https access only for few users


https access only for few users

Simon Dcunha-2

Dear All,

I have had Squid running with no issues for a long time, and recently I was given the task below.
User access to the internet is based on a physical-machine IP address ACL, so only user IPs listed in the conf file have access to the internet.

I need to allow access to only one site for some users and deny everything else. It's an HTTPS site;
the site is https://mof-sc-site.custhelp.com/

The users whose IPs are listed in the ACL below should access the above site only and nothing else.

So I have an access list as follows:

----------------------------------------------------
acl onesite src 172.16.52.23 172.16.6.121
acl allowed_site url_regex "/etc/squid/site"
http_access allow onesite allowed_site
http_access deny onesite
------------------------------------------------------

In /etc/squid/site I have:
------------------
.mof*

Now when I try to access the above site it says the page cannot be displayed, and in the Squid access.log I see the below:
--------------
1510224319.009      0 172.16.6.121 TCP_DENIED/403 4201 CONNECT mof-sc-site.custhelp.com:443 - HIER_NONE/- text/html

But if I try to access http://www.mof.gov.kw the home page is displayed and works fine.

I'd appreciate your advice and help.


regards

simon

--
---------
Network Administrator
Kuwait Municipality!!!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: https access only for few users

Amos Jeffries
Administrator
On 09/11/17 23:03, Simon Dcunha wrote:

>
> Dear All,
>
> I have had Squid running with no issues for a long time, and recently I was given the task below.
> User access to the internet is based on a physical-machine IP address ACL, so only user IPs listed in the conf file have access to the internet.
>
> I need to allow access to only one site for some users and deny everything else. It's an HTTPS site;
> the site is https://mof-sc-site.custhelp.com/
>
> The users whose IPs are listed in the ACL below should access the above site only and nothing else.
>
> So I have an access list as follows:
>
> ----------------------------------------------------
> acl onesite src 172.16.52.23 172.16.6.121
> acl allowed_site url_regex "/etc/squid/site"
> http_access allow onesite allowed_site
> http_access deny onesite
> ------------------------------------------------------
>
> In /etc/squid/site I have:
> ------------------
> .mof*
>
> Now when I try to access the above site it says the page cannot be displayed, and in the Squid access.log I see the below:
> --------------
> 1510224319.009      0 172.16.6.121 TCP_DENIED/403 4201 CONNECT mof-sc-site.custhelp.com:443 - HIER_NONE/- text/html
>
>
> But if I try to access http://www.mof.gov.kw the home page is displayed and works fine.
>
> I'd appreciate your advice and help.
>

You are a) using the wrong tool [regex] for the job of matching a single
*domain*, and b) using regex VERY VERY badly.

Your regex says any URL in existence that contains _any_ single
character followed by 'm' then 'o' is a match for the ACL - thus is
allowed to the "onesite" client(s). The 'f' being optional (the *) and
at the end of the pattern means it does not matter at all for the
matching and may as well not exist.

What you should be doing is using an ACL type that matches domain names
and telling it the domain that you want to match:

   acl allowed_site dstdomain mof-sc-site.custhelp.com

The rest of your config snippet was correct for what you want to do.

Amos
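To make the point in the reply above concrete, here is an added Python model of the two ACL types; it is example code written for this page, not Squid's own code and not from the thread. It assumes that url_regex is an unanchored, case-sensitive search over the whole request URL (no -i flag, as in the posted config), that a CONNECT request is matched as the bare host:port shown in the access.log line, and that dstdomain matches an entry without a leading dot exactly and an entry with a leading dot as that domain plus all its subdomains. The sample URLs and the 10.0.0.5 client used in the test are constructed. The model goes one step beyond the reply: the CONNECT target mof-sc-site.custhelp.com:443 begins with "mo", so the posted pattern .mof*, which needs some character before the "mo", never matches the one site that was meant to be allowed (consistent with the TCP_DENIED line), while unrelated URLs containing ".mo" or "emo" do match it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests, modelled on the thread: the CONNECT target that
# was denied, the plain-HTTP site that unexpectedly worked, and two unrelated URLs.
SAMPLE_URLS = [
    "mof-sc-site.custhelp.com:443",  # what Squid matches for the CONNECT in the access.log line
    "http://www.mof.gov.kw/",        # passed the regex ACL although it is not the intended site
    "http://example.com/demo",       # unrelated: "emo" satisfies the pattern ".mo"
    "http://www.example.org/",       # unrelated: no character followed by "mo", so no match
]

# The src ACL from the thread.
ONESITE_CLIENTS = {"172.16.52.23", "172.16.6.121"}


def url_regex_match(pattern: str, url: str) -> bool:
    """Model of Squid's url_regex ACL: an unanchored, case-sensitive search over
    the whole request URL (assumption: no -i flag, as in the thread's config)."""
    return re.search(pattern, url) is not None


def request_host(url: str) -> str:
    """Host that a dstdomain ACL is checked against. CONNECT targets reach Squid
    as bare host:port, other requests as full URLs (assumption about the log format)."""
    if "://" in url:
        return (urlsplit(url).hostname or "").rstrip(".")
    return url.rsplit(":", 1)[0].lower().rstrip(".")


def dstdomain_match(entries, host: str) -> bool:
    """Model of Squid's dstdomain ACL: 'a.b.c' matches only that exact host,
    '.b.c' matches b.c and every subdomain of it."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(client_ip: str, url: str, allowed_site) -> str:
    """Evaluate the thread's two http_access lines for one request:
         http_access allow onesite allowed_site
         http_access deny onesite
    Returns 'allow', 'deny', or 'fallthrough' (clients outside the onesite ACL
    are not decided by these two lines and continue to later rules)."""
    if client_ip not in ONESITE_CLIENTS:
        return "fallthrough"
    return "allow" if allowed_site(url) else "deny"


def regex_acl(url: str) -> bool:
    """The allowed_site ACL as posted: url_regex with the file content '.mof*'."""
    return url_regex_match(".mof*", url)


def dstdomain_acl(url: str) -> bool:
    """The allowed_site ACL as suggested in the reply: dstdomain mof-sc-site.custhelp.com."""
    return dstdomain_match(["mof-sc-site.custhelp.com"], request_host(url))


def compare(client_ip: str = "172.16.6.121") -> dict:
    """Decision per sample URL under the posted ACL and under the dstdomain ACL."""
    return {
        url: {"url_regex": decide(client_ip, url, regex_acl),
              "dstdomain": decide(client_ip, url, dstdomain_acl)}
        for url in SAMPLE_URLS
    }


if __name__ == "__main__":
    for url, outcome in compare().items():
        print(f"{url:32} url_regex={outcome['url_regex']:<11} dstdomain={outcome['dstdomain']}")
```

Running it shows the posted ACL denying the one CONNECT that should pass and allowing two unrelated URLs, while the dstdomain version allows exactly the intended host and nothing else. Note that dstdomain without a leading dot is an exact host match, so a subdomain of the allowed site would still be denied; add the leading-dot form only if subdomains are really meant to be reachable.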

Re: https access only for few users

Simon Dcunha-2
Dear Amos,

Million thanks for the immediate reply.

I will check it out and let you know.

So sorry for being so silly.

regards

simon

----- Original Message -----
From: "Amos Jeffries" <[hidden email]>
To: [hidden email]
Sent: Thursday, November 9, 2017 1:31:47 PM
Subject: Re: [squid-users] https access only for few users



Re: https access only for few users

Amos Jeffries
Administrator
On 10/11/17 08:36, Simon Dcunha wrote:

> Dear Amos,
>
> Million thanks for the immediate reply.
>
> I will check it out and let you know.
>
> So sorry for being so silly.
>
> regards
>
> simon

You're welcome, and no worries. Helping people learn to do things better
is most of what this list is about.

Amos