn.com.
> But the user indunil at IP address 192.168.101.25 still has access to
> all the sites.
>
> I want IP address 192.168.101.25 to be allowed the above URLs.
>
> How can I solve this?
>
From the ip_user_check README:
It works by reading a pair composed by an ip address and an username
on STDIN and matching it against a configuration file.
...
If the program finds a matching username/ip in the configuration file,
it returns `OK', or `ERR' otherwise.
Nothing in there about limiting what sites said username can access, as
it was designed to limit the pairing of authentication and IP
(preventing a specific login from being used from certain computers).
To do what you want...
# Define our network
acl our_networks src 192.168.101/24
# ACL that matches indunil's authentication credentials
# (proxy_auth is the ACL type that matches an authenticated login name)
acl indunil proxy_auth indunil
# ACL that matches indunil's limited IP
acl IP25 src 192.168.101.25
# ACL that limits indunil's surfing destinations
acl indunilSiteList dstdomain .google.com .bbc.com .cnn.com
...
# Allow access to certain sites for indunil on specific IP
# (all three ACLs on one line must match: user AND source IP AND destination)
http_access allow indunil IP25 indunilSiteList
# Deny any other access for indunil from 192.168.101.25
# (must come before the broader allow below, since squid stops at the first match)
http_access deny indunil IP25
...
http_access allow our_networks
http_access deny all
Salt to taste. Creating a script to parse the file you have created
(and allow or deny appropriately) would certainly be possible (and quite
a bit more flexible). I haven't the time at the moment, but it is an
intriguing problem.
Chris
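As an added illustration of the script Chris alludes to (this is not code from the thread or from the ip_user_check helper), here is a small Squid external ACL helper in Python that reads "%SRC %LOGIN %DST" lines on stdin and answers OK or ERR from an ip.conf-style table; the per-line domain list and the rule that a line with no domains allows any destination are assumptions, and the table contents below are constructed to mirror the one in the question.

```python
"""Squid external ACL helper (added example, not the project's own code).
Reads "%SRC %LOGIN %DST" lines on stdin and replies OK/ERR per line from an
ip.conf-style table (assumed format):  <ip> <username> [.domain ...]
A line with no domains allows that ip/user pair to reach any destination."""
import sys

def parse_ipconf(text):
    """Return {(ip, user): [domains]} from ip.conf-style text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # allow comments, skip blanks
        if len(fields) < 2:
            continue
        ip, user, *domains = fields
        table[(ip, user.lower())] = [d.lower() for d in domains]
    return table

def domain_matches(host, pattern):
    """Mimic dstdomain: '.x.com' matches x.com and subdomains, else exact."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def decide(request_line, table):
    """Map one 'SRC LOGIN DST' request to the helper's OK/ERR reply."""
    parts = request_line.split()
    if len(parts) != 3:
        return "ERR"                        # malformed -> fail closed
    src, login, dst = parts
    domains = table.get((src, login.lower()))
    if domains is None:
        return "ERR"                        # unknown ip/user pairing
    if not domains or any(domain_matches(dst, d) for d in domains):
        return "OK"
    return "ERR"                            # pair known, destination not listed

# Constructed sample table mirroring /etc/squid/ip.conf from the question.
SAMPLE_IPCONF = """\
192.168.101.25 indunil .google.com .bbc.com .cnn.com
192.168.101.90 www90
"""

if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONF
    table = parse_ipconf(cfg)
    for line in sys.stdin:                  # one request per line from squid
        sys.stdout.write(decide(line, table) + "\n")
        sys.stdout.flush()                  # squid blocks until it reads the reply
```

Wired in with the same external_acl_type format line as in the question, a `deny !ip_users` rule then blocks indunil's requests to anything outside the listed domains, and a destination given as a bare IP literal is refused as well since it matches no domain pattern.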
Received on Tue Mar 27 2007 - 12:45:18 MDT
This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:02 MDT