Indunil Jayasooriya
2007-Mar-26 08:29 UTC
[CentOS] How to limit a user to access a few sites.
Hi,

I am now running squid with ncsa_auth.

I have bound ip addresses to usernames. So users now can access Internet from their ips.

Now I want to prevent a few users from accessing all the sites. Instead, I want to allow them to access a few sites such as google.com, cnn.com, bbc.com. I want to limit in that way.

I have written the rules below. But those users still can access all the sites.

external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST

http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users
http_access allow ncsa_users

My ip.conf file is like this.

[root@worldnet squid]# cat /etc/squid/ip.conf
192.168.101.25 indunil .google.com .bbc.com .cnn.com
192.168.101.90 www90

According to the above file, user indunil with ip address 192.168.101.25 has access to google.com, bbc.com and cnn.com. But the user indunil still has access to all the sites.

How can I solve this?

--
Thank you
Indunil Jayasooriya
John Summerfield
2007-Mar-26 12:38 UTC
[CentOS] How to limit a user to access a few sites.
Indunil Jayasooriya wrote:
> Hi,
>
> I am now running squid with ncsa_auth.
>
> I have bound ip addresses to usernames. So users now can access Internet
> from their ips.
>
> Now I want to prevent a few users from accessing all the sites. Instead,
> I want to allow them to access a few sites such as google.com, cnn.com,
> bbc.com. I want to limit in that way.
>
> I have written the rules below. But those users still can access all the sites.

For this kind of control, I use Squidguard. However, Squidguard does control computers, not users (though in practice, I don't think one can reliably control users).

--
Cheers
John

Please do not reply off-list
On Mon, 2007-03-26 at 13:59 +0530, Indunil Jayasooriya wrote:
> Hi,
>
> I am now running squid with ncsa_auth.
>
> I have bound ip addresses to usernames. So users now can access
> Internet from their ips.
>
> Now I want to prevent a few users from accessing all the sites.
> Instead, I want to allow them to access a few sites such as
> google.com, cnn.com, bbc.com. I want to limit in that way.
>
> I have written the rules below. But those users still can access all the
> sites.
>
> external_acl_type ip_user %SRC %LOGIN %DST /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
>
> acl ncsa_users proxy_auth REQUIRED
> acl ip_users external ip_user %SRC %LOGIN %DST
>
> http_access deny !ncsa_users
> http_access deny !ip_users
> http_access allow ip_users
> http_access allow ncsa_users
>
> My ip.conf file is like this.
> [root@worldnet squid]# cat /etc/squid/ip.conf
> 192.168.101.25 indunil .google.com .bbc.com .cnn.com
> 192.168.101.90 www90
>
> According to the above file, user indunil with ip address
> 192.168.101.25 has access to google.com, bbc.com and cnn.com.
> But the user indunil still has access to all the sites.
>
> How can I solve this?

I think you probably need to combine a few rules together. Consider the following:

acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_user %SRC %LOGIN %DST
acl ALLOWED_DOMAINS url_regex -i google.com bbc.com cnn.com

http_access deny !ncsa_users
http_access deny !ip_users
http_access allow ip_users ALLOWED_DOMAINS
http_access allow ncsa_users ALLOWED_DOMAINS
http_access deny all

Basically, a new ACL was added and the corresponding http_access test, it will only

(a) be allowed IF it fulfilled the test of being an ip_users and going to a domain as defined in the ALLOWED_DOMAINS acl
~ or ~
(b) be allowed IF it fulfilled the test of being an ncsa_users and going to a domain as defined in the ALLOWED_DOMAINS acl

Hope this helps.
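
Added example, not part of the thread and not Squid's own code: a small Python model of how Squid evaluates http_access lines, run over constructed requests, showing why the rules in the first message never restrict the destination and how a per-user deny line with a dstdomain list does. It assumes the ip_user helper answers OK for any listed address/login pair regardless of %DST; the ACL names restricted and allowed_sites and the helper functions are hypothetical.

```python
# Constructed model of Squid's http_access evaluation: lines are checked top to
# bottom, ACLs on one line are ANDed, and the first fully matching line decides.
# Assumption: the ip_user helper answers OK for a listed pair whatever %DST is.
PAIRS = {("192.168.101.25", "indunil"), ("192.168.101.90", "www90")}

def ncsa_users(req):        # acl ncsa_users proxy_auth REQUIRED
    return req["user"] is not None

def ip_users(req):          # acl ip_users external ip_user ...
    return (req["src"], req["user"]) in PAIRS

def proxy_auth(*names):     # proxy_auth with an explicit list of logins
    return lambda req: req["user"] in names

def dstdomain(*names):      # ".cnn.com" matches cnn.com and every subdomain
    def acl(req):
        host = req["host"].lower()
        return any(host == n.lstrip(".") or (n.startswith(".") and host.endswith(n))
                   for n in names)
    return acl

def neg(acl):               # the "!" prefix on an ACL name
    return lambda req: not acl(req)

def evaluate(rules, req):
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, user, host):   # constructed sample request
    return {"src": src, "user": user, "host": host}

# Rules from the first message: no http_access line tests the destination.
ORIGINAL = [("deny", [neg(ncsa_users)]), ("deny", [neg(ip_users)]),
            ("allow", [ip_users]), ("allow", [ncsa_users])]

# Hypothetical per-user variant (ACL names are illustrative):
#   acl restricted proxy_auth indunil
#   acl allowed_sites dstdomain .google.com .bbc.com .cnn.com
#   http_access deny restricted !allowed_sites   (placed before the allow line)
restricted = proxy_auth("indunil")
allowed_sites = dstdomain(".google.com", ".bbc.com", ".cnn.com")
PER_USER = [("deny", [neg(ncsa_users)]), ("deny", [neg(ip_users)]),
            ("deny", [restricted, neg(allowed_sites)]),
            ("allow", [ncsa_users]), ("deny", [lambda req: True])]
```

In this model only the login named in the restricted ACL is held to the site list; every other authenticated address/login pair keeps the access it had under the original rules.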