I use squidGuard with the latest stable build of squid. I use squid with
NTLM authentication for users on my domain (using winbind/samba). I also
use the URL Blacklist service to get my blacklists for squidGuard.

In squidGuard here is what I want and for the most part how my config
is. I have the proxy server generate local files of usernames that it
gets from running a script that connects to the domain controllers and
queries a security group for its members. This runs every x amount of
minutes. The result is a file that looks like this:

jdoh
msmith
nroberts
..etc

I have multiple files, each for a certain ACL I want to block on. So
let's say I have 2 files, called "CanUseWebmail" and
"CanUseInstantMessaging". Each file has a list of different users.

In squidGuard I define these as:

source CanUseWebmail {
        userlist                users/CanUseWebmail
}

source CanUseInstantMessaging {
        userlist                users/CanUseInstantMessaging
}


I also define my blacklists such as:

destination instantmessaging {
        log             instantmessaging
        domainlist      instantmessaging/domains
        urllist         instantmessaging/urls
}

destination webmail {
        log             webmail
        domainlist      webmail/domains
        urllist         webmail/urls
}

NOW, the part that I need help with. I create three ACLs that look like
the following:

acl {
    CanUseWebmail {
        pass mail webmail !instantmessaging all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }

    CanUseInstantMessaging {
        pass instantmessaging !mail !webmail all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }

    default {
        pass !instantmessaging !mail !webmail all
        redirect http://localhost/errors/aclerror.php?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }
}

However, if a member of the "CanUseInstantMessaging" group is also part of
the "CanUseWebmail" group, they are being denied access to the
InstantMessaging one because it's triggering the "CanUseWebmail" first.
How can I configure squidGuard to look at each acl (in order?) and/or
allow me to use multiple groups to perform these functions?

Regards,
Nick


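The first-match behaviour described in the message above, modelled as an added example (not part of the original post and not squidGuard's own code). It assumes squidGuard assigns a user to the first source block, in configuration order, whose userlist contains them; the group memberships and the combined source name below are constructed for illustration.

```python
from itertools import combinations

# Constructed memberships, using the usernames from the post's sample file.
GROUPS = {
    "CanUseWebmail": {"jdoh", "msmith"},
    "CanUseInstantMessaging": {"msmith", "nroberts"},
}
# Source order as written in the post's configuration.
ORIGINAL_ORDER = [(name, GROUPS[name])
                  for name in ("CanUseWebmail", "CanUseInstantMessaging")]

def first_match(user, sources):
    """Return the first source (in order) listing the user, else 'default'.
    Assumption: this mirrors how squidGuard selects a source."""
    for name, members in sources:
        if user in members:
            return name
    return "default"

def split_disjoint(groups):
    """Partition users so that each one appears in exactly one userlist.

    Users in several groups go to a combined source (hypothetical name
    'AAndB'), so the order of the source blocks no longer decides access.
    """
    names = sorted(groups)
    partition = []
    for size in range(len(names), 0, -1):
        for combo in combinations(names, size):
            members = set.intersection(*(groups[n] for n in combo))
            for other in names:
                if other not in combo:
                    members -= groups[other]  # belongs to a different combination
            if members:
                partition.append(("And".join(combo), members))
    return partition

def render_sources(partition):
    """Emit squidGuard source blocks in the layout used in the post."""
    return "\n\n".join(
        f"source {name} {{\n        userlist                users/{name}\n}}"
        for name, _ in partition)

if __name__ == "__main__":
    print("before:", first_match("msmith", ORIGINAL_ORDER))
    fixed = split_disjoint(GROUPS)
    print("after: ", first_match("msmith", fixed))
    print(render_sources(fixed))
```

Each combined source still needs its own acl block whose pass line allows both destination groups; the generated userlist files replace the per-group files the polling script writes today.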