Julien P. wrote:
> Hi everyone,
> I'm having some trouble understanding how the acl process works.
>
> I'm trying to link a MySQL database to my squid in order to allow me
> to set up some specific access rights according to some specific users
> from different places to different websites.
>
> What I did is an acl that will check the domain and the source_ip
> external_acl_type ExternalisBad ttl=20 %SRC %DST /etc/squid3/external_bad
> acl isBad external ExternalisBad
>
> And I also created my own auth_param block
>
> auth_param basic program /etc/squid3/sql_auth
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 1 minute
>
You forgot to mention this bit of the config:
acl sql_auth proxy_auth REQUIRED
> Now, when someone's trying to access a website, this is what I do
> http_access allow sql_auth isBad
>
> It is working, but the thing is: it doesn't care whether the username
> is linked to the %SRC IP or not... So basically, if you are
> registered with full access rights in another place, you will be able
> to access all the content even if your access is supposed to be
> denied. Does that make sense?
Yes, it makes sense. The ACL rules do not (yet) state the full conditions
though.
The above rule states only if the user can log in and also if IP +
destination domain are paired. No specific three-way link.
>
> I added the %IDENT to the external_acl_type rule. Since the sql_auth
> process is called before, I was thinking that maybe the %IDENT would be
> stored somewhere somehow and be accessible in the isBad acl right
> away...
>
> external_acl_type ExternalisBad ttl=20 %SRC %IDENT %DST /etc/squid3/external_bad
>
> Apparently this is not working.
Yes, not working. %IDENT is the result of the IDENT protocol lookup.
You are wanting %LOGIN, which is the result of the proxy authentication
(aka login).
>
> Does anyone have any idea on how to do what I want to do?
You have the approach right. Just not the right tag. Make the above
change and it should work just fine.
>
> If you want me to be more specific, let me know!
>
> Thank you so much Guys,
> Julien
>
> PS:
> debian:/squid3 -v
> Squid Cache: Version 3.0.STABLE8
Um, please use STABLE13+ as soon as possible. Major security risks in
earlier releases.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1

Received on Tue Jun 02 2009 - 09:48:38 MDT
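
The three-way check discussed in this thread, as an added example that is not code from either poster or from the Squid project: a helper for the `external_acl_type` line that receives `%SRC %LOGIN %DST` and answers `OK` only when user, source IP and destination are linked by one rule. The rule table is constructed and stands in for the MySQL lookup; URL-escaped input fields and suffix matching on the domain are assumptions.

```python
#!/usr/bin/env python3
"""Sketch of an external ACL helper fed "%SRC %LOGIN %DST", one request per line.

squid.conf side, with %LOGIN in place of %IDENT as the reply suggests:
  external_acl_type ExternalisBad ttl=20 %SRC %LOGIN %DST /etc/squid3/external_bad
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed rules standing in for the MySQL table: (login, source network, domain).
RULES = [
    ("alice", ipaddress.ip_network("192.0.2.0/24"), "example.com"),
    ("bob", ipaddress.ip_network("198.51.100.7/32"), "intranet.example.org"),
]

def domain_matches(dst, rule_domain):
    """Exact host or a subdomain of it; 'example.com.evil.test' must not match."""
    dst = dst.lower().rstrip(".")
    return dst == rule_domain or dst.endswith("." + rule_domain)

def decide(line):
    """Return "OK" only when login, source IP and destination match the same rule."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"  # malformed request: fail closed
    src, login, dst = (unquote(f) for f in fields)  # assumption: URL-escaped fields
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"
    for rule_login, network, rule_domain in RULES:
        if login == rule_login and addr in network and domain_matches(dst, rule_domain):
            return "OK"
    return "ERR"  # no rule ties this user to this place and site

def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits on each answer, so never buffer replies

if __name__ == "__main__":
    main()
```
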