Re: [squid-users] Problem with ACL -max_user_ip & deny_info

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 02 Jan 2003 19:51:08 +0100

How do you want to differentiate the two groups? By login names or by IP
addresses?

If one group is differentiated by their IP address, should they still be
required to log in?

Regards
Henrik

Abdul-Azeez wrote:
>
> Hi Henrik,
>
> What I really want to do is this:
> I have a group of users called "imsd-users" whom I want to be able to login
> during office hours, so I authenticate them using proxy_auth;
>
> All other users that attempt to login during office hours are disallowed and
> see a custom message which I have defined;
>
> I want to discourage imsd-users from sharing their passwords (or logging in
> from more than one PC) so I use the "max_user_ip -s" ACL; and
>
> I want imsd-users that attempt to login from more than one PC to
> see another custom message which I have defined.
>
> Regards
> Abdul
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "Abdul-Azeez" <azeez@citizensbankng.com>
> Cc: <squid-users@squid-cache.org>
> Sent: Thursday, January 02, 2003 3:00 PM
> Subject: Re: [squid-users] Problem with ACL -max_user_ip & deny_info
>
> > Hmm.. can you please describe in detail what it is you are trying to do.
> > You seem to be using a mix of authentication and IP based acls.
> >
> > Regards
> > Henrik
> >
> >
> > Abdul-Azeez wrote:
> > >
> > > Hi Henrik,
> > >
> > > thanks, I tried your suggestion ie
> > > "http_access deny imsd-users multiple-login-normal"
> > >
> > > But I am now being CONSTANTLY denied access and the following lines are
> > > written to my cache.access file.
> > >
> > > 2002/12/31 17:34:30| The request GET http://www.yahoo.com/ is DENIED, because it matched 'imsd-users'
> > > 2002/12/31 17:34:30| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> > > 2002/12/31 17:34:34| The request GET http://www.yahoo.com/ is DENIED, because it matched 'all-cib-staff'
> > > 2002/12/31 17:34:34| The reply for GET http://www.yahoo.com/ is ALLOWED, because it matched 'all'
> > >
> > > abdul
> > >
> > > ----- Original Message -----
> > >
> > > From: "Henrik Nordstrom" <hno@squid-cache.org>
> > > To: "Abdul-Azeez" <azeez@citizensbankng.com>
> > > Cc: <squid-users@squid-cache.org>
> > > Sent: Tuesday, December 31, 2002 1:57 PM
> > > Subject: Re: [squid-users] Problem with ACL -max_user_ip & deny_info
> > >
> > > > This is because max_user_ip requires the user to log in in order to
> > > > identify the user, so when the user is required to log in the acl that
> > > > denied them access anonymously was "multiple-login-normal".
> > > >
> > > > You should be able to use
> > > >
> > > > http_access deny imsd-users multiple-login-normal
> > > >
> > > > to get around this.
> > > >
> > > > Regards
> > > > Henrik
> > > >
> > > > Abdul-Azeez wrote:
> > > > >
> > > > > Hi all ,
> > > > > I am running squid2.5 STABLE1 and I use proxy_auth to authenticate my
> > > > > users.
> > > > > I also used the "max_user_ip -s" to limit login from more than one computer
> > > > > and this works well. I want users who attempt to break this second rule
> > > > > to see a custom message but it seems to work funnily.
> > > > >
> > > > > The custom message is now displayed both when a user enters a wrong password
> > > > > (or none at all) and when multiple login is attempted from 2 PCs.
> > > > > Part of my ACL are shown below
> > > > > .
> > > > > acl multiple-login-normal max_user_ip -s 1 # max no. of login by user from diff. IP addresses
> > > > > .
> > > > > acl all-cib-staff src 128.1.0.0/16 #all users in the in CIB
> > > > > .
> > > > > acl imsd-users proxy_auth REQUIRED # users in systems dept.
> > > > > .
> > > > > acl working-hours time MTWHF 08:00-17:00 # official bank working hours
> > > > > .
> > > > > .
> > > > > deny_info mult-log-normal multiple-login-normal
> > > > > http_access deny multiple-login-normal
> > > > > http_access allow all-cib-staff !working-hours
> > > > > http_access allow imsd-users
> > > > > http_access deny all-cib-staff
> > > > > .
> > > > >
> > > > > Can someone please tell me what I am doing wrong? Or suggest better
> > > > > ACL lines to implement my plan.
> > > > >
> > > > > Abdul
> > > >
> >
Received on Thu Jan 02 2003 - 12:34:14 MST
