


  1. #1

    Squid - Block with ACLs by user instead of by IP

    Hey folks...

    I have several ACLs for each machine... And I am also using authentication, which is all working fine... But I wanted to know whether, instead of tying the machine's IP to the ACLs, I could create a file with the users, and how I would do that...

    My ACLs look like this:
    #####################################################################################

    acl password proxy_auth REQUIRED
    http_access deny !password

    acl libera src "/etc/squid/libera-ip"
    acl stringnaopornografica url_regex "/etc/squid/string-nao-pornografica"
    acl negadownloadmusica url_regex -i "/etc/squid/nega-download-musica"
    acl blacklists-porn-string url_regex "/etc/squid/porn/string"
    acl blacklists-porn-urls url_regex "/etc/squid/porn/urls"
    acl blacklists-porn-domains dstdomain "/etc/squid/porn/domains"
    acl nega-sites url_regex "/etc/squid/nega-sites"
    acl negaacessomusica url_regex "/etc/squid/nega-acesso-musica"
    acl morning time 08:00-17:00
    acl negaipestacao src "/etc/squid/nega-ip-estacao"
    acl ipvalido src "/etc/squid/ip-valido"
    acl acl2-ip src "/etc/squid/acl2-nega-ip"
    acl acl2-str url_regex "/etc/squid/acl2-nega-str"

    http_access deny acl2-ip acl2-str
    http_access allow libera
    http_access allow stringnaopornografica all
    http_access deny negadownloadmusica
    http_access deny blacklists-porn-string
    http_access deny blacklists-porn-urls
    http_access deny blacklists-porn-domains
    http_access deny nega-sites
    http_access deny morning negaacessomusica
    http_access deny negaipestacao
    http_access deny !ipvalido
    http_access allow manager localhost
    http_access deny manager
    ##################################################################################

    Thanks for the help

  2. #2


    RTFM:

    A good search in the Squid manual itself would have helped (section 6 of the manual):

    "User name
    Logs generally show the source IP address of a connection. When this address is on a multiuser machine (let's use a Unix machine at a university as an example) you cannot pin down a request as being from a specific user. There could be hundreds of people logged into the Unix machine, and they could all be using the cache server. Trying to track down a misbehaver is very difficult in this case, since you can never be sure which user is actually doing what. To solve this problem, the ident protocol was created. When the cache server accepts a connection, it can connect back to the origin server (on a low-numbered port, so the reply cannot be faked) and finds out who just connected. This doesn't make any sense on windows systems: people can just load their own ident servers (and become daffy duck for a day). If you run multi-user systems then you may want only certain people on those machines to be able to use the cache. In this case you can use the ident username to allow or deny access.

    Example 6-15. Using ident usernames to deny cache access

    acl goodusers ident oskar tom
    http_access allow goodusers

    One of the best things about Unix is the flexibility you get. If you wanted (for example) only students in their second year on to have access to the cache servers via your Unix machines, you could create a replacement ident server. This server could find out which user that has connected to the cache, but instead of returning the username you could return a string like "third_year" or "postgrad". Rather than maintaining a list of which students are in on both the cache server and the central Unix system, you could use simple Squid rules, and the ident server could do all the work where it checks which user is which.

    Example 6-16. Using Ident to classify users, and using Squid to deny classes

    acl responsible ident third_year fourth_year postgrad staff
    http_access allow responsible

    "
    :twisted:

  3. #3
    Guest


    Yes, all right. For example, when setting up the ACL you do the following:
    acl acl2-ip src "/etc/squid/acl2-nega-ip"

    src -> says that it is the IP
    "/etc/squid/acl2-nega-ip" -> file with the IPs

    What string would I put in place of src? And could I use a file with the users?

  4. #4
    linuxadm
    Guest


    jricardo, add the following rules to your squid.conf



    acl usuario_bloqueado proxy_auth nome do usuario

    http_access deny usuario_bloqueado


    Here at the company it works this way.

    If it works, post back here.
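
The file-based form of the `proxy_auth` rule discussed in this thread, as an added example that is not from any of the posts: the `src` type is swapped for `proxy_auth` and the quoted file lists login names instead of IP addresses. The `*_usuarios` ACL names and the `*-usuarios` file paths are hypothetical, and authentication is assumed to be already configured and working, as the first post says.

```conf
# Added example. Hypothetical files, one login name per line, written
# exactly as the user types it at the proxy authentication prompt:
#   /etc/squid/libera-usuarios      users exempt from filtering
#   /etc/squid/nega-usuarios        users with no access at all
#   /etc/squid/acl2-nega-usuarios   users subject to the acl2-str list

acl password proxy_auth REQUIRED

# User-based counterparts of the IP-based ACLs in the first post:
#   acl libera src "/etc/squid/libera-ip"   becomes a proxy_auth ACL
acl libera_usuarios proxy_auth "/etc/squid/libera-usuarios"
acl nega_usuarios   proxy_auth "/etc/squid/nega-usuarios"
acl acl2_usuarios   proxy_auth "/etc/squid/acl2-nega-usuarios"
acl acl2-str        url_regex  "/etc/squid/acl2-nega-str"

# 1. Nobody gets past this line without valid credentials, so every
#    rule below can rely on the username being known.
http_access deny !password

# 2. Per-user denies come before any allow: http_access stops at the
#    first matching line. When a proxy_auth ACL is the LAST item on a
#    deny line, Squid answers 407 and the browser asks for a password
#    again; ending the line with "all" returns a plain access-denied
#    page instead. ("all" is assumed to be defined, as in the config
#    from the first post, which already uses it.)
http_access deny nega_usuarios all
http_access deny acl2_usuarios acl2-str

# 3. Exempt users skip the content filters that follow.
http_access allow libera_usuarios

# 4. The url_regex / dstdomain / time rules from the first post stay
#    here unchanged; they do not depend on IP or user.

# After editing squid.conf or any of the list files, reload with:
#   squid -k reconfigure
```

Unlike a `src` list, these rules follow the login rather than the workstation, so a user cannot escape a block by moving to another machine or changing its IP address.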