Koozali.org: home of the SME Server

denying http proxying from an internal IP address

Doug

denying http proxying from an internal IP address
« on: December 04, 2001, 12:45:26 PM »
Hi,

We are running e-smith 4.1.2 and use squid proxy authorisation and the squidGuard blacklists system.

I need to deny users using a particular workstation access to the internet even if they know the internet password.
Basically, any http requests from that machine should be denied regardless of the user.

In squid.conf I have:

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and then:

acl pwdprotect proxy_auth REQUIRED
http_access allow pwdprotect


What do I add to deny access to the proxy cache from machine 192.168.0.27??????


Thanks for any help.


Also, has anyone stopped ICQ access from within their network?

stephen noble

Re: denying http proxying from an internal IP address
« Reply #1 on: December 04, 2001, 02:30:55 PM »
i don't know sorry but i'd like to know how you set up
squid proxy authorisation
did you use the instructions on made-to-order
they seem a little muddled to me, and i'd like confirmation before i dive in

stephen

Filippo Carletti

Re: denying http proxying from an internal IP address
« Reply #2 on: December 04, 2001, 06:20:14 PM »
acl blockedip src 192.168.0.27
http_access deny blockedip (before allow pwdprotect)
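
The placement note in the reply above matters because Squid checks http_access lines top to bottom and stops at the first one that matches. As an added example (not part of the original post, and not Squid's own code), this simplified Python model evaluates the thread's rules in both orders; the `decide` helper, the `all` ACL definition and the sample requests are constructed for illustration.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Assumption: an unauthenticated request is treated as "proxy_auth does not match";
# real Squid would answer it with a 407 challenge instead.
from ipaddress import ip_address, ip_network

def parse(conf):
    """Collect 'acl' definitions and the ordered 'http_access' rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3:])      # name -> (type, arguments)
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))       # (allow|deny, [acl names])
    return acls, rules

def acl_matches(acls, name, req):
    kind, args = acls[name]
    if kind == "src":                             # client address ACL
        return any(ip_address(req["ip"]) in ip_network(a, strict=False) for a in args)
    if kind == "proxy_auth":                      # REQUIRED = any valid login
        return req["authenticated"]
    raise ValueError(f"ACL type not modelled: {kind}")

def decide(conf, req):
    """Return the action of the first rule whose ACLs all match (ACLs are ANDed)."""
    acls, rules = parse(conf)                     # assumes at least one rule
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed configurations built from the lines quoted in this thread.
ACLS = """acl all src 0.0.0.0/0
acl blockedip src 192.168.0.27
acl pwdprotect proxy_auth REQUIRED
"""
DENY_FIRST = ACLS + """http_access deny blockedip
http_access allow pwdprotect
http_access deny all"""
ALLOW_FIRST = ACLS + """http_access allow pwdprotect
http_access deny blockedip
http_access deny all"""

if __name__ == "__main__":
    blocked_pc = {"ip": "192.168.0.27", "authenticated": True}   # knows the password
    print("deny before allow:", decide(DENY_FIRST, blocked_pc))
    print("deny after allow: ", decide(ALLOW_FIRST, blocked_pc))
```

With the deny line placed after `http_access allow pwdprotect`, a user at 192.168.0.27 who knows the password is still let through, which is the case the original question wanted to prevent.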

Doug

Re: denying http proxying from an internal IP address
« Reply #3 on: December 04, 2001, 07:18:02 PM »
yep, i did use the instructions from made to order.
works fine.


thanks Filippo for the instructions.  I'll try them out tomorrow.

thanks!

stephen noble

proxy auth for sme5
« Reply #4 on: December 06, 2001, 01:11:47 PM »
Doug wrote:
>
> yep, i did use the instructions from made to order.
> works fine.

allowing for the difference in sme5
i thought this would work, can you tell me why it doesn't

1.
#new file /etc/pam.d/squid
auth  required /lib/security/pam_unix.so
account  required /lib/security/pam_unix.so


2.
#squid.conf
add these four lines
#squid..90AddAuth
authenticate_program /usr/lib/squid/pam_auth
authenticate_children 5
acl pwdprotect proxy_auth REQUIRED
http_access allow pwdprotect

remove these two lines from templates marked by #
#http_access allow manager localsrc
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow localsrc
http_access deny all

3.
#run (this expands squid.conf)
/sbin/e-smith/signal-event network-create

regards
stephen

Filippo Carletti

Re: proxy auth for sme5
« Reply #5 on: December 06, 2001, 01:55:53 PM »
You're missing a chmod u+s /usr/lib/squid/pam_auth

stephen noble

Re: proxy auth for sme5
« Reply #6 on: December 06, 2001, 02:28:10 PM »
Filippo Carletti wrote:
>
> You're missing a chmod u+s /usr/lib/squid/pam_auth

thanks but...

(would someone else like to try this, my system may have modifications that are getting in the way)

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

tail -f /var/log/squid/store.log

1007637260.439 RELEASE FFFFFFFF  403        -1        -1        -1 unknown -1/946 GET http://home.org/
1007637424.260 RELEASE FFFFFFFF  403        -1        -1        -1 unknown -1/952 GET http://e-smith.com/


tail -f /var/log/squid/access.log

1007637260.439     59 192.168.35.67 TCP_DENIED/403 1012 GET http://home.org/ - NONE/- -
1007637424.260     26 192.168.35.67 TCP_DENIED/403 1018 GET http://e-smith.com/ - NONE/- -

Doug

Re: proxy auth for sme5
« Reply #7 on: December 07, 2001, 10:20:44 PM »
comment out the deny all

stephen noble

Re: proxy auth for sme5
« Reply #8 on: December 08, 2001, 08:30:07 AM »
thanks doug,

i'm half way there, i can get the auth box up but it doesn't accept my username/password

http://groups.yahoo.com/group/dungog_net/files/rpms/
has a new rpm e-smith-pam_auth which is a few custom fragments and instructions
do i have some volunteers to find my mistake ?

regards
stephen

Patrick Schepers

Re: proxy auth for sme4.12
« Reply #9 on: January 11, 2002, 02:58:24 AM »
Does this rpm also work on SME 4.12

IF NO THEN where can I download a compiled version of PAM_AUTH for SME4.12

ELSE "Thank"

stephen noble

Re: proxy auth for sme4.12
« Reply #10 on: January 11, 2002, 04:32:52 AM »
>Does this rpm also work on SME 4.12
it doesn't work at all !


>IF NO THEN where can I download a compiled version of
>PAM_AUTH for SME4.12

sme5 has it built in so i didn't look, try google, rpmfind ?