LinuxQuestions.org


alan.belizario 09-07-2005 06:33 AM

block specific users in squid
 
Is there any way of denying specific users in squid from accessing blocked sites? Just like an ISA server.

Thanks

cardy 09-07-2005 07:17 AM

There are ways to do this using the acl functions of the webcache, for example:

Configure the auth_param to set up user authentication.

Code:

auth_param basic program /usr/bin/verifyusers
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server

The program /usr/bin/verifyusers needs to verify the username and password and return OK or ERR.
It can be anywhere so long as squid has appropriate rights to run it and perform the authentication.


Assuming you have an acl which contains your blocked sites: in the example below there are 2 types of blocked sites, one by domain and one by regular expression match. The third line creates a rule called allusers that says all users must be authenticated. The last ACL defines a rule called restrictedusers for usernames listed in the file /etc/squid/restrictedusers.

Code:

acl blocked dstdomain baddomain.com
acl regexblock url_regex -i "/etc/squid/tcat-config/regexblock-sites"
acl allusers proxy_auth REQUIRED
acl restrictedusers proxy_auth "/etc/squid/restrictedusers"

# Although all of these rules have been created they have not been applied, they are applied in the http_access
# commands.

http_access deny restrictedusers blocked
http_access deny restrictedusers regexblock
http_access allow allusers
http_access deny all


# The first line says deny access to users who are in restricted users and who are accessing a blocked site
# The second the same as the first but for the blocked sites matched by a regular expression
# The third allow all users so long as they pass authentication
# the fourth deny any other requests.

# The http_access rules fall through, so if the user does not match all the entries on the first http_access the system
# falls through to the next and so on.

Hope this is of use

alan.belizario 09-08-2005 02:27 AM

Is the verifyusers the same as htaccess?
I got the following error: acl priv_auth proxy_auth REQUIRED because no authentication schemes are completed.
Why is this?

Thanks for your help

cardy 09-09-2005 04:54 AM

The verifyusers is a program that accepts a username and password and verifies it somehow and then outputs either OK or ERR.

You may find a number of programs have been provided with your distribution; have a look in

Code:

/usr/lib/squid

The following are all programs you can use as the authenticator program.
getpwname_auth
ntlm_auth
smb_auth
squid_ldap_auth
yp_auth
msnt_auth
pam_auth
smb_auth.pl
wb_auth
ncsa_auth
sasl_auth
smb_auth.sh
wb_ntlmauth

The ncsa_auth program is based around the same format as the .htpasswd files.

I think the error you are getting is basically saying you MUST have the authenticator program configured and working before you can use proxy_auth.

If you create a .htpasswd file you could then do.

Code:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/my-htpassword-format-file
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
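
The helper interface described in the post above, as an added example that is not part of the original thread or of Squid itself: for the basic scheme, Squid writes one URL-encoded `username password` line per request to the helper's stdin and expects `OK` or `ERR` back on stdout. The `user:salt_hex:pbkdf2_hex` credentials file, the function names and the iteration count are assumptions made for this example; this is not the htpasswd format that ncsa_auth reads.

```python
#!/usr/bin/env python3
"""Added example: a basic-auth helper for Squid's `auth_param basic program`."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this example


def hash_password(password, salt):
    """Hex PBKDF2-HMAC-SHA256 digest of a password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def load_users(lines):
    """Parse 'user:salt_hex:hash_hex' records (hypothetical format, not htpasswd)."""
    users = {}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            name, salt_hex, digest = line.split(":")
            users[name] = (bytes.fromhex(salt_hex), digest)
    return users


def verify_line(line, users):
    """Answer one 'username password' request line with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"  # malformed request: spaces inside a field arrive as %20
    user, password = unquote(parts[0]), unquote(parts[1])
    # Unknown users still cost one hash, so reply time does not reveal valid names.
    salt, expected = users.get(user, (b"\0" * 16, ""))
    actual = hash_password(password, salt)
    return "OK" if hmac.compare_digest(actual, expected) else "ERR"


def serve(stdin, stdout, users):
    """Reply to every request line; flush each time because Squid waits for it."""
    for line in stdin:
        stdout.write(verify_line(line, users) + "\n")
        stdout.flush()


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        users = load_users(fh)
    serve(sys.stdin, sys.stdout, users)
```

Squid would start it through the `auth_param basic program` line with the script path followed by the credentials file path, and the file should be readable only by the account Squid runs as.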


alan.belizario 09-09-2005 11:43 PM

I have a problem: when I configure squid.conf to use ncsa, squid won't start. Why is that?

