Koozali.org: home of the SME Server

Authenticate "allow/deny" Proxy Access

shanen

Authenticate "allow/deny" Proxy Access
« on: February 26, 2004, 07:34:20 AM »
Hi all,
I have a new SME 6 final server with Sarg, Squidguard and Damien Curtain's "proxy-auth" contrib.
I was happy to see that the sarg logs were using the authenticated name of the user to categorise squid traffic. Squidguard only tracks the IP of the user. (I know about ident)
What I would like to achieve is to be able to give some people internet access and not others based on the proxy-auth mod from Damien.
Maybe even a button in server manager on the user page to allow/deny web access.
I have looked at other alternatives and don't want to use static IPs.
My question is: Can I deny proxy access based on the authentication methods used in Damien's proxy-auth contrib (pam_auth)? It looks like it just reads a list of names in a file.
I realise this is a dual authenticating process.
1. SME user?
2. Allowed internet access?

Any ideas or suggestions?

Thanks

Shane

shanen

Authenticate "allow/deny" Proxy Access
« Reply #1 on: February 28, 2004, 06:20:11 AM »
I've had a bit of a look around.
The following file /etc/e-smith/templates/etc/pam.d/squid/10authSQUIDusers
calls the following file /etc/e-smith/pam/accounts.deny

I created a file squid.deny and added the users that can't have internet access. (will look at other options)
Just need to get my head around modifying the server manager panel.


Shane

mbachmann

Authenticate "allow/deny" Proxy Access
« Reply #2 on: March 01, 2004, 01:23:26 PM »
Good. Go Shanen, go. There is a contrib from "SleepySME" to restrict access via static IP - http://vanhees.homeip.net/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=136&ttitle=e-smith-squid-restrict-ip-0.1-1.noarch.rpm - (which you won't use, as I've understood).

ajkeane

Proxy Auth
« Reply #3 on: March 03, 2004, 10:22:38 AM »
I use the following two RPMs that allow me to set up users' web access. This asks everyone to enter a user name and password to get web access.

sme-squid-1.0-2.i386.rpm
sme-upgppp-1.0-1.noarch.rpm

If you are interested in trying these let me know and I will get them to you.
...

shanen

Authenticate "allow/deny" Proxy Access
« Reply #4 on: March 03, 2004, 11:28:27 AM »
Thanks for your suggestions guys...
I have resorted to using a file that I edit manually to deny users proxy access.
Sorry I can't produce a clean solution as I can only hack bits to work as I need.

Sorry :(

mbachmann

Authenticate "allow/deny" Proxy Access
« Reply #5 on: March 04, 2004, 02:06:42 PM »
And how do you achieve it? Which file is it?

shanen

Authenticate "allow/deny" Proxy Access
« Reply #6 on: March 06, 2004, 06:54:17 AM »
I copied the /etc/e-smith/pam/accounts.deny file to the same dir and called it squid.deny
Then edit /etc/e-smith/templates/etc/pam.d/squid/10authSQUIDusers
and change the part that states accounts.deny to squid.deny
Then I edit the file and add the users I don't want to have internet access.
pico /etc/e-smith/pam/squid.deny

I know it's not ideal, but it works...
I have since had an opportunity to look at the dansguardian contrib from dungog.net...
It is very slick and IMO is worth the money.
I have a client requiring locked down internet access and this looks like the solution.

Hope this helps

Shane
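
The steps in Reply #6, as an added example that is not part of the original post or of the proxy-auth contrib: shell functions that rehearse the copy, the fragment edit and the user additions inside a sandbox directory. The `pam_listfile` line written by `make_sandbox` is a constructed assumption about what the fragment contains (the thread does not show it), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. It works on a sandbox directory ($1 = root prefix) so the
# edit can be rehearsed offline before touching a live server.
PAM_DIR=etc/e-smith/pam
TEMPLATE=etc/e-smith/templates/etc/pam.d/squid/10authSQUIDusers

# Build constructed sample files. The pam_listfile line is an assumption about
# what the proxy-auth fragment contains; the thread does not show it.
make_sandbox() {
    mkdir -p "$1/$PAM_DIR" "$1/${TEMPLATE%/*}"
    printf 'root\nshutdown\n' > "$1/$PAM_DIR/accounts.deny"
    printf 'auth required pam_listfile.so item=user sense=deny file=/%s/accounts.deny onerr=succeed\n' \
        "$PAM_DIR" > "$1/$TEMPLATE"
}

# Copy accounts.deny to squid.deny and point the fragment at the copy.
setup_squid_deny() {
    deny="$1/$PAM_DIR/squid.deny"
    [ -f "$deny" ] || cp -p "$1/$PAM_DIR/accounts.deny" "$deny"
    chmod 644 "$deny"        # writable by the owner only
    tmp=$(mktemp) || return 1
    sed 's|/accounts\.deny|/squid.deny|' "$1/$TEMPLATE" > "$tmp" &&
        cat "$tmp" > "$1/$TEMPLATE"     # cat keeps the fragment's owner and mode
    rc=$?; rm -f "$tmp"; return $rc
}

# Add one user per line, refusing odd names and skipping duplicates.
deny_user() {
    case $2 in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    grep -qxF -- "$2" "$1/$PAM_DIR/squid.deny" || printf '%s\n' "$2" >> "$1/$PAM_DIR/squid.deny"
}

# Exact whole-line match, so "ali" does not match an entry for "alice".
is_denied() { grep -qxF -- "$2" "$1/$PAM_DIR/squid.deny"; }

# With onerr=succeed a missing or unreadable list lets every user through.
fails_open() { grep -q 'onerr=succeed' "$1/$TEMPLATE"; }
```

On a live SME Server an edited template fragment normally takes effect only once the template is expanded again, a step the thread does not mention.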

shanen

Authenticate "allow/deny" Proxy Access
« Reply #7 on: March 06, 2004, 10:45:34 AM »
BTW
This will only work if you have Damien Curtain's "proxy-auth" contrib.