[squid-users] per-acl error messages not working

From: Michael W. Lucas <[email protected]>
Date: Wed, 25 Jul 2007 13:31:15 -0400

Hi,

I'm obviously doing something wrong with my ACLs, and would appreciate
any advice.

We require authentication via radius, and we only allow each user to
be logged on from workstation at a time. Anyone logged on to a server
can access the Internet from multiple machines (i.e., for maintenance
periods where one admin might be running updates on several boxes
simultaneously).

If a user logs in from too many machines, or if he enters a wrong
password, he gets the error message in ERR_NO_SHARING. I would expect
a user who signs on too often to get ERR_NO_SHARING and a user who
fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED.

Instead, all users get ERR_NO_SHARING. I would like to give the users
a useful error message, but obviously I am missing something.

The ACL portion of my squid.conf follows.

Thanks for any suggestions,
==ml

--
error_directory /etc/squid/errors
auth_param basic program /usr/local/squid/libexec/squid_radius_auth_new -f /etc/squid/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm 'Web'
#confirm our login is still good via Radius at this interval;
#this is not the time between password query popups at user's browser!
authenticate_ttl 15 minutes
acl all src 0.0.0.0/0.0.0.0	# all sources
acl manager proto cache_object	# internal cache manager
acl localhost src 127.0.0.1/255.255.255.255  # This computer's loopback source
acl to_localhost dst 127.0.0.0/8 # This computer's loopback destinations
acl PURGE method PURGE
acl Safe_ports port 80		# http
acl Safe_ports port 20		# ftp
acl Safe_ports port 21		# ftp-data
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl radius_auth proxy_auth REQUIRED
acl no_auth_src src "/etc/squid/noauth_src.list"
acl no_auth_dst dst "/etc/squid/noauth_dst.list"
acl no_auth_hostdst dstdomain "/etc/squid/noauth_hostdst"
#Don't share password
authenticate_ip_ttl 60 seconds
acl noPwSharing max_user_ip 1
deny_info ERR_NO_SHARING noPwSharing
#allow server networks more leeway for administration
acl serverPwSharing max_user_ip 5
deny_info ERR_NO_SHARING serverPwSharing
#Our internal networks; one for source, one for dest
acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl our_servers dst 10.0.0.0/8 127.0.0.0/8
acl server_network src 10.184.1.0/24
acl our_domains dstdomain internal.com
acl CONNECT method CONNECT	# Http Connect method
#Only the local machine can see cache manager
http_access allow manager localhost
http_access deny manager
#management acl
http_access allow PURGE localhost
http_access deny PURGE
#block connections to unsafe ports
http_access deny !Safe_ports
#Allow everyone through to some sites without auth
http_access allow no_auth_dst
http_access allow no_auth_src
http_access allow no_auth_hostdst
#Everyone can access internal servers
always_direct allow our_domains
#servers can have one user connect multiple times
http_access allow server_network radius_auth
#clients may only log in from one IP at a time.
http_access deny noPwSharing
#Clients must auth to radius to leave our network
http_access allow our_networks radius_auth  
#everyone else is denied access
http_access deny all
#everyone can reply
http_reply_access allow all
#nobody may use this as a peer proxy
icp_access deny all
-- 
Michael W. Lucas 	mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
		http://www.BlackHelicopters.org/~mwlucas/
      Coming Soon: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
Received on Wed Jul 25 2007 - 11:31:19 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Aug 01 2007 - 12:00:04 MDT