authorized by pcname


authorized by pcname

sampei02@tiscali.it
Can I set an acl to authorize a specific computer name via the http_access directive?
I usually use acl <name> src <ip>, but I'd like to specify the NetBIOS name, so I thought that, since the client IP address is sent to Squid, it would be the same thing with the PC name.
Is it possible?
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: authorized by pcname

Amos Jeffries
Administrator
On 11/12/20 3:55 am, sampei02 wrote:
> Can I set an acl to authorize a specific computer name via the http_access directive?

Maybe. That depends on whether there is any mechanism for Squid to
identify the "computer name".



> I usually use acl <name> src <ip>, but I'd like to specify the NetBIOS name, so I thought that, since the client IP address is sent to Squid, it would be the same thing with the PC name.


Your thought is both right and wrong.

NetBIOS name plays the same role as IP address - both are the "address"
of the client machine in their relevant protocols.

However, Squid does not use or implement NetBIOS protocol to talk to
clients. Squid only uses IP based protocols.

Sometimes NTLM credentials contain the NetBIOS name of a "NetBIOS node"
machine.

Or IDENT protocol can be used to directly query the client about its
name. *IF* that protocol is supported and enabled on the client.


Amos

Re: authorized by pcname

sampei02@tiscali.it
What Squid mechanism do you suggest I use to identify the "computer name"?
What solution/correction can I make to my environment to apply my idea?



> On 12 Dec 2020, at 10:48, Amos Jeffries <[hidden email]> wrote:
>
> On 11/12/20 3:55 am, sampei02 wrote:
>> Can I set an acl to authorize a specific computer name via the http_access directive?
>
> Maybe. That depends on whether there is any mechanism for Squid to identify the "computer name".
>
>
>
>> I usually use acl <name> src <ip>, but I'd like to specify the NetBIOS name, so I thought that, since the client IP address is sent to Squid, it would be the same thing with the PC name.
>
>
> Your thought is both right and wrong.
>
> NetBIOS name plays the same role as IP address - both are the "address" of the client machine in their relevant protocols.
>
> However, Squid does not use or implement NetBIOS protocol to talk to clients. Squid only uses IP based protocols.
>
> Sometimes NTLM credentials contain the NetBIOS name of a "NetBIOS node" machine.
>
> Or IDENT protocol can be used to directly query the client about its name. *IF* that protocol is supported and enabled on the client.
>
>
> Amos

Re: authorized by pcname

Antony Stone
On Saturday 12 December 2020 at 14:03:23, [hidden email] wrote:

> What Squid mechanism do you suggest I use to identify the "computer name"?
> What solution/correction can I make to my environment to apply my idea?

A few suggestions:

1. Why not get your DHCP server to allocate IP addresses according to MAC
address; then your clients will get fixed addresses again and you can use those
in your ACLs.

2. Alternatively, get your DHCP server to update a local DNS server, and point
Squid at that so that it can look up the names of the PCs in DNS (without
needing to know about NetBIOS) and you can use those.

3. Get your users to authenticate to Squid as people, not as computers; then
you can apply the appropriate rules for who is trying to do stuff instead of
assuming who is using which computer.

4. Why have you switched from static addressing to DHCP?  If you need DHCP to
cater for machines which "temporarily visit" your network, how about just
allocating a subnet range for those and continue to use static addresses for
the machines you know about?


Regards,


Antony.

--
A good conversation is like a miniskirt;
short enough to retain interest,
but long enough to cover the subject.

 - Celeste Headlee


                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: authorized by pcname

sampei02@tiscali.it
Thanks for your suggestions.
1. In this way I would just move the problem to another level, that is the DHCP server.
2. My DHCP server already updates the local DNS, that is Active Directory, but Squid cannot point to this local Microsoft DNS because it's using an external DNS. I have two DNS servers: Microsoft DNS (AD) to resolve intranet addresses and Linux DNS (public network) to resolve Internet addresses. Squid uses the latter.
3. I'm not interested; I have already thought about it.
4. I didn't switch to DHCP. DHCP is an additional service. I have been using DHCP for a few months and I'll use it only for notebooks.

When a client asks Squid for a URL, is there a way to capture the "client name" and check whether it matches an acl? Does a trusted application exist that can be integrated into Squid to do that?

> On 12 Dec 2020, at 14:20, Antony Stone <[hidden email]> wrote:
>
> On Saturday 12 December 2020 at 14:03:23, [hidden email] wrote:
>
>> What Squid mechanism do you suggest I use to identify the "computer name"?
>> What solution/correction can I make to my environment to apply my idea?
>
> A few suggestions:
>
> 1. Why not get your DHCP server to allocate IP addresses according to MAC
> address; then your clients will get fixed addresses again and you can use those
> in your ACLs.
>
> 2. Alternatively, get your DHCP server to update a local DNS server, and point
> Squid at that so that it can look up the names of the PCs in DNS (without
> needing to know about NetBIOS) and you can use those.
>
> 3. Get your users to authenticate to Squid as people, not as computers; then
> you can apply the appropriate rules for who is trying to do stuff instead of
> assuming who is using which computer.
>
> 4. Why have you switched from static addressing to DHCP?  If you need DHCP to
> cater for machines which "temporarily visit" your network, how about just
> allocating a subnet range for those and continue to use static addresses for
> the machines you know about?
>
>
> Regards,
>
>
> Antony.
>
> --
> A good conversation is like a miniskirt;
> short enough to retain interest,
> but long enough to cover the subject.
>
> - Celeste Headlee
>
>
>                                                   Please reply to the list;
>                                                         please *don't* CC me.

Re: authorized by pcname

Amos Jeffries
Administrator
On 13/12/20 10:44 pm, sampei02 wrote:
> Thanks for your suggestions.
> 1. In this way I would just move the problem to another level, that is the DHCP server.
> 2. My DHCP server already updates the local DNS, that is Active Directory, but Squid cannot point to this local Microsoft DNS because it's using an external DNS. I have two DNS servers: Microsoft DNS (AD) to resolve intranet addresses and Linux DNS (public network) to resolve Internet addresses. Squid uses the latter.

Your recursive resolver (the Linux DNS) should be configured to forward
queries about the local network's IP range(s) used by DHCP to the
Microsoft DNS resolver.

Squid should make its queries to the Linux one and get the necessary
information back about the clients.


>
> When a client asks Squid for a URL, is there a way to capture the "client name" and check whether it matches an acl? Does a trusted application exist that can be integrated into Squid to do that?
>

That depends on what type of name you are looking for and what protocols
are available. Humans like to apply names to things and each protocol
has its own version of one, so the situation gets complicated and messy.

As mentioned already if you can avoid having things depend on "machine
name" it will help simplify the situation a lot.

Squid should be able to identify the IP ranges that are used by internal
clients vs others. It can make simple denials based on the IP range.



As a last resort, there is no need to make the policy decision directly
in squid.conf. You can have an external ACL helper that gets passed some
details from Squid and tells Squid what to do. That helper could be
given the URL and client IP - do a lookup in *both* DNS resolvers and
pass back to Squid whether it is to be allowed (OK) or not (ERR).


Amos
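As an added example (not from any poster and not Squid's own code), here is a helper of the kind Amos describes in the last reply: Squid hands it the client IP and URL, it reverse-resolves the IP against both resolvers in turn, and answers OK or ERR. The resolver addresses, the allow-list of machine names, the use of `dig` for the lookup and the squid.conf lines are all assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external ACL helper (not Squid's own code).

Assumed squid.conf wiring (the helper receives "%SRC %URI" per request):
  external_acl_type by_pcname ttl=60 negative_ttl=10 %SRC %URI /usr/local/bin/pcname_acl.py
  acl known_pc external by_pcname
  http_access allow known_pc
"""
import subprocess
import sys

# Constructed values: the AD resolver and the Linux resolver from the thread, and the
# machine names that are allowed (short host label, matched case-insensitively).
RESOLVERS = ["192.0.2.10", "192.0.2.53"]
ALLOWED_PCS = {"pc-accounting", "pc-reception"}


def ptr_lookup(ip, resolver, timeout=2):
    """Reverse-resolve ip against one specific resolver with dig; None if no answer."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "-x", ip, "@" + resolver]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 1).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    names = [n.strip().rstrip(".") for n in out.splitlines() if n.strip()]
    return names[0] if names else None


def decide(client_ip, resolvers=RESOLVERS, allowed=ALLOWED_PCS, lookup=ptr_lookup):
    """Ask the resolvers in order; the first PTR answer decides. No answer, or a
    name that is not on the allow-list, is a deny (fail closed)."""
    for resolver in resolvers:
        fqdn = lookup(client_ip, resolver)
        if fqdn:
            pc = fqdn.split(".")[0].lower()
            # 'log=' makes the matched name visible in access.log for auditing.
            return "OK log=%s" % pc if pc in allowed else "ERR"
    return "ERR"


def handle_line(line, **kw):
    """One request from Squid: '<client_ip> <url>'. The URL is received but unused."""
    fields = line.split()
    if len(fields) < 2:
        return "BH message=bad_input"   # BH = helper problem, not a policy answer
    return decide(fields[0], **kw)


if __name__ == "__main__":
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()   # Squid waits for each reply, so output must not be buffered
```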