Old 09-07-2005, 06:33 AM   #1
alan.belizario
LQ Newbie
 
Registered: Mar 2005
Location: Philippines
Posts: 13

Rep: Reputation: 0
block specific users in squid


Is there any way of denying specific users in squid from accessing blocked sites? Just like an isa server.

Thanks
 
Old 09-07-2005, 07:17 AM   #2
cardy
Member
 
Registered: Jan 2005
Location: Shropshire, England, UK
Distribution: RedHat, Fedora, CentOS..........
Posts: 121

Rep: Reputation: 19
There are ways to do this using the acl functions of the webcache, for example

Configure the auth_param to set up user authentication.

auth_param basic program /usr/bin/verifyusers
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server

The program /usr/bin/verifyusers needs to verify the username and password and return OK or ERR.
It can be anywhere so long as squid has appropriate rights to run it and perform the authentication.


Assuming you have an acl which contains your blocked sites: in the example below there are 2 types of blocked sites, one by domain and one by regular expression match. The third line creates a rule called allusers that says all users must be authenticated. The last ACL defines a rule called restrictedusers for usernames listed in the file /etc/squid/restrictedusers.


acl blocked dstdomain baddomain.com
acl regexblock url_regex -i "/etc/squid/tcat-config/regexblock-sites"
acl allusers proxy_auth REQUIRED
acl restrictedusers proxy_auth "/etc/squid/restrictedusers"

# Although all of these rules have been created they have not been applied, they are applied in the http_access
# commands.

http_access deny restrictedusers blocked
http_access deny restrictedusers regexblock
http_access allow allusers
http_access deny all


# The first line says deny access to users who are in restricted users and who are accessing a blocked site
# The second the same as the first but for the blocked sites matched by a regular expression
# The third allow all users so long as they pass authentication
# the fourth deny any other requests.

# The http_access rules fall through, so if the user does not match all the entries on the first http_access the system
# falls through to the next and so on.

Hope this is of use
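
The rule evaluation described in the post above, as an added example that is not part of the original post: a small Python model of the four http_access lines (ACLs on one line are ANDed, the first matching line decides). The user `bob`, the `casino` pattern and the sample URLs are constructed stand-ins for the files named in the post, and `user=None` models a request without valid credentials, which Squid itself would answer with an authentication challenge rather than a plain deny.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the files named in the post.
RESTRICTED_USERS = {"bob"}                    # /etc/squid/restrictedusers
REGEX_BLOCK = [re.compile(r"casino", re.I)]   # url_regex -i: case-insensitive

def dstdomain(pattern, host):
    # Squid dstdomain: a leading dot matches the domain and its subdomains;
    # without the dot only the exact host name matches.
    host = host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

ACLS = {
    "blocked":         lambda r: dstdomain("baddomain.com", r["host"]),
    "regexblock":      lambda r: any(p.search(r["url"]) for p in REGEX_BLOCK),
    "allusers":        lambda r: r["user"] is not None,
    "restrictedusers": lambda r: r["user"] in RESTRICTED_USERS,
    "all":             lambda r: True,
}

# Same order as the http_access lines in the post.
HTTP_ACCESS = [
    ("deny",  ["restrictedusers", "blocked"]),
    ("deny",  ["restrictedusers", "regexblock"]),
    ("allow", ["allusers"]),
    ("deny",  ["all"]),
]

def decide(user, url):
    """Return 'allow' or 'deny' for an authenticated user (or None) and a URL."""
    req = {"user": user, "url": url, "host": urlsplit(url).hostname or ""}
    for action, names in HTTP_ACCESS:
        if all(ACLS[name](req) for name in names):   # every ACL on the line must match
            return action
    return "deny"   # not reached here: the final "deny all" always matches

if __name__ == "__main__":
    for user, url in [("bob", "http://baddomain.com/"),
                      ("alice", "http://baddomain.com/"),
                      ("bob", "http://www.baddomain.com/")]:
        print(user, url, decide(user, url))
```

The last sample shows a gap worth checking in a real configuration: written without a leading dot, the dstdomain entry does not cover `www.baddomain.com`, so a restricted user still reaches it.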
 
Old 09-08-2005, 02:27 AM   #3
alan.belizario
LQ Newbie
 
Registered: Mar 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
Is the verifyusers the same as htaccess?
I got the following error: acl priv_auth proxy_auth REQUIRED because no authentication schemes are completed.
Why is this?

thanks for your help
 
Old 09-09-2005, 04:54 AM   #4
cardy
Member
 
Registered: Jan 2005
Location: Shropshire, England, UK
Distribution: RedHat, Fedora, CentOS..........
Posts: 121

Rep: Reputation: 19
The verifyusers is a program that accepts a username and password and verifies it somehow and then outputs either OK or ERR.

You may find a number of programs have been provided with your distribution; have a look in

Code:
/usr/lib/squid

The following are all programs you can use as the authenticator program. 
getpwname_auth
ntlm_auth
smb_auth
squid_ldap_auth
yp_auth
msnt_auth
pam_auth
smb_auth.pl
wb_auth
ncsa_auth
sasl_auth
smb_auth.sh
wb_ntlmauth
The ncsa_auth program is based around the same format as the .htpassword files.

I think the error you are getting is basically saying you MUST have the authenticator program configured and working before you can use proxy_auth.

If you create a .htpasswd file you could then do.

Code:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/my-htpassword-format-file
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
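
What an authenticator program of the kind described in posts #2 and #4 looks like, as an added example that is not part of the original posts: a minimal Python basic-auth helper that reads one "username password" request per line and answers OK or ERR. The user `alice`, her password, the salt and the PBKDF2 storage format are constructed assumptions for the sketch; it is not the ncsa_auth file format.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the user store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store: username -> (salt, hash). A real helper would
# load this from a file readable only by the account Squid runs as.
USERS = {
    "alice": (b"constructed-salt-1", _hash("correct horse", b"constructed-salt-1")),
}

def check_line(line: str, users=USERS) -> str:
    """Return 'OK' or 'ERR' for one request line sent by Squid."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"                      # malformed request: fail closed
    # Squid URL-encodes both fields, so a space inside a password
    # arrives as %20 and cannot split the line.
    user, password = unquote(parts[0]), unquote(parts[1])
    salt, expected = users.get(user, (b"no-such-user", b""))
    candidate = _hash(password, salt)     # hash even for unknown users
    return "OK" if hmac.compare_digest(candidate, expected) else "ERR"

def main() -> None:
    # Squid keeps the helper running and sends many requests over stdin,
    # so each reply must be flushed at once or Squid waits on the helper.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Running the helper by hand and typing a request line is a quick way to confirm it answers before pointing auth_param at it.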
 
Old 09-09-2005, 11:43 PM   #5
alan.belizario
LQ Newbie
 
Registered: Mar 2005
Location: Philippines
Posts: 13

Original Poster
Rep: Reputation: 0
I have a problem: when I configure squid.conf to use ncsa, squid won't start. Why is that?
 
  

