Re: [squid-users] auto blacklist users

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sat, 08 Dec 2007 12:49:35 +1300

ian j hart wrote:
> On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
>> So if I get this right, you'd like to log the acl list that passed or
>> failed the user?
>>
>>
>>
>> Adrian
>
> Near enough.
>
> I want to log the aclname (or custom error page name) and the username. I'll
> probably want the url in short order, followed by anything else that proves
> useful.
>
> I want to do this for users who are denied access.
>
> [The more general solution you state above would probably be okay too. I might
> need to add DENY/ACCEPT so I can include that in the regexp.]
>
> <tangent>
> Here's an example of how this might be generally useful. I have three different
> proxy ACLs.
>
> A url_regexp
> A dstdomain list harvested from a popular list site
> A "daily" list gleaned from yesterday's access summary

Problem:
        If a student can get through all day today what's to stop them?
        Is the list going to be accumulative over all time? or just until
        nobody is requesting the particular site?

>
> Which one matched? (This is where the url would be nice)

Which given the current squid code is why I pointed you at deny_info
which runs a script _at the point the request was made_ and will accept
the ACL and URL.

This gives you three benefits:

1) you can reset all student access again at the start of the day
  but block again _immediately_ when they start acting up.
If they learn to obey the rules they will retain their access to okay
sites. If not they are screwed.

2) lets you list the newly banned site on the error page itself to
warn/teach the students which URL will get them in trouble.
(they may not know what's newly on the list yet, and this saves you the
trouble of manually informing people)

3) lets you do almost anything you like when setting the allow/block
state. You control the script entirely.

>
> You can get this info by raising the log level, but not on one line, which
> makes parsing evil. And each file is more verbose too.
>
> [A "full monty" implementation would be a separate match.log file defaulting
> to "none"]
> </tangent>
>
> Here's part of client_side.c
>
> if (answer == ACCESS_ALLOWED) {
> ...
> } else {
> int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ...
> debug(33, 5) ("Access Denied: %s\n", http->uri);
> -> debug(33, 5) ("AclMatchedName = %s\n",
> AclMatchedName ? AclMatchedName : "<null>");
>
> That's half what I need straight away!
>
> The problem is that this is called more than once. e.g.
>

hmm, I'm guessing at your config here but it looks kinda like:

REQ ...youtube.com

> passwd
> blockproxies
(HIT http_access deny passwd blockproxies)
407 error. auth needed for this site.

REQ ... youtube.com (+ username & password)
> blockproxies
(HIT http_access deny passwd blockproxies)
404 error.

That's two separate requests. Normal sequence for basic auth.

>
> First one is the auth, second is the url match, and third is the error page (I
> think).
>
> I can easily _not match_ the passwd ACL, but if I'm counting 'strikes' it
> would be cleaner if blockproxies were logged just the once.
>
> And that's where I came in.
>
> Is there a better place for this, what should be a one liner. The error page
> is only returned once, right? Which is why I thought somewhere near there
> would be about right. Just need a clue from someone who sees the whole
> picture.
>
> If you read this far, well done :)
>
> Thanks
>
Received on Fri Dec 07 2007 - 16:49:43 MST
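
Added example (not part of the original message, and not Squid code): one way to count "strikes" from denial records so that the auth-challenge leg of basic auth and repeated log lines for the same denial are not counted twice, with counts starting fresh each day. The one-line record format, the threshold and all function names are assumptions made for illustration.

```python
from collections import defaultdict

STRIKE_LIMIT = 2          # assumed threshold; the thread does not name one
AUTH_ACLS = {"passwd"}    # ACLs whose denial is only the auth challenge

# Constructed sample records, one per denied request: day user aclname url
# ("-" means no username was sent yet). This record format is hypothetical.
SAMPLE_LOG = """\
2007-12-06 - passwd http://proxy-a.example/
2007-12-06 alice blockproxies http://proxy-a.example/
2007-12-06 alice blockproxies http://proxy-a.example/
2007-12-06 alice blockproxies http://proxy-b.example/
2007-12-06 bob blockproxies http://proxy-a.example/
2007-12-07 - passwd http://proxy-c.example/
2007-12-07 alice blockproxies http://proxy-c.example/
"""

def strikes_by_day(log_text):
    """Return {day: {user: set of (aclname, url)}} for real denials only."""
    strikes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at fields
        day, user, acl, url = parts
        if user == "-" or acl in AUTH_ACLS:
            continue  # first leg of basic auth, not a strike
        strikes[day][user].add((acl, url))  # a set, so repeats count once
    return strikes

def blacklist_for(log_text, day, limit=STRIKE_LIMIT):
    """Users whose distinct denials on `day` reached the limit."""
    per_user = strikes_by_day(log_text).get(day, {})
    return sorted(u for u, hits in per_user.items() if len(hits) >= limit)

if __name__ == "__main__":
    for day in ("2007-12-06", "2007-12-07"):
        print(day, blacklist_for(SAMPLE_LOG, day))
```

Keying the counts by day gives the start-of-day reset described above: alice is listed for 2007-12-06 but starts the next day with a clean count.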
