RE: [squid-users] configuring Squid to authenticate AND to log users' access to forbidden sites.

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 19 Aug 2005 15:31:34 -0800

> -----Original Message-----
> From: MARLON BORBA [mailto:MBORBA@trf3.gov.br]
> Sent: Friday, August 19, 2005 3:17 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] configuring Squid to authenticate AND to log
> users' access to forbidden sites.
>
>
> Squid ubergeeks,
>
> I am configuring a Squid (2.5-STABLE9 in a Fedora Core 4) to
> authenticate users into a LDAP directory. Having succeeded in
> that configuration, my next challenge is to implement access
> control AND logging of users' accesses to forbidden sites.
>
> I created two url_regex lists, semacesso.txt for porn and
> other banned sites and liberado.txt, which contain regexes
> for sites that, not being porn or any other crap, could be
> blocked because they contain a substring appearing to be a
> porn site (eg esSEX.ac.uk).
>
> I have two problems to solve:
>
> 1) My Squid.conf relevant lines below:
>
> [...]
> acl autenticados proxy_auth REQUIRED
> [...]
> acl liberado dstdom_regex "/etc/squid/liberado.txt"
> acl semacesso dstdom_regex "/etc/squid/semacesso.txt"
> [...]
> http_access allow autenticados

I am imagining that you don't want to permit anyone to surf without authentication. In such a case...

http_access deny !autenticados

...would be a better fit. After the first matching http_access line squid stops processing, so the next two lines were never being tested. With the suggested change, authentication will be required, but will not be a "free pass" to surf.

>
> http_access allow liberado
> http_access deny semacesso
> [...]
> # And finally deny all other access to this proxy
> http_access allow localhost
> http_access deny all
> [...]
>
> In this configuration it allows an authenticated user to
> access any site, even the forbidden ones. OTOH, I put the
> 'liberado' and 'semacesso' lines ABOVE the authentication
> line, the user does not access forbidden sites and Squid logs
> that into Cache.log, but WITHOUT the lame user's login.
>
> 2) Is there a better way to permit access to non-pornographic
> sites (eg esSEX.ac.uk) but block pornographic ones (eg SEX.com)?
>

Perhaps someone else will have a good answer to this question. I'm not using Squid for content filtering.

> TIA,
>
> Marlon Borba, CISSP.
>
>

Chris
Received on Fri Aug 19 2005 - 17:31:36 MDT
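
Added example (not part of the original messages, and not Squid's own code): a small Python model of first-match http_access evaluation, run over the three rule orderings discussed in this thread. The regex list contents, client address and user name are constructed, the elided [...] lines are not modelled, and treating the login as known only once a proxy_auth ACL has been evaluated is a simplifying assumption.

```python
import re

# Constructed sample list contents (the real liberado.txt / semacesso.txt are not shown).
ACLS = {
    "liberado": [r"essex\.ac\.uk$"],
    "semacesso": [r"sex"],
}

def acl_matches(name, req, state):
    """Evaluate one ACL name; a leading '!' negates it."""
    if name.startswith("!"):
        return not acl_matches(name[1:], req, state)
    if name == "all":
        return True
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "autenticados":            # models: proxy_auth REQUIRED
        if req.get("user"):
            state["user"] = req["user"]   # login is available for logging from here on
            return True
        return False
    return any(re.search(p, req["host"], re.I) for p in ACLS[name])

def evaluate(rules, req):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    state = {"user": "-"}
    for action, *names in (r.split() for r in rules):
        if all(acl_matches(n, req, state) for n in names):
            return action, state["user"]
    return "deny", state["user"]          # not reached: every list ends in 'deny all'

TAIL = ["allow localhost", "deny all"]
ORIGINAL = ["allow autenticados", "allow liberado", "deny semacesso"] + TAIL
LISTS_FIRST = ["allow liberado", "deny semacesso", "allow autenticados"] + TAIL
SUGGESTED = ["deny !autenticados", "allow liberado", "deny semacesso"] + TAIL

def demo(host="www.sex.com", user="jdoe"):
    """Return (action, logged user) for each ordering, for one constructed request."""
    req = {"src": "10.0.0.5", "user": user, "host": host}
    orderings = [("original", ORIGINAL), ("lists_first", LISTS_FIRST),
                 ("suggested", SUGGESTED)]
    return {name: evaluate(rules, req) for name, rules in orderings}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```
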
