I just tried to add an Internet access group for our terminals, where customers can only see a few websites.
I call them InternetUserTerminal; the lines I added are shown in bold, and the existing configuration of this setup is shown without bold.
But I got into an endless loop: blockedsites is only for bad websites, so standard users don't get much restriction; restricted access only allows browsing the whitelist; and terminal access should be similar to restricted, but with a different "whitelist", the terminal list.
Is there a smarter way to solve this hole? I could solve it this way too, but I'm still young, so if you have 2 minutes to explain the smarter way to me, I would be very grateful!
/etc/squid3/squid.conf configuration file:
# cache manager
cache_mgr [email protected]

# provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=somewherein,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h philipp.somewherein.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

# ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=somewherein,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=System,ou=IT,ou=Verwaltung,ou=Somewherein,dc=somewherein,dc=local))" -h philipp.somewherein.local

# acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

# aclname acltype typename activedirectorygroup
acl RestrictedAccess external memberof "/etc/squid3/restricted_access.txt"
acl StandardAccess external memberof "/etc/squid3/standard_access.txt"
acl FullAccess external memberof "/etc/squid3/full_access.txt"
**acl TerminalAccess external memberof "/etc/squid3/terminal_access.txt"**
acl allowedsites dstdomain "/etc/squid3/allowedsites.txt"
acl blockedsites dstdomain "/etc/squid3/blockedsites.txt"
**acl terminalsites dstdomain "/etc/squid3/terminalsites.txt"**

# squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# enforce authentication, order of rules is important for authorization levels
http_access deny !auth
# prevent access to basic auth prompt for BlockedAccess users
http_access allow RestrictedAccess allowedsites auth
http_access deny RestrictedAccess
http_access allow FullAccess auth
**http_access allow TerminalAccess terminalsites auth**
**http_access deny TerminalAccess**
http_access deny blockedsites
http_access allow StandardAccess auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access allow auth

access_log /var/log/squid3/access.log squid !allowedsites

# squid Debian defaults
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
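Because Squid's `http_access` lines are evaluated top down and the first line whose ACLs all match decides the request, the behaviour of the posted rule set is easiest to reason about by walking a few sample requests through it. The following evaluator is an added example, not the poster's code and not Squid itself: the ACL names, group names and rule order are copied from the posted squid.conf, the contents of the three dstdomain list files are constructed sample data, and the evaluator deliberately ignores Squid's slow/fast ACL distinction and its authentication challenge handling. It also shows the one case the post does not discuss, a user who is a member of more than one access group, where the earlier line wins.

```python
"""Model of Squid's first-match http_access evaluation, applied to the rules
from the posted squid.conf.  Added example (not the poster's code); the
group/ACL names and rule order come from the post, the list-file contents
are constructed sample data, and the evaluation is a deliberate
simplification of Squid (first matching line wins; no slow/fast ACLs)."""
from dataclasses import dataclass

# Constructed stand-ins for the dstdomain list files named in the config.
ALLOWED_SITES = {"intranet.example", "vendor.example"}   # allowedsites.txt
BLOCKED_SITES = {"bad.example"}                          # blockedsites.txt
TERMINAL_SITES = {"kiosk.example"}                       # terminalsites.txt


@dataclass
class Request:
    groups: frozenset          # AD groups the memberof helper reports for the user
    host: str                  # destination domain checked by dstdomain ACLs
    authenticated: bool = True


# ACL name -> predicate over a request, mirroring the acl lines in the config.
ACLS = {
    "auth": lambda r: r.authenticated,
    "RestrictedAccess": lambda r: "RestrictedAccess" in r.groups,
    "StandardAccess": lambda r: "StandardAccess" in r.groups,
    "FullAccess": lambda r: "FullAccess" in r.groups,
    "TerminalAccess": lambda r: "TerminalAccess" in r.groups,
    "allowedsites": lambda r: r.host in ALLOWED_SITES,
    "blockedsites": lambda r: r.host in BLOCKED_SITES,
    "terminalsites": lambda r: r.host in TERMINAL_SITES,
}

# The http_access lines after "allow localhost", in the order the post lists them.
RULES = [
    ("deny",  ["!auth"]),                                     # 0
    ("allow", ["RestrictedAccess", "allowedsites", "auth"]),  # 1
    ("deny",  ["RestrictedAccess"]),                          # 2
    ("allow", ["FullAccess", "auth"]),                        # 3
    ("allow", ["TerminalAccess", "terminalsites", "auth"]),   # 4 (added in post)
    ("deny",  ["TerminalAccess"]),                            # 5 (added in post)
    ("deny",  ["blockedsites"]),                              # 6
    ("allow", ["StandardAccess", "auth"]),                    # 7
    ("allow", ["auth"]),                                      # 8
]


def term_matches(term, req):
    """One ACL reference such as 'auth' or '!auth'; a leading '!' negates it."""
    negated = term.startswith("!")
    result = ACLS[term.lstrip("!")](req)
    return (not result) if negated else result


def evaluate(req):
    """Return (decision, index of the matching rule).

    Every ACL on a line must match for the line to apply; the first applying
    line wins.  If no line applies, Squid uses the opposite of the last
    line's action, reported here with index None."""
    for i, (action, terms) in enumerate(RULES):
        if all(term_matches(t, req) for t in terms):
            return action, i
    return ("deny" if RULES[-1][0] == "allow" else "allow"), None


def explain(req):
    """Human-readable decision with the line that produced it."""
    decision, idx = evaluate(req)
    if idx is None:
        return f"{decision} (implicit default)"
    action, terms = RULES[idx]
    return f"{decision} (rule {idx}: http_access {action} {' '.join(terms)})"


if __name__ == "__main__":
    terminal = frozenset({"TerminalAccess"})
    for host in ("kiosk.example", "intranet.example", "bad.example"):
        print("terminal user ->", host, ":", explain(Request(terminal, host)))
    # Group overlap: a user in TerminalAccess and FullAccess hits rule 3 first,
    # so the terminal whitelist never restricts them.
    both = frozenset({"TerminalAccess", "FullAccess"})
    print("terminal+full user -> bad.example :", explain(Request(both, "bad.example")))
```

Running it shows that a user who is only in the TerminalAccess group is allowed `kiosk.example` by rule 4 and denied everything else by rule 5, which is the intended kiosk behaviour, while a user who is in both TerminalAccess and FullAccess is decided by rule 3 before the terminal rules are ever reached. Whether that overlap exists depends on how the AD groups are populated, so it is worth checking the group membership alongside the rule order.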