Squid
Dmitry, 2018-08-08 01:47:47

How to deny access to some users in Squid?

I have Squid set up, with users from the Windows domain authenticating via Kerberos.
I have been given the task of blocking Internet access entirely for certain domain users. Is it possible to create an ACL or something similar for specific users/groups?

acl denyusers ident user05
http_access deny denyusers

This did not work.
I found on the net that people do this with ext_kerberos_ldap_group_acl, but my Squid is installed from a package without this option (CentOS).


1 answer(s)
CityCat4, 2018-08-08
@CityCat4

Well, for example, here is how we gave some people access only to office sites:
File /etc/squid/policy/minimum.acl:

[email protected]
[email protected]

Here user1 is the user's Windows login and DOMAIN.TLD is the "long" name of the Windows domain, in UPPER case! The oursites.url file lists the office sites.
File /etc/squid/squid.conf:
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/proxy.keytab -s HTTP/[email protected]
auth_param negotiate children 30 startup=0 idle=1
auth_param negotiate keep_alive on
acl minimum_acl proxy_auth -i "/etc/squid/policy/minimum.acl"
acl all_dst dst all
acl oursites url_regex -i "/etc/squid/policy/oursites.url"
http_access allow oursites
http_access deny minimum_acl all_dst
http_access allow minimum_acl
http_access deny all_acl

A few explanations.
The first http_access allows anyone to access corporate sites.
The second one blocks access to everything else for those in the minimum.acl list.
The third one allows them to connect to the proxy at all (otherwise Outlook and the like start complaining).
The fourth one is a safety net: it denies proxy access to anyone not mentioned in the lists (and there are many of them, all different).
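
Applied to the original question (blocking listed domain users entirely), here is an added example that is not part of the answer above or of either poster's configuration. It reuses the answer's proxy_auth ACL type, which matches the Kerberos-authenticated name, in place of the question's ident type. The file name blocked.acl and the user names in it are assumptions.

```conf
# /etc/squid/policy/blocked.acl  (hypothetical file, constructed names)
# One login per line, in the same user@REALM form as minimum.acl:
#   user05@DOMAIN.TLD
#   user17@DOMAIN.TLD

# /etc/squid/squid.conf
# The "auth_param negotiate ..." lines from the answer must already be
# present: a proxy_auth ACL can only be evaluated once a helper is configured.

# Form from the question, left commented out. The "ident" type compares
# against the RFC 1413 ident reply from the client host, not against the
# name the Kerberos helper returns.
#acl denyusers ident user05

# proxy_auth compares against the authenticated user name.
# -i makes the comparison case-insensitive.
acl denyusers proxy_auth -i "/etc/squid/policy/blocked.acl"

# http_access is first-match, so this line has to come before every
# "http_access allow" line in the file.
# The trailing built-in "all" keeps the authentication ACL from being the
# last ACL on the deny line; otherwise Squid answers a blocked user with a
# fresh credential challenge (407) instead of a plain denial (403).
http_access deny denyusers all

# ... existing allow rules go here ...

# Final safety net, using Squid's built-in "all" ACL.
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` loads it without a restart.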
