Proxy Server: Squid
should always be http_access deny all. In the following example,
the localhost has free access to everything while all other hosts are
denied access completely.
http_access allow localhost
http_access deny all
Another example, where the previously defined ACLs are used: The
group teachers always has access to the Internet, while the group
students only gets access Monday to Friday during lunch time.
http_access deny localhost
http_access allow teachers
http_access allow students lunch time
http_access deny all
The list with the http_access entries should only be entered, for the
sake of readability, at the designated position in the /etc/squid.conf
file between the text
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
and the last
http_access deny all
redirect_program /usr/bin/squidGuard
With this option, a redirector, such as SquidGuard, which is able to
block unwanted URLs, can be specified. Internet access can be
individually controlled for various user groups with the help of proxy
authentication and the appropriate ACLs. SquidGuard is a package in and
of itself which can be separately installed and configured.
authenticate_program /usr/sbin/pam_auth
If users must be authenticated on the proxy, a corresponding program,
such as pam_auth, can be specified here. When accessing pam_auth for
the first time, the user will see a login window where the user name
and password must be entered. In addition, an ACL is still required so
only clients with a valid login can surf the Internet:
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
The REQUIRED after proxy_auth can be replaced with a list of permitted
user names or with the path to such a list.
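The two rules above (the list ends with http_access deny all, and authentication needs an ACL of its own) can be checked mechanically. The following is an added example, not part of the original manual; the function name lint_squid_conf and the sample configuration are constructed, and the check relies on Squid evaluating http_access entries in order and stopping at the first match.

```python
# Added example: lints the http_access entries of a squid.conf text.

# Constructed sample, assembled from the directives shown on this page.
SAMPLE = """\
authenticate_program /usr/sbin/pam_auth
acl password proxy_auth REQUIRED
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow password
http_access deny all
"""


def lint_squid_conf(text):
    """Return a list of findings about the http_access entries in text."""
    rules, auth_acls, needs_auth = [], set(), False
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0] == "http_access" and len(words) >= 3:
            rules.append((no, words[1], words[2:]))  # (line, action, ACLs)
        elif words[0] == "acl" and len(words) >= 3 and words[2] == "proxy_auth":
            auth_acls.add(words[1])
        elif words[0] == "authenticate_program":
            needs_auth = True

    findings = []
    if not rules or rules[-1][1:] != ("deny", ["all"]):
        findings.append("last http_access entry is not 'deny all'")
    # Squid stops at the first matching entry, so anything that follows
    # an entry matching "all" is never evaluated.
    for no, action, acls in rules[:-1]:
        if acls == ["all"]:
            findings.append(f"line {no}: entries after '{action} all' are unreachable")
    # authenticate_program alone enforces nothing; an allow entry has to
    # reference an ACL of type proxy_auth.
    if needs_auth and not any(
        action == "allow" and auth_acls & set(acls) for _, action, acls in rules
    ):
        findings.append("authenticate_program set but no allow entry uses a proxy_auth ACL")
    return findings


if __name__ == "__main__":
    print(lint_squid_conf(SAMPLE) or "no findings")
```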
SuSE Linux Firewall on CD2