Michael Gens wrote:

> There is no "emergency mode" entry in the log file.
> 
> ... user names that you are expecting: yes
> 
> ... requestor's ip as you are expecting: yes
> 
> ... as a transparent proxy: no

Good, we can check those off the list.

> If a (new) URL site has to be opened PAM always asks for the user name
> (so often?).

There is a parameter in squid.conf that specifies how long squid 
should cache the approved username/password combination:

#  TAG: authenticate_ttl
#       The time a checked username/password combination remains cached.
#       If a wrong password is given for a cached user, the user gets
#       removed from the username/password cache forcing a revalidation.
#
#Default:
# authenticate_ttl 1 hour

 
> I varied the contents of /etc/squidguard.conf
> 
> from everything is allowed for everybody to nothing is allowed.
> 
> But only "everything is allowed" worked. 
> 
> I thought I made all right after reading "squid - guard configuration"
> by P. Baltzersen:
> 
> 
> Now I am completely confused. I am surprised that it is so difficult
> to configure.
> 
> I attached some files to show what I configured and how squidguard
> logged it. (With comment lines of mine).

One correction - You didn't send me any files that contain squidGuard
log entries. The entries in access.log are written by Squid.

[Comment about squidguard.conf.block2]
Your dbhome statement does not point to dbhome. Based on your 
destination definitions your dbhome would be '/var/squidGuard'. With 
the correct dbhome statement you could define your destination files
relative to dbhome:
domainlist      blacklists/porn/domains
domainlist      blacklists.de/porn/domains
This is not causing a problem for you today, but it could create 
problems in the future.

[Concerning access.log file and your comments]

> with file squidguard.conf.block2 as user n3:
> ... 56 <my IP> TCP_DENIED/407 1362 GET http://www.intel.de/ - NONE/- -

The 'TCP_DENIED' indicates that squid has denied the transaction (as
opposed to it being denied by a helper program or by the requested
site). The 407 indicates '407 Proxy Authentication Required'.

> with file squidguard.conf.blockAll as user n3:
> ... 10 <my IP> TCP_DENIED/407 1368 GET http://squidguard.org/ - NONE/- -

This transaction is also being blocked by squid for '407 Proxy
Authentication Required'.

Both of these were denied by Squid ACL; squidGuard never even had an
opportunity to comment on the matter.

It should be easy to identify when you have been denied by squidGuard,
as you will have been redirected as specified in your configuration
file.

I'd recommend you verify your acls for authorization in squid.conf.

Rick Matthews



> 
> Hope it is not too much.
> 
> Thank you in advance again.


> -----Original Message-----
> From: gens [mailto:gens]On Behalf Of Michael Gens
> Sent: Monday, November 18, 2002 2:05 AM
> To: Rick Matthews
> Cc: [EMAIL PROTECTED]
> Subject: Re: userlist does not work?
> 
> 
> Rick Matthews wrote:
> > 
> > If something is seriously wrong, squidGuard will go into emergency
> > mode and pass all. What entries are being logged to squidGuard.log?
> > 
> > Your problem may be solved with the answer to that first question,
> > but I'll include a few more thoughts just in case it isn't.
> > 
> > I realize that the information that you posted from your config file
> > is not complete, but I don't want to make assumptions. You don't show
> > any redirects, for example, and it's important that you have a
> > redirect with each acl statement that ends with 'none' (at a minimum).
> > I don't know if your time constraints are set up properly. It would
> > help if you'd post a more complete version of your config file.
> > 
> > Does squid's access.log show the user names that you are expecting?
> > 
> > Does squid's access.log show the requestor's ip as you are expecting?
> > 
> > Is squid set up as a transparent proxy?
> > 
> > I don't know if any of your users are listed in multiple userlists,
> > but remember that they will always be included in the first source
> > group that they match.
> > 
> > I don't know if the ip/8 groups are different for grownups and kids,
> > but if so, grownups at kids ips will process by the default acl. The
> > same is true for kids at grownup ips.
> > 
> > That should be enough to get you started. ;)
> > 
> > Rick Matthews
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Gens
> > > Sent: Friday, November 15, 2002 1:44 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: userlist does not work?
> > >
> > >
> > > Hello!
> > >
> > > I use squid and squidguard from SuSE 8.1 in combination
> > > with PAM authentication.
> > >
> > > Works fine, so far. With one exception:
> > >
> > > In /etc/squidguard.conf I defined the using of userlist:
> > >
> > > ...
> > >
> > > src adults {
> > >     userlist /var/squidGuard/access/adult
> > > }
> > >
> > > src grownups {
> > >     ip     <private IP>/8
> > >                           # AND
> > >     userlist   /var/squidGuard/access/grownup     # ident grownups
> > > }
> > >
> > > src kids {
> > >     ip     <private IP>/8
> > >     userlist   /var/squidGuard/access/kid       # ident kids
> > > }
> > >
> > > ...
> > >
> > > acl {
> > >     adults {
> > >         pass all
> > >     }
> > >     grownups within work-time-g {
> > >         pass !blacklists all
> > >     } else {
> > >         pass none
> > >     }
> > >
> > >     kids within work-time-k {
> > >         pass !blacklists all
> > >     } else {
> > >         pass none
> > >     }
> > >
> > >     default {
> > >         pass none
> > >     }
> > > }
> > >
> > >
> > > In /var/squidGuard/access/<file>
> > >
> > > the (squid / squidguard - PC known) usernames are listed like this:
> > >
> > > frank
> > > jim
> > >
> > >
> > >
> > > In spite of correct authentication it does not work!
> > >
> > > If a user of userlist e.g. grownup is accessing a blacklisted URL
> > > like www.sex.com the site is shown.
> > >
> > > Did I misunderstand something? What is wrong??
> > >
> > > Can anybody help??
> > >
> > > Thank you for your help in advance!!
> > >
> > >
> > >
> > > --
> > > Rgds.
> > >
> > >
> > >
> > >             _ #          Michael                        # _
> > >
> 
> Hi Rick:
> 
> There is no "emergency mode" entry in the log file.
> 
> ... user names that you are expecting: yes
> 
> ... requestor's ip as you are expecting: yes
> 
> ... as a transparent proxy: no
> 
> If a (new) URL site has to be opened PAM always asks for the user name
> (so often?).
> 
> I varied the contents of /etc/squidguard.conf
> 
> from everything is allowed for everybody to nothing is allowed.
> 
> But only "everything is allowed" worked. 
> 
> I thought I made all right after reading "squid - guard configuration"
> by P. Baltzersen:
> 
> 
> Now I am completely confused. I am surprised that it is so difficult
> to configure.
> 
> I attached some files to show what I configured and how squidguard
> logged it. (With comment lines of mine).
> 
> Hope it is not too much.
> 
> Thank you in advance again.
> 
> -- 
> Rgds.
> 
> 
>               
>             _ #          Michael                        # _
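
Added example (not part of the original messages, and not Squid or squidGuard code): a small parser for native-format access.log lines like the two quoted in the reply. It separates requests that Squid itself stopped (TCP_DENIED) from requests logged with a username, and lists 407 challenges that were never followed by an authenticated request. The sample log lines, addresses and the names parse, classify and unanswered_challenges are constructed for illustration.

```python
import re

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1037606700.101 56 192.0.2.10 TCP_DENIED/407 1362 GET http://www.intel.de/ - NONE/- -
1037606702.417 310 192.0.2.10 TCP_MISS/200 8421 GET http://www.intel.de/ n3 DIRECT/192.0.2.80 text/html
1037606750.009 10 192.0.2.11 TCP_DENIED/407 1368 GET http://squidguard.org/ - NONE/- -
1037606760.500 4 192.0.2.12 TCP_DENIED/403 1100 GET http://example.test/ n4 NONE/- -
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(entry):
    """Say who handled the request, judged only from the result code and user field."""
    if entry["code"] == "TCP_DENIED":
        # Denied by Squid itself; 407 is the proxy authentication challenge.
        return "squid-auth-challenge" if entry["status"] == "407" else "squid-denied"
    # Not denied by Squid. A userlist source can only match if a username is present.
    return "passed-no-user" if entry["user"] == "-" else "passed-as-user"

def unanswered_challenges(entries):
    """(client, url) pairs that got a 407 and no later request carrying a username."""
    pending = []
    for e in entries:
        key = (e["client"], e["url"])
        if classify(e) == "squid-auth-challenge":
            if key not in pending:
                pending.append(key)
        elif e["user"] != "-" and key in pending:
            pending.remove(key)
    return pending

if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    for e in log:
        print(e["client"], e["url"], e["user"], classify(e))
    print("unanswered 407:", unanswered_challenges(log))
```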
