Thanks a lot Amos.... its working fine now... Alhamdulillahhh - -- --- Always try to find truth!!! ------------***---------------***--------------***------------ Its always nice to know that people with no understanding of technologies want to evaluate technical professionals based on their own lack of knowledge ------------***---------------***--------------***------------ --- On Wed, 3/25/09, Amos Jeffries <squ...@treenet.co.nz> wrote: > From: Amos Jeffries <squ...@treenet.co.nz> > Subject: Re: [squid-users] Limitting particular group to specific sites > (not working perfectly) > To: "Truth Seeker" <truth_seeker_3...@yahoo.com> > Cc: "Amos Jeffries" <squ...@treenet.co.nz> > Date: Wednesday, March 25, 2009, 11:03 PM > > > > > > - > > -- > > --- > > Always try to find truth!!! > > > > > ------------***---------------***--------------***------------ > > > > Its always nice to know that people with no > understanding of technologies > > want to evaluate technical professionals based on > their own lack of > > knowledge > > > > > ------------***---------------***--------------***------------ > > > > > > --- On Wed, 3/25/09, Amos Jeffries <squ...@treenet.co.nz> > wrote: > > > >> From: Amos Jeffries <squ...@treenet.co.nz> > >> Subject: Re: [squid-users] Limitting particular > group to specific sites > >> (not working perfectly) > >> To: "Truth Seeker" <truth_seeker_3...@yahoo.com> > >> Cc: "Squid maillist" <squid-users@squid-cache.org> > >> Date: Wednesday, March 25, 2009, 11:16 AM > >> Truth Seeker wrote: > >> > > >> > In my squid.conf, i am trying to grant access > ONLY to > >> a set of predefined sites for a group of users > (those who > >> are member of limitedsurfers). They are not > allowed to > >> access any other thing from the Internet. The > following is > >> the acl which i created > >> > All my other rules are working > perfectly... > >> > > >> > Squid Version: 2.6 Stable > >> > >> Sigh. Thanks a lot for trying, but ... there are > 21 > >> different official "2.6 stable" and quite a lot > of > >> semi-official patched "2.6 stable". All of them > obsolete. > >> > >> Which one do you mean? > > > > squid-2.6.STABLE6-5 > > > >> > >> > OS: CentOS 5.2 > >> > > >> > First from authentication rule; > >> > auth_param basic program > /usr/lib/squid/pam_auth > >> > external_acl_type unix_group %LOGIN > >> /usr/lib/squid/squid_unix_group > >> > acl limited_surfers_acl external unix_group > >> limitedsurfers > >> > > >> > > >> > Then the particular acl; > >> > acl limited_sites dstdomain > >> "/etc/squid/include-files/limited_site.squid" > >> > >> > http_access allow limited_surfers_acl > limited_sites > >> > >> requires password THEN checks where user is > going.... > > > > Every user should authenticate with a valid user/pass, > then based on their > > group membership, they will have separate previleges > or wrights. Example, > > limitedsurfers is only allowed to browser pre-defined > sites, vipbrowser > > can go to all sites, surfers can go to all sites, but > limitation in their > > downloading to 2MB per object, and time based > restriction for news sites, > > sports sites, etc. > > > > > >> > >> > http_access deny limited_surfers_acl > >> > >> requires password and denies on success. !?! > > > > As i mentioned, even after the success password, as he > is a member of > > limitedsurfers, he is only allowed to browse the > dstdomain mentioned in > > the /etc/squid/include-files/limited_sites.squid file > > > > So any other access should be BLOCKED and must issue > the > > ERR_LIMITED_SURFERS pag, which i was trying to do with > the following; > > > > http_access deny limited_surfers_acl > > deny_info ERR_LIMITED_SURFERS limited_surfers_acl > > > > Ah, but since limited_surfers_acl is a login ACL. It sends > back > 'unauthorized please login again' headers to cause the > browser to create a > login popup.... > > > What I think you want is a sequence like this: > > acl limited_surfers_acl external unix_group limitedsurfers > acl limited_sites dstdomain > "/etc/squid/include-files/limited_site.squid" > > > ## If the auth popup disappears completely. > ## then uncomment this following bit: > ## cause people to always login... > # acl login proxy_auth REQUIRED > # http_access deny !login > > > # deny with a custom message if they are going wrong... > deny_info ERR_LIMITED_SURFERS limited_sites > http_access deny limited_surfers_acl !limited_sites > > # allow access to limited_sites if they are okay... > http_access allow limited_sites limited_surfers_acl > > # followup security blankets ... > http_access deny all > > Amos > > > > >> > >> do you have a '!' on the IP address line you says > works > >> perfectly? > > > > The following is the rule which i injected for the IP > based; > > > > ### Violators IP > > acl violators_ip src > "/etc/squid/include-files/violators_ip.squid" > > > > > > ### Only Allowing Certain Sites for VIOLATORS > > acl violators_sites dstdomain > > "/etc/squid/include-files/violators_site.squid" > > http_access allow violators_ip violators_sites > > http_access deny violators_ip > > deny_info ERR_VIOLATORS_IP violators_ip > > > > > > So, my idea is, according to the squid log's which i > am processing through > > webalizer, the users who is trying too much to violate > our policy, like > > using proxy sites, we will put their IP in the > violators_ip.squid file > > which will end up in a tighter surfing rules with the > above mentioned > > rule. > > > > This is working as i wish... but the user based for > limited surfers is not > > working without Giving the username and password for > three times.. for the > > Success request it is working with just 1 time > username and password. > > > > > > According to my understanding what i put for limited > browsers is correct. > > But why it is not working correctly? i dont understand > about it??? > > > >> > >> > >> > deny_info ERR_LIMITED_SURFERS > limited_surfers_acl > >> > > >> > > >> > Now the situation is; > >> > It is perfectly granting access to the sited > listed in > >> the limited_site.squid file > >> > > >> > But when i try to access some other site, it > will ask > >> the username/password for 3 times (even when we > give the > >> correct username/pass) then only it is denying the > request. > >> > > >> > Why it is happening so? > >> > > >> > I have almost the same kind of rule like this > for a > >> particular list of IP's instead of users. That is > working > >> perfect for allowing and denying. > >> > > >> > Can anybody help me in this case... > >> > > >> > Thanks in Advance... > >> > > >> > >> Amos > >> -- Please be using > >> Current Stable Squid 2.7.STABLE6 > or 3.0.STABLE13 > >> Current Beta Squid 3.1.0.6 > > > > > > Things are running on Live environment. Will it be a > issue while switching > > from 2.6 to 2.7 ??? > > > > > > > >> > > > > > > > > > > > > >
