Apply proxy rules to only one usergroup - squid

I am attempting to apply an ACL ruleset to members of a specific usergroup on a Linux box running Squid that I administer.
I have created the ruleset without much difficulty, but I am having difficulty configuring an authentication scheme that will only apply those rules to a specific subset of users on the system, while leaving the remainder of traffic untouched.
It seems that the auth_param setting is what I am looking for, but I haven't had much luck parsing the documentation.
Ideally, I would like an auth_param setting that sends the username to a shell script, which would check for that user's existence in the relevant group, and then return some value to determine whether or not to apply the rules to them.
The documentation seems to suggest that such a mechanism would be possible, but I haven't been able to find any relevant examples.

Related

Syslog-NG: Possible to disable "keep_hostname" but enable for a specific filter?

Was wondering if this was possible at all. I am currently facing a situation where I have a legacy NG system with a number of sources integrated. We are working to slowly transition off of this particular instance, but to do this I need to make sure that the messages that are emitted retain their source host.
Unfortunately, when this legacy environment was crafted, the keep_hostname option was set to false, which meant that the engineers focused on source log specific HOST extraction.
As I am working to tee the data off to the new system, I need the data to retain its source hostname. Ideally one would just flip keep_hostname to yes, but there is too much risk right now as it could impact how data is being parsed throughout the system.
My ask is, while keep_hostname is globally disabled, is there a way that I can enable it within a filter or destination?
Doing this with a globally disabled keep-hostname() option is not really possible as the original host information is lost.
When keep-hostname(no) is used, a feature called "store-raw-message" can be enabled which stores the entire incoming message in the $RAWMSG macro. The raw message definitely contains the original hostname, but then it is up to you to extract the host from the whole message.
My ask is, while keep_hostname is globally disabled, is there a way that I can enable it within a filter or destination?
You can achieve something similar the other way around:
Setting keep-hostname() to yes keeps the original host name intact, but you will have 2 different macros:
$HOST contains the original hostname
$HOST_FROM contains the "source's" hostname
Applying a rewrite rule which overrides $HOST with $HOST_FROM can be added to paths where you want to retain the old behavior.

The use of asterisk in FQDN

Hi I am trying to find the duplicate objects of a Fortigate and I am seeng that we have some fqdns defined for example as *.google.com and other defined as api.google.com. Does the register with asterisk take into account the other fqdn?
Thanks for your attention
Finally, I solved the doubt. The one without asterisk is more restrictive so they are not the same, it wouldnt make sense to remove that object. Nevertheless, Normally when you want to enable a FQDN you would want to allow all the extensions of that fqdns; for example, if you want to allow .maps.google.com and other services of google it would be better to allow *.google.com. Despite of this, a lot of people want to have a more granularized network filtering.

In Firebase, how can I determine whether a user has write access to a node?

...without actually saving data to that node?
For example, I have a chat app. I'd like to check whether a user has write access to a node before showing the "Send message" button.
Define another node with the exact same set of security rules, that exists for no reason other than to perform these checks, and attempt a write there first to see if it finishes without error.
The most common approach is to replicate a similar, simplified version of the rules in your application code. You'd typically only replicate the benign checks, and leave extra validations against malicious users solely on the server.
Although I must admit Doug's version also sounds interesting. :-)

Whitelisting Problems?

I have a huge issue that has to do with whitelisting. I have been doing C++ for about 6 months now and I can't seem to figure out how to pinpoint my targets to limit who can open and use my application with a whitelist.
For example, if the user is not on the whitelist the program would tell them by the way it loads. I would like to see this done with ID's if specific ID matches with the whitelist then that person can use my program.
I have tried doing target drawbacks such as getting IP's, but doing this is so vulnerable if the IP is changed. Also, multiple programs could be opened up on different IDs on that IP, which I don't want.
Sorry if this is very confusing I have just been STRUGGLING with this whitelist I have less hair than I did before I started making the whitelist.
Thanks if you can help, tried to explain the best I could! :)
The general strategy is pretty simple.
First, specify what criteria a user should meet to be on the whitelist.
Second, specify how data about users on the whitelist will be stored.
Third, when the program starts, gather information about the user - when the program starts - that can be compared against the criteria on the whitelist.
Fourth, when comparing data about the user with stored whitelist data, start by assuming the user is NOT on the whitelist and only permit access if a match is found. If there are multiple criteria, you need to decide how to combine them to find a match (e.g. restrict a user to a specific IP, allow a user only if using an IP in a range - which will prevent a user starting the program from home, etc etc)
Fifth, take steps to ensure your program can access the stored whitelist data, but users cannot modify it.
There are many ways to target specific users. First, I need some extract information.. How can you identify a single user ? Your program should be a connection toward any server ? In that case, your user should provide an id and a password or it's a anonymous connection ?

Determining the set of message destinations at runtime in BizTalk application

I’m a complete newbie at BizTalk and I need to create a BizTalk 2006 application which broadcasts messages in a specific way. I’m not asking for a complete solution, but for advise and guidelines, which capabilities of BizTalk I should use.
There’s a message source, for simplicity, say, a directory where the user adds files to publish them. There are several subscribers, each having a directory to receive published files. The number of subscribers can vary in the course of exploitation of the program. There are also some rules which determine if a particular subscriber needs to receive a particular file, based on the filename. For example, each subscriber has a pattern or mask of filename which files they receives must match. Those rules (for example, patterns) can change in time as well.
I don’t know how to do this. Create a set of send ports at runtime, each for each destination? Is it possible? Use one port changing its binding? Would it work correctly with concurrent sendings? Are there other ways?
EDIT
I realized my question may be to obscure and general to prefer one answer over another to accept. So I just upvoted them.
You could look at using dynamic send ports to achieve this - if your subscribers are truly dynamic. This introduces a bit of complexity since you'll need to use an orchestration to configure the send port's properties based on your rules.
If you can, try and remove the complexity. If you know that you don't need to be truly dynamic when adding subscribers (i.e. a subscriber and it's rules can be configured one time only) and you have a manageable number of subscribers then I would suggest configuring each subscriber using it's own send port and use a filter to create subscriptions based on message context properties. The beauty of this approach is that you don't need to create and deploy an orchestration and this becomes a highly performant and scalable solution.
If the changes to the destination are going to be frequent, you are right in seeking a more dynamic solution. One nice solution is using dynamic send ports and the Business Rules Engine. You create rule set for the messages you are receving. This could be based on a destination property or customer ID in the message. Using these facts, the rules engine can return a bunch of information like file mask, server name, ip address of deleiver server, etc. You can thenuse this information to configure the dynamic send in the orchestration. The real nice thing here is that you can update the rule set in the rules engine without redeploying the whole solution. As a newb, these are some advanced concepts, but not as diificult as you may think.
For a simpler solution, you might want to look at setting the FILE Send adapters properties via it's Propery Schema (ie. File name, Directory, etc.). You could pull these values from a database with a helper class inside an expresison shape. On each message ogig out, use the property shcema to set where the message will be sent and named. This way, you just update the database as things change.
Good Luck!

Resources