
Multiple http_access Logic At the same time


Multiple http_access Logic At the same time

Serhat Koroglu

Hello,

I'm trying to manage squid users to access the proxy if they logged in and the site url is allowed in my url list. They are running one by one. If logged in accesses but not check the url and vice versa. But I want both of them. Here is my config part.


auth_param basic program /usr/bin/php /var/www/html/sqauth.php
auth_param basic children 20
auth_param basic realm Username and password
auth_param basic credentialsttl 5 hours

acl AuthenticatedUsers proxy_auth REQUIRED

acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
acl all_others dst 0.0.0.0/0.0.0.0


http_access allow allowed_sites
http_access deny all_others
http_access allow AuthenticatedUsers


Thank you,
Serhat

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Multiple http_access Logic At the same time

Amos Jeffries
On 15/04/2017 1:25 a.m., Serhat Koroglu wrote:
> Hello,
>
> I'm trying to manage squid users to access the proxy if they logged
> in and the site url is allowed in my url list. They are running one
> by one. If logged in accesses but not check the url and vice versa.
> But I want both of them. Here is my config part.
>

First some concepts:

You do not have any "url list" in the displayed config settings.

You do have a file that is supposed to contain *only* domain names.
Those may have wildcard sub-domains in dstdomain format (domain name
started with a '.'), but URLs and other things are not valid in that file.


Also, http_access does not allow/deny "URLs". It can best be described
as allowing or denying *use of the proxy*. Use of the proxy is a very
different concept to 'URL'.

That is very important to get straight in your head since it directly
affects your understanding of what the ACLs do.




>
> auth_param basic program /usr/bin/php /var/www/html/sqauth.php
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 5 hours
>
> acl AuthenticatedUsers proxy_auth REQUIRED
>
> acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
> acl all_others dst 0.0.0.0/0.0.0.0

Contrary to what you may think the above "all_others" ACL does not deny
access to everywhere.

It is a bad way to configure:

  acl all_others dst ipv4


Also be aware that it can only match IPv4 addresses. So any IPv6-only
domain will happily skip past your denial rule. This has nothing to do
with whether your client or your local network is IPv4-only. It depends
solely on the DNS listed IPs of the destination domain; clients
requesting IPv6-only domains will be allowed to use your proxy.

Use the provided/built-in ACL called "all" when you want to match
everything.


>
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow AuthenticatedUsers
>

When you fix the "deny all_others" stuff so it is working as you appear to
intend, your authentication will "break".

Please read
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> for why,
and that should also teach you how to solve your described problem.

Amos

Re: Multiple http_access logic at the same time

Antony Stone
On Monday 17 April 2017 at 08:35:28, Serhat Koroglu wrote:

> Hello,
> I'm trying to manage squid users to access the proxy if they logged in and
> the site url is allowed in my url list. They are running one by one. If
> logged in accesses but not check the url and vice versa.

So, are you saying that the users must be logged in, *and* the URL they are
accessing is on your list, otherwise the request is denied?

> But I want both of them. Here is my config part.
>
> auth_param basic program /usr/bin/php /var/www/html/sqauth.php
> auth_param basic children 20
> auth_param basic realm Username and password
> auth_param basic credentialsttl 5 hours
>
> acl AuthenticatedUsers proxy_auth REQUIRED
>
> acl allowed_sites dstdomain "/etc/squid/allowedsites.txt"
> acl all_others dst 0.0.0.0/0.0.0.0
>
> http_access allow allowed_sites
> http_access deny all_others
> http_access allow AuthenticatedUsers

That last line can never be executed, because the one before "deny all_others"
simply blocks everything.

I think what you want is simply:

        http_access allow AuthenticatedUsers allowed_sites
        http_access deny all_others


Antony.

--
I just got a new mobile phone, and I called it Titanic.  It's already syncing.

                                                   Please reply to the list;
                                                         please *don't* CC me.
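
Added example (not part of the original thread, and not Squid's own code): a simplified Python model of how http_access lines are evaluated, run over the original rules and over Antony's combined line with the built-in "all" ACL that Amos recommends. The allow-list entry, user name, hosts and addresses are constructed, and a missing login is modelled as a plain non-match where real Squid would answer with a 407 challenge.

```python
import ipaddress

ALLOWED = {".example.org"}  # constructed stand-in for /etc/squid/allowedsites.txt
ORIGINAL = """
http_access allow allowed_sites
http_access deny all_others
http_access allow AuthenticatedUsers
"""
# Assumed fix: Antony's combined line, ending with the built-in "all" ACL.
FIXED = """
http_access allow AuthenticatedUsers allowed_sites
http_access deny all
"""
# Constructed requests: (label, user, host, resolved destination IPs)
REQUESTS = [
    ("anonymous, listed site", None, "www.example.org", ["192.0.2.10"]),
    ("logged in, listed site", "alice", "www.example.org", ["192.0.2.10"]),
    ("logged in, unlisted IPv4", "alice", "other.example.net", ["198.51.100.7"]),
    ("logged in, unlisted IPv6-only", "alice", "v6.example.net", ["2001:db8::1"]),
]

def acl_matches(name, req):
    """Simplified model of the ACL types that appear in the thread."""
    if name == "all":                 # built-in ACL, matches every request
        return True
    if name == "AuthenticatedUsers":  # proxy_auth REQUIRED
        return req["user"] is not None
    if name == "allowed_sites":       # dstdomain: leading '.' also covers sub-domains
        host = req["host"]
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in ALLOWED)
    if name == "all_others":          # dst 0.0.0.0/0.0.0.0: IPv4 destinations only
        return any(ipaddress.ip_address(a).version == 4 for a in req["dst_ips"])
    raise KeyError(name)

def decide(rules, req):
    """Lines run top to bottom; a line matches only if ALL its ACLs match."""
    action = "deny"
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        if all(acl_matches(a, req) for a in acls):
            return action             # first matching line wins
    # Nothing matched: the default is the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

def compare():
    """Map each constructed request to (original decision, fixed decision)."""
    return {label: tuple(decide(cfg, {"user": u, "host": h, "dst_ips": ips})
                         for cfg in (ORIGINAL, FIXED))
            for label, u, h, ips in REQUESTS}
```

Under the original rules the anonymous request to a listed site and the logged-in request to an unlisted IPv6-only site are both allowed; under the combined rule only the logged-in request to a listed site is.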