Re: [squid-users] "Complex" acl process - Many Ips, many different places, many logins, and many websites ...

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 02 Jun 2009 21:48:29 +1200

Julien P. wrote:
> Hi everyone,
> I'm having some trouble understanding how the acl process is working.
>
> I'm trying to link a mySQL database to my squid in order to allow me
> to setup some specific access rights according to some specific users
> from different places to different websites.
>
> What I did is an acl that will check the domain and the source_ip
> external_acl_type ExternalisBad ttl=20 %SRC %DST /etc/squid3/external_bad
> acl isBad external ExternalisBad
>
> And I also created my own auth_param block
>
> auth_param basic program /etc/squid3/sql_auth
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 1 minute
>

You forgot to mention this bit of the config:
   acl sql_auth proxy_auth REQUIRED

> Now, when someone's trying to access a website, this is what I do
> http_access allow sql_auth isBad
>
> It is working, but the thing is: it doesn't care whether the username
> is linked to the %SRC IP or not... So basically, if you are
> registered with full access rights in another place, you will be able
> to access all the content even if your access is supposed to be
> denied. Does that make sense?

Yes, it makes sense. The ACL rules do not (yet) state the full conditions
though.

The above rule states only that the user can log in and that IP +
destination domain are paired. No specific three-way link.

>
> I added the %IDENT to the external_acl_type rule. Since the sql_auth
> process is called before I was thinking that maybe the %IDENT would be
> stored somewhere somehow and be accessible in the isBad acl right
> away...
>
> external_acl_type ExternalisBad ttl=20 %SRC %IDENT %DST /etc/squid3/external_bad
>
> Apparently this is not working.

Yes, not working. %IDENT is the result of the IDENT protocol lookup.

You are wanting %LOGIN, which is the result of the proxy authentication
(aka login).

>
> Does anyone have any idea on how to do what I want to do?

You have the approach right. Just not the right tag. Make the above
change and it should work just fine.

>
> If you want me to be more specific, let me know!
>
> Thank you so much Guys,
> Julien
>
> PS:
> debian:/squid3 -v
> Squid Cache: Version 3.0.STABLE8

Um, please use STABLE13+ as soon as possible. Major security risks in
earlier releases.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.8 or 3.0.STABLE16-RC1
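An added example of what the corrected helper would look like, written here for illustration; it is not Julien's /etc/squid3/external_bad nor anything shipped with Squid. It assumes the access list is declared as `external_acl_type ExternalisBad ttl=20 %SRC %LOGIN %DST /etc/squid3/external_bad`, so Squid writes one line per request of the form `<src-ip> <login> <dst-domain>` and reads back one line of `OK` or `ERR`. The POLICY table is a constructed in-memory stand-in for the MySQL table, so the three-way (login, source network, destination domain) check can be run and read on its own; the helper fails closed on malformed lines, on an unparsable source address, and on the `-` placeholder Squid substitutes when a format value is empty.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper enforcing a three-way policy:
login + source IP + destination domain must all match one row.

Example code, not the original poster's helper. Assumed Squid config:
  external_acl_type ExternalisBad ttl=20 %SRC %LOGIN %DST /etc/squid3/external_bad
  acl isBad external ExternalisBad
  http_access allow sql_auth isBad
"""
import ipaddress
import sys

# Constructed sample policy standing in for the MySQL table:
# (login, source network) -> set of permitted destination domains.
# A pattern starting with "." also matches every subdomain of it.
POLICY = {
    ("alice", "192.0.2.0/24"): {"example.com", ".example.org"},
    ("alice", "198.51.100.0/24"): {"intranet.example"},
    ("bob", "192.0.2.0/24"): {".example.org"},
}


def domain_allowed(dst, allowed):
    """True if dst equals a pattern, or is under a leading-dot pattern."""
    dst = dst.lower().rstrip(".")
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if dst == pattern[1:] or dst.endswith(pattern):
                return True
        elif dst == pattern:
            return True
    return False


def decide(line, policy=POLICY):
    """Return "OK" or "ERR" for one request line from Squid.

    Every failure path returns "ERR" so that a garbled or unexpected
    request never grants access.
    """
    fields = line.split()
    if len(fields) != 3:
        return "ERR"                      # malformed line: fail closed
    src, login, dst = fields
    if login == "-":
        return "ERR"                      # "-" is Squid's placeholder for an empty %LOGIN
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return "ERR"                      # %SRC is not an IP address
    for (user, network), domains in policy.items():
        if user != login:
            continue
        if src_ip not in ipaddress.ip_network(network):
            continue                      # right user, wrong place
        if domain_allowed(dst, domains):
            return "OK"
    return "ERR"


def main():
    # Squid keeps the helper running and writes one lookup per line;
    # each answer must be flushed at once or Squid waits for it.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The point of the test cases below the helper is the one Amos makes: `alice` from 192.0.2.10 reaches example.com, but the same login from 198.51.100.5 does not, because the row is keyed on all three values rather than on (user) and (IP, domain) separately.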
Received on Tue Jun 02 2009 - 09:48:38 MDT