> I thought about this also, but it seemed to me as double work to
> squid/squidGuard, as both will then use the same list of users
> (abt. 15000 here). What do you think, would this affect the
> performance of the proxy?

Correct me if I am wrong, but it sounds like you are already doing
authentication, and no matter what you do with squidGuard you will
still be doing authentication. The information sent from Squid to
squidGuard automatically includes the userid if one is available, even
if squidGuard is not going to use it. I would say that from the Squid
proxy's point of view, the amount of work is unchanged.

squidGuard loads the userlist into memory at startup so the userid
lookup on the fly is very fast.

By setting it up this way you also are prepared if you should ever need
to divide your users into different levels of access. You would simply
define additional source groups and move the appropriate userids into
those groups.

> Is there no way to just say "all not authenticated users" ? Or am I
> trying to do something stupid here? ;)

You might want to read up on squid's redirector_access.

I just re-read your original post.

> ...we have users that can surf as they like...

Does that mean "without any restrictions"? If so, I'm pretty sure you
can accomplish this without squidGuard (strictly within squid acls).

Rick

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 30, 2003 11:23 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Differentiating authenticated and non-authenticated users?
>
>
> Thanks Rick,
>
> I thought about this also, but it seemed to me as double work to
> squid/squidGuard, as both will then use the same list of users
> (abt. 15000 here). What do you think, would this affect the
> performance of the proxy?
>
> Is there no way to just say "all not authenticated users" ? Or am I
> trying to do something stupid here? ;)
>
>
> Regards
> Antti Vahalummukka
>
> ------------
>
> > How can I set up two sets of rules for users that have authenticated
> > and those who have not?
> >
> > In our environment we have users that can surf as they like and
> > users that are limited to small amount of useful sites like banks
> > etc. We call these sites open sites and they are defined for squid
> > to be accessed without authentication. All other sites will ask for
> > authentication.
>
> logdir /usr/local/squidGuard/log
> dbhome /usr/local/squidGuard/db
>
> src authusers {
>     userlist filename
> }
>
> dest porn {
>     domainlist porn/domains
>     urllist porn/urls
>     redirect http://yourserver.com/whatever
>     log blocked.log
> }
>
> dest pornexp {
>     expressionlist porn/expressions
>     redirect http://yourserver.com/whatever
>     log blocked.log
> }
> .
> other source groups
> .
>
> dest opensites {
>     domainlist opensites/domains
>     urllist opensites/urls
> }
>
> acl {
>     authusers {
>         pass opensites !porn !pornexp .... all
>     }
>
>     default {
>         pass opensites none
>         redirect http://yourserver.com/whatever
>         log blocked.log
>     }
> }
>
> ---------------------------------
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Sunday, March 30, 2003 6:56 AM
> > To: [EMAIL PROTECTED]
> > Subject: Differentiating authenticated and non-authenticated users?
> >
> >
> > Hi
> >
> > I spent a day reading documents and FAQ and googling internet but no luck
> > to this question:
> >
> > How can I set up two sets of rules for users that have authenticated and
> > those who have not?
> >
> > In our environment we have users that can surf as they like and users that
> > are limited to small amount of useful sites like banks etc. We call these
> > sites open sites and they are defined for squid to be accessed without
> > authentication. All other sites will ask for authentication.
> >
> > I tried to define it like this as the username shows up as - on those users
> > that have not authenticated:
> >
> > src opensiteusers {
> >     user -
> >     log opensiteusers.log
> > }
> >
> > this causes squidGuard to go in the emergency mode because of a syntax
> > error in the user line.
> >
> >
> > I looked at the sources and patched the sgDiv.c file, parseLine function to
> > convert the "-" to "anon"
> > and got it working:
> >
> > src opensiteusers {
> >     user anon
> >     log opensiteusers.log
> > }
> >
> > , but is there an easier way?
> >
> > Also, it seems that usernames have a size limit, as I tried anonymous
> > instead of anon first, but that also puts sG to emergency mode. Is this
> > true and if it is true what is the limit?
> >
> >
> > Regards
> > Antti Vahalummukka
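
Added example (not part of the thread and not squidGuard's own code): a simplified Python model of how the configuration quoted above sorts requests into `authusers` and `default`. It assumes the Squid redirector line layout `URL ip/fqdn ident method`, uses constructed user and domain lists, and matches domain lists only (no url or expression lists).

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for the list files named in the config.
AUTHUSERS = {"alice", "bob"}                  # src authusers { userlist ... }
DESTS = {
    "opensites": {"bank.example"},            # dest opensites (domainlist)
    "porn": {"adult.example"},                # dest porn (domainlist)
}
ACL = {                                       # pass lists from the acl block
    "authusers": ["opensites", "!porn", "all"],
    "default": ["opensites", "none"],
}
REDIRECT = "http://yourserver.com/whatever"

def parse_request(line):
    """Split a redirector request line (assumed: URL ip/fqdn ident method)."""
    url, client, ident, method = line.split()[:4]
    return url, client.split("/")[0], ident, method

def source_group(ident):
    """An ident of '-' means Squid had no authenticated user for the request."""
    if ident != "-" and ident in AUTHUSERS:
        return "authusers"
    return "default"

def in_dest(host, dest):
    """Match the host or any parent domain against a destination's domains."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in DESTS[dest] for i in range(len(labels)))

def decide(line):
    """Return (group, url_to_serve); an unchanged URL means the request passes."""
    url, _ip, ident, _method = parse_request(line)
    host = urlsplit(url).hostname or ""
    group = source_group(ident)
    for rule in ACL[group]:                   # evaluated left to right
        if rule == "all":
            return group, url
        if rule == "none":
            break
        negated, dest = rule.startswith("!"), rule.lstrip("!")
        if in_dest(host, dest):
            if negated:
                break                         # matched a blocked destination
            return group, url
    return group, REDIRECT
```
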
