Squid - IP_USER ISSUES


Author IP_USER ISSUES
squid3456@yahoo.com

2004-12-07, 5:46 pm

I am having an issue with the ip_user command in squid 2.5 Stable 7.
Even though I have the ip_user.conf file set to none I can still access
the internet from this ip. I have posted the squid.conf file:

#Use Squid for authentication on ports and general proxying. All access policies are
#handled by squidGuard redirector interface.
#ACL's debug
#debug_options ALL,1 32,2
#ACCESS's debug
debug_options ALL,1 28,12
#debug_options ALL,9 #store debug
#debug_options ALL,1 25,12 28,12

#port 3128 is used for squidGuard
http_port 3128 8080 8083 8085 8090
cache_effective_group squid

visible_hostname testsquid
#redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
#redirect_program /usr/local/squidGuard/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 16

acl SSL_ports port 443 563 33108 9080
acl Safe_ports port 21 80 443 563 70 210 1025-65535
acl Safe_ports port 9080 # freemarkets
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

cache_dir ufs /usr/local/squid/var/cache 100 16 256
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#define all as source group
acl all src 0.0.0.0/0.0.0.0
external_acl_type ip_user %SRC %LOGIN /usr/local/squid/etc/ip_user_check -f /usr/local/squid/etc/ip_user.conf


#define proxy ports, 8080 - users, 8090 - administrators, 8083 - real audio
acl user_myport myport 8080
acl admin_myport myport 8090
acl realaudio_myport myport 8083

#define authentication
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid Cache Proxy Server
auth_param basic credentialsttl 2 hours

#define domain users group, password required
acl domainusers proxy_auth REQUIRED

#define domain admins group, password required, have to be list's members
acl administrators_list proxy_auth "/usr/local/squidGuard/db/administrators_list"

#define dload users group, password required, have to be list's members
acl dload_users proxy_auth "/usr/local/squidGuard/db/dload_users_list"

#acl bad_ext url_regex "/usr/local/squid/etc/bad_ext.txt"
#acl allow_ext url_regex "/usr/local/squid/etc/allow_ext.txt"
#acl dload_ext url_regex "/usr/local/squidGuard/db/whitelist/dload/expressions"
#acl dload_domain url_regex "/usr/local/squidGuard/db/whitelist/dload/domains"
#acl bad_mime url_regex "/usr/local/squid/etc/bad_mime.txt"

logfile_rotate 45

#download main rule, deny all downloads after it
#http_access allow user_myport dload_ext dload_domain dload_users

#!!!!!!!!!!!!!!!!!!!!1'deny' configuration
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#disable extensions from the list for domain users
# Added to allow login.exe 11/5/02
#http_access deny user_myport bad_ext
#disable ftp for domain users
#http_access deny user_myport FTP
#main 'allow' rules, the rule uses AND logic per line. Requests got checked until match
#is found per line. Example: 'http_access allow user_myport domainusers' will check port first,
#then check if user in domainusers, since domainuser has to be authenticated will call for password,
#if all(AND) conditions are met then proxying is allowed.
http_access allow realaudio_myport domainusers
http_access allow user_myport domainusers
http_access allow user_myport administrators_list
http_access allow admin_myport administrators_list

#last rule - deny!!!!!!
#in case no match was found in previous lines.
http_access deny all

----------------------

This is what is in my ip_user.conf file:

192.168.0.249 NONE



----------------------------

Can someone please tell me what I am doing wrong?
Here are my configure options:

Squid Cache: Version 2.5.STABLE7-20041206
configure options: --prefix=/usr/local/squid --enable-basic-auth-helpers=NCSA --enable-external-acl-helpers=ip_user

Muthukumar_K

2004-12-24, 12:44 pm

external_acl_type ip_user %SRC %LOGIN /usr/local/squid/etc/ip_user_check -f /usr/local/squid/etc/ip_user.conf

>>>
External configuration is ok. But you did not define ACL for this external class?

as like as,

acl ip_user_acl external ip_user
>>>


http_access allow realaudio_myport domainusers
http_access allow user_myport domainusers
http_access allow user_myport administrators_list
http_access allow admin_myport administrators_list

>>>
You did not deny for that specific IP-Address right there. Use as,

http_access deny ip_user_acl

http_access allow realaudio_myport domainusers
http_access allow user_myport domainusers
http_access allow user_myport administrators_list
http_access allow admin_myport administrators_list

http_access deny all

I hope it will work now.

HTH.

regards
Muthukumar

kmuthu_gct@yahoo.com
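
An added example, not part of the thread and not Squid or ip_user code: a small Python model of first-match `http_access` evaluation over the rules posted above, showing that the helper has no effect until an ACL referencing it appears in a rule ahead of the allow lines. It assumes an external ACL matches when its helper answers OK and that the helper answers ERR for the address listed as NONE, so the deny rule is written on the negated ACL; `helper_verdict`, `alice` and `admin1` are constructed stand-ins.

```python
# Constructed model of the http_access rules posted in this thread. Assumptions: an external
# ACL matches when its helper answers OK; the helper answers ERR for the IP listed as NONE.

def helper_verdict(src, user):
    """Hypothetical stand-in for ip_user_check (receives %SRC %LOGIN)."""
    return "ERR" if src == "192.168.0.249" else "OK"

def make_acls(with_external):
    acls = {
        "all": lambda r: True,
        "user_myport": lambda r: r["myport"] == 8080,
        "admin_myport": lambda r: r["myport"] == 8090,
        "realaudio_myport": lambda r: r["myport"] == 8083,
        "domainusers": lambda r: r["user"] is not None,          # proxy_auth REQUIRED
        "administrators_list": lambda r: r["user"] == "admin1",  # constructed member
    }
    if with_external:  # models: acl ip_user_acl external ip_user
        acls["ip_user_acl"] = lambda r: helper_verdict(r["src"], r["user"]) == "OK"
    return acls

POSTED_RULES = """\
http_access allow realaudio_myport domainusers
http_access allow user_myport domainusers
http_access allow user_myport administrators_list
http_access allow admin_myport administrators_list
http_access deny all
"""

def evaluate(rules_text, acls, request):
    """First matching line wins; ACLs on a line are ANDed and a leading '!' negates."""
    action = "allow"
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, names = parts[1], parts[2:]
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

def verdicts(request):
    """Return (verdict with posted rules, verdict with the external ACL wired in)."""
    posted = evaluate(POSTED_RULES, make_acls(False), request)
    wired = evaluate("http_access deny !ip_user_acl\n" + POSTED_RULES, make_acls(True), request)
    return posted, wired

if __name__ == "__main__":
    print(verdicts({"src": "192.168.0.249", "myport": 8080, "user": "alice"}))
```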