[squid-users] Using multiple groups, multiple access list on W2K?

From: James Bruce <[email protected]>
Date: Tue, 4 Jan 2005 15:55:39 -0600

Hello List,
I'm a newb to squid and this list, I need a little help. I have
squid/2.5.STABLE7-NT installed on a W2K server with the latest patches.

The goal is to have multiple groups with different levels of internet access
for each group. Also let everyone have full internet access during lunch
12-1pm. Last but not least use active directory authentication.

I am able to add windows authentication for my proxy. I created a local
group called ProxyUsers on the w2k server, that group consist of the domain
group called RestrictedUsers. More groups will be created later
(AccountingRestricted, SalesRestricted, Unrestristed, etc...) For now I'm
using one group (for testing). If employees are not in that domain group
(RestrictedUsers) they do not have internet access and if they are, a login
box appears. So I know this works with the active directory authentication.

This is were I'm stuck. We will need to have multiple groups that need more
access then others. Which will require multiple access list I know. I guess
my question is how do you associate certain access-lists for certain groups
with authentication. I included my squid.conf to give you a basic idea of
what I have. I know it's not the cleanest but it's working so far :) If
anyone has a link or advice, please let me know. Sorry if this is such a
newb question.

Thank you,
James

http_port 192.168.0.135 8080
cache_mem 2 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 250 KB
cache_dir ufs C:/squid/var/cache 100 16 256
cache_access_log C:/squid/var/logs/access.log
cache_log C:/squid/var/logs/cache.log
cache_store_log C:/squid/var/logs/store.log
emulate_httpd_log on
log_ip_on_direct on
mime_table C:/squid/etc/mime.conf
log_fqdn on
client_netmask 255.255.255.255
unlinkd_program c:/squid/libexec/unlinkd.exe
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
auth_param ntlm program c:/squid/libexec/win32_ntlm_auth.exe -A ProxyUsers
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
acl restrictedaccess dstdomain .edu
acl restrictedaccess dstdomain .gov
acl restrictedaccess dstdomain .il.us
acl restrictedaccess dstdomain .mil
acl restrictedaccess dstdomain .windowsupdate.com
***really long list but you get the idea
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443
acl USI src 192.168.0.0/24
acl lunchtime time MTWTF 12:00-13:00
http_access allow manager localhost
http_access allow password restrictedaccess
http_access allow USI lunchtime
http_access deny to_localhost
http_access deny !Safe_ports
http_access deny all
cache_mgr Administrator@yadayadayada.com
cache_effective_user nobody
unique_hostname squidproxy 192.168.0.10
announce_period 1 day
icon_directory C:\squid\share\icons
error_directory C:\squid\share\errors\English
coredump_dir c:/squid/var/cache
Received on Tue Jan 04 2005 - 14:55:37 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST