Netgate Discussion Forum

    Squid with Local Auth and squidGuard Group ACL issue

      pwnell

      I have Squid 3 and squidGuard 1.5 on the latest pfSense.  Squid is in Local authentication mode.  I have three LANs (subnets).  One WAN.  Squid listens on all three subnets.  I have some local user accounts defined in Squid.

      In squidGuard I have some group ACLs.  Basically the first ACL is blocking some content for user "user1".  The second ACL (below it in order) is a catch-all for the subnet that user is on, based on IP "192.168.0.0/24", and has fewer restrictions.

      My issue is that user user1 authenticates to the proxy, but the ACL for that user is taken from the second ACL based on the IP address.  It is not giving preference to the user-name-based ACL that precedes it.  Is this a known issue or am I missing something?  I want to be able to restrict certain sites for a specific user by name, but specify a general list of sites to be blocked for all other people on that subnet.  Am I doing it wrong?

      UPDATE: On further inspection, when I create a new squidGuard Group ACL named User1 and with Client (source) user1, pfSense writes out a squidGuard.conf file as follows:

      
      ...
      src User1 {
      	log block.log
      }
      ...
      
      

      In my mind that is wrong.  When I manually amend squidGuard.conf like so:

      
      ...
      src User1 {
      	user user1
      	log block.log
      }
      ...
      
      

      and restart squidGuard, it correctly blocks the user.  This looks like a bug?

      • Moderator please move to Cache/proxy - I only now see there is a new category.
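A way to check a generated squidGuard.conf for the condition described in the post above, a `src` block written out with no line identifying its clients. This is an added example, not part of the original post and not pfSense or squidGuard code; the directive list is a partial one chosen for illustration, and the `Lan1` and `User1Fixed` names in the sample are hypothetical.

```python
import re

# Directives that tell squidGuard which clients a src block applies to.
# Partial list (assumption): extend it with any others your config uses.
MATCH_DIRECTIVES = {"ip", "iplist", "domain", "user", "userlist"}

# "src <name> ... { <body> }" with a flat body (no nested braces).
SRC_BLOCK = re.compile(r"^\s*src\s+(\S+)[^{}]*\{([^{}]*)\}", re.M)


def strip_comments(text):
    """Drop '#' comments so a commented-out directive is not counted."""
    return re.sub(r"#.*", "", text)


def sources_without_match(conf_text):
    """Return names of src blocks that contain no client-matching directive."""
    flagged = []
    for name, body in SRC_BLOCK.findall(strip_comments(conf_text)):
        keywords = {ln.split()[0] for ln in body.splitlines() if ln.strip()}
        if not keywords & MATCH_DIRECTIVES:
            flagged.append(name)
    return flagged


# Constructed sample: User1 as the post says pfSense wrote it, a hypothetical
# subnet source (Lan1), and the hand-corrected form (User1Fixed).
SAMPLE_CONF = """
src User1 {
	log block.log
}
src Lan1 {
	ip 192.168.0.0/24
	log block.log
}
src User1Fixed {
	# user disabled
	user user1
	log block.log
}
"""

if __name__ == "__main__":
    for name in sources_without_match(SAMPLE_CONF):
        print(f"src {name}: no client-matching directive")
```

Running it against the real file after each GUI save shows whether a user-based group ACL lost its `user` line before the proxy is relied on to enforce it.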