Re: [squid-users] Re: squid time acls + auth acls

From: Alberto Sierra <[email protected]>
Date: Fri, 3 Dec 2004 10:12:16 -0600

On Thu, 02 Dec 2004 21:41:33 -0500, Adam Aube <aaube01@baker.edu> wrote:
> Alberto Sierra wrote:
>
>
>
> > i want to achieve the following goals:
> >
> > VIP clients (10.1.1.40-10.1.1.50) always internet
> > supervisors (using username/password)
> > rest of the people: time acl-dependent
>
> > my current setup is this:
>
> > acl safe_list dstdomain "/etc/squid/safe_list"
> > acl ViP src 10.1.1.40-10.1.1.50/32
> > acl work time MTWHF 15:00-19:50
> > acl sat time A 00:00-23:59
> > acl time1 time S 09:00-10:10
> > acl time2 time S 11:15-11:45
> > acl time3 time S 12:30-13:20
> > acl time4 time S 14:45-15:15
> > acl all src 0.0.0.0/0.0.0.0
> > acl localhost src 127.0.0.1/255.255.255.255
> >
> > http_access allow ViP
> > http_access allow safe_list
> > # deny access to dansguardian by time:
> > http_access deny localhost time1
> > http_access deny localhost time2
> > http_access deny localhost time3
> > http_access deny localhost time4
>
> > now, i have first to uncomment the line
> >
> > acl password proxy_auth REQUIRED
> > http_access allow localhost password
> >
> > for the authentication to work, but my question then is if i can put 3
> > ACLs together like:
> >
> > http_access deny localhost password !work
> >
> > or how can i address this situation??
>
> That is valid syntax, but will not achieve what you seem to want. That will
> block access to authenticated users outside the times defined by "work". To
> get what you want, you should have:
>
> http_access allow localhost work
> http_access allow localhost password
> http_access deny all
>
> BTW, why are you using "localhost" in all the http_access lines? You do
> realize that will only match if the client is running on the same physical
> system as Squid, right?
>
> Adam
>
>

thanks Adam, i'm aware of the localhost, but that is because of the
dansguardian that runs on the same machine, so the acls only work if
coming from the dansguardian and i can set the vip clients to connect
to port 3128 skipping the content manager.

i already set it up like this

acl safe_list dstdomain "/etc/squid/safe_list"
acl ViP src 10.1.1.40-10.1.1.47/32
acl work time MTWHF 15:00-19:50
acl time1 time A 00:00-23:59
acl time2 time S 10:10-11:10
acl time3 time S 13:25-14:15
acl time4 time S 15:00-16:30

http_access allow ViP
http_access allow safe_list
#http_access allow localhost password
http_access deny localhost work
http_access deny localhost time1
http_access allow localhost time2
http_access allow localhost time3
http_access allow localhost time4

as you see i had to coment out localhost password because the idea was
to have the password promt ONLY when there is time restriction, but i
dont know how to set this up, unless, i create new lines like:

http_access allow work password

but then, the clients that connect directly (to port 3128) will get
the prompt too because im not restricting the rule to connections from
localhost (dansguardian)
Received on Fri Dec 03 2004 - 09:12:33 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST