Assume that you have the following three groups:
maximum_access = Adam, Jude, Sonia
partial_access = Jake, Bill, Tony
minimum_access = Katrina, Jessica
You need to give full access to the "maximum_access" group, restrict access to porn sites for the "partial_access" group, and allow access only to whitelisted domains for the "minimum_access" group.
First of all you need to define the database in which the users are stored. In c-icap this is done using lookup tables. Currently c-icap can use Berkeley DB, text file and LDAP lookup tables. Please read the c-icap man page and the c-icap.conf file for information about using and defining lookup tables.
In this wiki page we are assuming that the users/groups are stored in a file. If you have many users in each group, it may be better to use the GroupSourceByUser configuration parameter with a lookup table that is searched using the username as key.
To build the lookup table where the users/groups are stored, create the following file (e.g. /var/DBS/c-icap-users-groups.txt):
Adam: maximum_access
Jude: maximum_access
Sonia: maximum_access
Jake: partial_access
Bill: partial_access
Tony: partial_access
Katrina: minimum_access
Jessica: minimum_access
To tell c-icap to use the above file for retrieving user groups, add the following line to your configuration file:
GroupSourceByUser hash:/var/DBS/c-icap-users-groups.txt
Use the following configuration lines in your c-icap.conf file to use the usernames provided by squid:
RemoteProxyUsers on
RemoteProxyUserHeaderEncoded off
Also add the following lines to your squid.conf file:
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode off
Define the databases where the URLs are stored. In this example we will use some squidGuard databases and some flat text file databases. Some databases contain URLs (the "urls" database) and others contain domains (MyDrugs, MyPorn, Whitelist).
To define a url/domain database for url_check, use the url_check.LookupTableDB configuration parameter:
url_check.LookupTableDB urls url hash:/var/DBS/urls.txt
url_check.LookupTableDB adultexp url regex:/var/DBS/adult-regex.txt
url_check.LookupTableDB MyDrugs domain hash:/var/DBS/drugs-domains
url_check.LookupTableDB MyPorn domain hash:/var/DBS/porn-domains
url_check.LookupTableDB Whitelist domain hash:/var/DBS/whitelist.txt
#Some squidGuard databases:
url_check.LoadSquidGuardDB adult /var/BBS/blacklists-toulouse/adult/
url_check.LoadSquidGuardDB porn /var/BBS/blacklists-toulouse/porn/
url_check.LoadSquidGuardDB warez /var/BBS/blacklists-toulouse/warez/
url_check.LoadSquidGuardDB drugs /var/BBS/blacklists-toulouse/drugs/
Define the url_check profiles you need. The PartialAccess profile will allow partial access, the MinimumAccess profile will allow access only to sites stored in the Whitelist lookup table, and the MaximumAccess profile will allow full access. The profile "default" must always be defined: it gives the default url_check action for the case where none of the defined profiles matches the c-icap request. In this example the default denies access to anyone who is not a member of the minimum_access, partial_access or maximum_access groups. The configuration lines we should use are:
url_check.Profile PartialAccess block adultexp
url_check.Profile PartialAccess block porn
url_check.Profile PartialAccess block drugs
url_check.Profile PartialAccess block warez
url_check.Profile PartialAccess block MyDrugs
url_check.Profile PartialAccess block MyPorn
url_check.Profile MinimumAccess pass Whitelist
url_check.Profile MinimumAccess block ALL
url_check.Profile MaximumAccess pass ALL
#Also defining a "default" profile is required:
url_check.Profile default block ALL
Select which profiles are used for which users. We use acls and the url_check.ProfileAccess configuration parameter to define which acls select the correct profile for each group.
acl MINACCS group minimum_access
acl MAXACCS group maximum_access
acl PARTACCS group partial_access
url_check.ProfileAccess MaximumAccess MAXACCS
url_check.ProfileAccess MinimumAccess MINACCS
url_check.ProfileAccess PartialAccess PARTACCS
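The whole procedure above ties together four kinds of names (lookup tables, profiles, acls and group names in the users file), and a mismatch in any of them silently changes who gets which access. The following Python lint is an added example, not part of c-icap or this wiki: it cross-references the url_check.Profile, LookupTableDB/LoadSquidGuardDB, acl and ProfileAccess lines with the users file and reports undefined tables, a missing "default" profile, undefined acls and acl groups that have no users. The parsing is a simplified model of the directives shown above and assumes c-icap compares these names case-sensitively.

```python
import re
# Constructed excerpt of the wiki's c-icap.conf (lookup tables trimmed).
CONF = """
url_check.LookupTableDB MyPorn domain hash:/var/DBS/porn-domains
url_check.LookupTableDB Whitelist domain hash:/var/DBS/whitelist.txt
url_check.LoadSquidGuardDB porn /var/BBS/blacklists-toulouse/porn/
url_check.Profile PartialAccess block porn
url_check.Profile PartialAccess block MyPorn
url_check.Profile MinimumAccess pass Whitelist
url_check.Profile MinimumAccess block ALL
url_check.Profile MaximumAccess pass ALL
url_check.Profile default block ALL
acl MINACCS group minimum_access
acl MAXACCS group maximum_access
acl PARTACCS group partial_access
url_check.ProfileAccess MaximumAccess MAXACCS
url_check.ProfileAccess MinimumAccess MINACCS
url_check.ProfileAccess PartialAccess PARTACCS
"""
# Constructed copy of the wiki's /var/DBS/c-icap-users-groups.txt (one user per group).
USERS = "Adam: maximum_access\nJake: partial_access\nKatrina: minimum_access\n"

def lint_url_check(conf: str, users: str) -> list[str]:
    """Return consistency problems in a url_check setup (empty list = clean).
    Simplified model of the directives above; assumes names are case-sensitive."""
    tables, profiles, acls, access, issues = set(), {}, {}, [], []
    for f in (l.split("#", 1)[0].split() for l in conf.splitlines()):
        if f and f[0] in ("url_check.LookupTableDB", "url_check.LoadSquidGuardDB"):
            tables.add(f[1])
        elif f and f[0] == "url_check.Profile":        # Profile NAME pass|block TABLE
            profiles.setdefault(f[1], []).append(f[3])
        elif len(f) > 3 and f[0] == "acl" and f[2] == "group":  # acl NAME group GROUP
            acls[f[1]] = f[3]
        elif f and f[0] == "url_check.ProfileAccess":  # ProfileAccess PROFILE ACL...
            access.append((f[1], f[2:]))
    groups = set(re.findall(r"^\S+:\s*(\S+)", users, re.M))  # "user: group" lines
    for name, refs in profiles.items():
        issues += [f"profile {name} uses undefined table {t!r}"
                   for t in refs if t != "ALL" and t not in tables]
    if "default" not in profiles:
        issues.append("no 'default' profile defined (required by url_check)")
    for prof, acl_names in access:
        if prof not in profiles:
            issues.append(f"ProfileAccess selects undefined profile {prof!r}")
        for a in acl_names:
            if a not in acls:
                issues.append(f"ProfileAccess uses undefined acl {a!r}")
            elif acls[a] not in groups:
                issues.append(f"acl {a}: group {acls[a]!r} has no users in lookup file")
    return issues
```

Run it against a real c-icap.conf and users file before reloading c-icap; an empty list means every referenced name resolves.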