Re: [squid-users] ACLs and localhost

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 26 Mar 2008 11:04:58 +1300

paul cooper wrote:
> So is what I want to do actually possible?

If I understand your intentions correctly yes it is:

   http_access deny !Safe_ports
   http_access allow emma weekends
   http_access allow andrew
   http_access deny all

Non-safe port access denied.
Emma only logging in on weekends, not accepted otherwise.
Andrew logging in anytime.
Nobody else allowed.

>
> unixlogin emma logged into VT7
> unixlogin andrew -> VT8
>
> web page request from either -> squid requests login
>
> if its emma & !testing -> access denied
> if its emma & testing -> access allowed
>
> switch to VT8 ( andrews desktop)
> web page request -> squid requests login
> if its andrew -> access allowed
> if its emma && !testing (eg kids messing around) -> access denied
>
> hepworth squid # grep ^auth_param /etc/squid/squid.conf
> auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/htpasswd
> hepworth squid # grep ^acl /etc/squid/squid.conf | grep -v '#'
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl testing time MTWHF 07:30-08:00
> hepworth squid # grep ^http /etc/squid/squid.conf | grep -v '#'
> http_port 3128
> http_access allow emma testing
> http_access allow andrew
> http_access deny all
> hepworth squid #
>
>
> 008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: checking 'http_access allow emma testing'
> 2008/03/25 15:04:03| aclMatchAclList: checking emma
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
> 2008/03/25 15:04:03| aclMatchAclList: checking testing
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl testing time MTWHF
> 07:30-08:00'
> 2008/03/25 15:04:03| aclMatchTime: checking 904 in 450-480, weekbits=3e
> 2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
> 2008/03/25 15:04:03| aclCheck: checking 'http_access allow andrew '
> 2008/03/25 15:04:03| aclMatchAclList: checking andrew
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
> 2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7d38'
>
> But I haven't, AFAIK, logged in as andrew in this browser session (the
> browser cache is flushed when it's closed).
>
> So is this login stored in the cache somewhere?
> Do I need to flush the cache when I change user?
>
>
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| The request GET http://grolma.no-ip.org/favicon.ico
> is ALLOWED, because it matched 'andrew'
> 2008/03/25 15:04:03| aclCheck: checking 'cache deny QUERY'
> 2008/03/25 15:04:03| aclMatchAclList: checking QUERY
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl QUERY urlpath_regex
> cgi-bin \?'
> 2008/03/25 15:04:03| aclMatchRegex: checking '/favicon.ico'
> 2008/03/25 15:04:03| aclMatchRegex: looking for 'cgi-bin'
> 2008/03/25 15:04:03| aclMatchRegex: looking for '\?'
> 2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
> 2008/03/25 15:04:03| aclCheck: NO match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| aclCheckFast: list: 0x8481608
> 2008/03/25 15:04:03| aclMatchAclList: checking all
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: checking 'http_reply_access allow all'
> 2008/03/25 15:04:03| aclMatchAclList: checking all
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| The reply for GET http://grolma.no-ip.org/favicon.ico
> is ALLOWED, because it matched 'all'

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Tue Mar 25 2008 - 16:04:58 MDT
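The debug log above shows emma's request ALLOWED "because it matched 'andrew'": `acl andrew proxy_auth REQUIRED` matches any authenticated user, not only andrew, so the second allow line passes everyone who has logged in. The following is an added example, not code from this thread or from Squid itself, that models Squid's first-match http_access evaluation and runs the posted ACLs beside a version that names each user (`acl emma proxy_auth emma`); `decide`, `POSTED`, `FIXED` and `LOG_TIME` are names of my own.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed model of Squid's http_access evaluation (added example, not Squid code).
# A request is {"src": client IP, "user": authenticated login or None, "when": datetime}.
# Squid day letters -> datetime.weekday(): S=Sunday, M..F, A=Saturday.
WEEKDAY = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

def make_acl(kind, *args):
    """Predicate for one acl line of type src, proxy_auth or time."""
    if kind == "src":
        nets = [ip_network(a, strict=False) for a in args]
        return lambda r: any(ip_address(r["src"]) in n for n in nets)
    if kind == "proxy_auth":
        # REQUIRED matches *any* authenticated user; a name list matches only those users.
        if args == ("REQUIRED",):
            return lambda r: r["user"] is not None
        return lambda r: r["user"] in set(args)
    if kind == "time":
        days, span = args  # e.g. "MTWHF", "07:30-08:00"
        lo, hi = [tuple(map(int, t.split(":"))) for t in span.split("-")]
        allowed = {WEEKDAY[d] for d in days}
        return lambda r: (r["when"].weekday() in allowed
                          and lo <= (r["when"].hour, r["when"].minute) <= hi)
    raise ValueError(kind)

def http_access(rules, acls, req):
    """First-match http_access evaluation; every term on a line must match ('!' negates).
    If no line matches, Squid uses the opposite of the last line's action."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action, " ".join(terms)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(default)"

# The ACLs and rules as posted on the list.
POSTED = {
    "all": make_acl("src", "0.0.0.0/0.0.0.0"),
    "testing": make_acl("time", "MTWHF", "07:30-08:00"),
    "emma": make_acl("proxy_auth", "REQUIRED"),
    "andrew": make_acl("proxy_auth", "REQUIRED"),
}
# Same rules, but each user ACL pinned to its own login name.
FIXED = dict(POSTED, emma=make_acl("proxy_auth", "emma"),
             andrew=make_acl("proxy_auth", "andrew"))
RULES = [("allow", ["emma", "testing"]), ("allow", ["andrew"]), ("deny", ["all"])]
LOG_TIME = datetime(2008, 3, 25, 15, 4, 3)  # timestamp of the posted debug log (a Tuesday)

def decide(acls, user, when=LOG_TIME, src="127.0.0.1"):
    return http_access(RULES, acls, {"src": src, "user": user, "when": when})
```

The model returns a plain deny for an unauthenticated request; real Squid answers a proxy_auth ACL miss with a 407 challenge first, which is the login prompt seen in the thread.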
