dynamic ACLs


dynamic ACLs

Vieri
Hi,

In sslbump tproxy "mode" one cannot authenticate users to limit/allow their access to web content.

I was thinking however of making a web form with auth within a custom Squid error page. This way a user would "automatically" whitelist a web site and have access to it while the IT dep. would know which user accessed where despite the site being blacklisted.

From the error page I can tell which ACL is blocking that site so I could create an "exception" ACL for that ACL.
My question is: can this whitelist or graylist ACL be dynamic without needing to reload Squid, a bit like ipsets with iptables/nftables without the need to reload rules?

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: dynamic ACLs

Alex Rousskov
On 4/16/20 5:09 AM, Vieri wrote:
> In sslbump tproxy "mode" one cannot authenticate users to limit/allow their access to web content.
>
> I was thinking however of making a web form with auth within a custom Squid error page. This way a user would "automatically" whitelist a web site and have access to it while the IT dep. would know which user accessed where despite the site being blacklisted.
>
> From the error page I can tell which ACL is blocking that site so I could create an "exception" ACL for that ACL.
> My question is: can this whitelist or graylist ACL be dynamic without needing to reload Squid, a bit like ipsets with iptables/nftables without the need to reload rules?

Yes, there are several ways to change Squid decisions without
reconfiguring Squid. The simplest one is the "external acl" mechanism:
http://www.squid-cache.org/Doc/config/external_acl_type/
 Alex.

Re: dynamic ACLs

Amos Jeffries
On 16/04/20 9:09 pm, Vieri wrote:
> Hi,
>
> In sslbump tproxy "mode" one cannot authenticate users to limit/allow their access to web content.
>
> I was thinking however of making a web form with auth within a custom Squid error page. This way a user would "automatically" whitelist a web site and have access to it while the IT dep. would know which user accessed where despite the site being blacklisted.
>
> From the error page I can tell which ACL is blocking that site so I could create an "exception" ACL for that ACL.
> My question is: can this whitelist or graylist ACL be dynamic without needing to reload Squid, a bit like ipsets with iptables/nftables without the need to reload rules?
>


Squid comes with an external ACL helper that authorizes access based on
DB entries. You can use any system you like to manage the DB entries.
 see
<http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>


Amos
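
The external ACL approach suggested in both replies, as an added example that is not part of the thread and not Squid's own helper: a minimal Python helper that answers each lookup from a SQLite table which a web form could update while Squid keeps running. The table layout, the DB path and the squid.conf wiring shown in the docstring are assumptions.

```python
"""Added example: Squid external ACL helper backed by a SQLite exception table.
Assumed squid.conf wiring (helper name and paths are hypothetical):
  external_acl_type exc_db ttl=10 negative_ttl=10 %SRC %DST /usr/local/bin/exc_helper.py
  acl user_exception external exc_db
  http_access allow user_exception
"""
import sqlite3
import sys
import time
from urllib.parse import quote, unquote

DB_PATH = "/var/lib/squid/exceptions.db"  # hypothetical path, written by the web form
SCHEMA = """CREATE TABLE IF NOT EXISTS exceptions (
    client_ip TEXT NOT NULL, domain TEXT NOT NULL, username TEXT NOT NULL,
    expires INTEGER NOT NULL, PRIMARY KEY (client_ip, domain))"""


def open_db(path=DB_PATH):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def decide(db, line, now=None):
    """Return the helper reply for one request line: '<client_ip> <dst_host>'."""
    fields = [unquote(f) for f in line.split()]  # Squid URL-encodes field values
    if len(fields) != 2:
        return "BH message=malformed_request"  # helper failure, not a verdict
    client_ip, host = fields
    host = host.lower().rstrip(".")
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT username FROM exceptions"
        " WHERE client_ip = ? AND domain = ? AND expires > ?",
        (client_ip, host, now)).fetchone()
    if row is None:
        return "ERR"  # no live exception: the blocking ACL still applies
    # user= hands the web-form login back to Squid so the request is attributable
    return "OK user=" + quote(row[0], safe="")


def main():
    db = open_db()
    for line in sys.stdin:  # one lookup per line (no concurrency channel IDs)
        print(decide(db, line), flush=True)


if __name__ == "__main__":
    main()
```

Squid caches helper verdicts for the ttl/negative_ttl set on the external_acl_type line, so a newly added exception takes effect only once the cached ERR for that client and host has expired.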