You also need to deny access to ftp...

http_access allow ftp techuser
http_access deny ftp
http_access allow webuser
http_access deny all


Or alternatively, which I think works better for you based on the
definitions of your groups:

http_access deny ftp !techuser
http_access allow webuser
http_access deny all

Regards
Henrik Nordström



On Wed 2003-01-22 at 08:52, [EMAIL PROTECTED] wrote:
> Hi all,
> I'm using squid 2.5 STABLE1 on Solaris 8 with NTLM authentication (including
> external group authentication), and all of it works fine.
> 
> But I need to make some restrictions on who can and who can't do FTP (including
> with size), so here is what I did:
> (squid.conf)
> 
> acl ftp proto FTP
> acl auth proxy_auth REQUIRED
> acl techuser external NT_global_group SurfeursWebCH-T (user allowed to use FTP)
> acl webuser external NT_global_group SurfeursWebCH SurfeursWebCH-T (user allowed
> to access internet for browsing)
> http_access allow ftp techuser
> http_access allow auth webuser
> http_access deny all
> 
> These two parameters don't work, but if I remember right it's resolved in the
> current CVS version of squid (due to a need of a second authentication, not too
> big a deal for now)
> reply_body_max_size 0 allow techuser (unlimited get for techuser)
> reply_body_max_size 2000000 allow all (limited get for all user)
> 
> But a user can do an FTP; here is what I get in my log file:
>  1043166154.341 111241 10.137.170.31 TCP_MISS/200 11676396 GET
> ftp://sunsite.cnlab-switch.ch/mirror/opera/win/605/ja/java/ow32jaja605j.exe
> d-ch-bi1\bi247 DIRECT/195.176.255.9 application/octet-stream ...
> 
> 
> and this user is not a member of the techuser group.
> 
> Can you help ?
> 
> Regards,
> 
> Arno
> 
> 
> 
> 
-- 
Henrik Nordstrom <[EMAIL PROTECTED]>
MARA Systems AB, Sweden
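
The rule-ordering point in the reply above, as an added example that is not part of the original thread: a simplified Python model of first-match `http_access` evaluation, run against the original rules and both suggested rule sets. The sample requests, the user names, and the assumption that the non-techuser belongs to SurfeursWebCH are constructed.

```python
# Added example: simplified model of Squid http_access evaluation.
# Real Squid also issues authentication challenges; that is not modelled here.
GROUP_ACLS = {  # taken from the acl lines in the quoted squid.conf
    "techuser": {"SurfeursWebCH-T"},
    "webuser": {"SurfeursWebCH", "SurfeursWebCH-T"},
}

def acl_matches(name, req):
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name == "all":
        hit = True
    elif name == "ftp":
        hit = req["proto"] == "FTP"
    elif name == "auth":
        hit = req["user"] is not None
    else:
        hit = bool(GROUP_ACLS[name] & req["groups"])
    return hit != negate

def evaluate(rules, req):
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    action = "allow"  # so that an empty rule list falls through to deny
    for line in rules.strip().splitlines():
        _, action, *acls = line.split()
        # A line matches only if every ACL on it matches (logical AND).
        if all(acl_matches(a, req) for a in acls):
            return action  # the first matching line decides
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

ORIGINAL = """http_access allow ftp techuser
http_access allow auth webuser
http_access deny all"""
FIX_A = """http_access allow ftp techuser
http_access deny ftp
http_access allow webuser
http_access deny all"""
FIX_B = """http_access deny ftp !techuser
http_access allow webuser
http_access deny all"""

# Constructed sample requests (users and group membership are assumptions).
WEB_FTP = {"proto": "FTP", "user": "web1", "groups": {"SurfeursWebCH"}}
TECH_FTP = {"proto": "FTP", "user": "tech1", "groups": {"SurfeursWebCH-T"}}
WEB_HTTP = {"proto": "HTTP", "user": "web1", "groups": {"SurfeursWebCH"}}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fix A", FIX_A), ("fix B", FIX_B)):
        print(label, [evaluate(rules, r) for r in (WEB_FTP, TECH_FTP, WEB_HTTP)])
```

In the original rules the FTP request from a non-techuser skips the first line and is allowed by the `webuser` line, which is why an explicit FTP deny has to come before it.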
