“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 609 — #635
In another example using these rules, the group teachers always
has access to the Internet. The group students only gets access
Monday to Friday during lunch time.
http_access deny localhost
http_access allow teachers
http_access allow students lunch time
http_access deny all
The list with the http_access entries should only be entered, for the
sake of readability, at the designated position in the
/etc/squid/squid.conf file. That is, between the text
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
# CLIENTS
and the last
http_access deny all
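The rule order described above can be checked offline. The following is an added example, not part of the original manual or of Squid: a small Python evaluator that applies http_access lines the way Squid does (first matching line decides, all ACLs on one line must match). The acl definitions, the addresses, and the ACL name lunch are assumptions made for the sample.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample: the acl definitions, addresses and the ACL name "lunch"
# are assumptions; only the http_access order follows the text above.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl teachers src 192.168.1.0/24
acl students src 192.168.7.0/24
acl lunch time MTWHF 12:00-15:00
http_access deny localhost
http_access allow teachers
http_access allow students lunch
http_access deny all
"""
DAYS = "MTWHFAS"  # Squid day letters indexed by datetime.weekday() (Monday=0)

def parse(conf):
    """Split a configuration into ACL definitions and ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        fields = line.split("#")[0].split()
        if fields[:1] == ["acl"]:
            acls[fields[1]] = (fields[2], fields[3:])
        elif fields[:1] == ["http_access"]:
            rules.append((fields[1], fields[2:]))
    return acls, rules

def acl_matches(acls, name, src, when):
    """Evaluate one ACL (src or time only); an undefined name raises KeyError."""
    kind, args = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(net) for net in args)
    if kind == "time":
        days, span = args
        start, end = (time.fromisoformat(t) for t in span.split("-"))
        return DAYS[when.weekday()] in days and start <= when.time() <= end
    raise ValueError(f"ACL type not handled in this sketch: {kind}")

def decide(conf, src, when):
    """Return the action of the first rule whose ACLs all match (AND per line)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, src, when) for n in names):
            return action
    return "deny"  # sketch fails closed; not reached when the list ends in "deny all"

if __name__ == "__main__":
    # Student address on a Wednesday during the lunch window.
    print(decide(SAMPLE_CONF, "192.168.7.5", datetime(2004, 6, 23, 12, 30)))
```

Moving http_access deny all above the allow lines in the sample makes every request return deny, which is why the catch-all entry belongs last.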
redirect_program /usr/bin/squidGuard
With this option, specify a redirector such as squidGuard, which
allows blocking unwanted URLs. Internet access can be individually
controlled for various user groups with the help of proxy
authentication and the appropriate ACLs. squidGuard is a separate
package that can be installed and configured.
auth_param basic program /usr/sbin/pam_auth
If users must be authenticated on the proxy, set a corresponding
program, such as pam_auth. When accessing pam_auth for the first
time, the user sees a login window in which to enter the user name
and password. In addition, an ACL is still required, so only clients
with a valid login can use the Internet:
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
The REQUIRED after proxy_auth can be replaced with a list of
permitted user names or with the path to such a list.
ident_lookup_access allow <acl_name>
With this, have an ident request run for all ACL-defined clients to
find each user’s identity. If you apply all to the <acl_name>, this is
valid for all clients. Also, an ident daemon must be running on all
609
SUSE LINUX Enterprise Server










