EnServe Guides
How To...
By default the system will let everyone on the network access the Web. There may be times when you want to restrict this access. Here are some samples to give you some ideas.
First some technical stuff - restriction is handled by ACLs (Access Control Lists). At first glance you may think they are too complicated - they're not - read on.
ACLs 'define' a group of users, a specific PC, a set of times etc. Once the ACL is defined you can then tell the system what to do with it.
Let's look at some examples:
acl Reception src 192.168.10.100
The acl is called 'Reception', it's of type 'src' (Source Address) and the IP address of the PC is '192.168.10.100'.
Now we want to deny it access, with:
http_access deny Reception
This just says do not allow (deny) 'Reception' under the http_access rule - that is, it is blocked from Web Access.
So this would appear as:
acl Reception src 192.168.10.100
http_access deny Reception

acl Office src 192.168.10.101
Now we need to tell the system what the 'Working Day' is, so we define another acl.
acl Working_Day time D 08:00-18:00
This has given it a name 'Working_Day', it is related to 'time', the 'D' indicates Monday-Friday (see the config file for a full list of day abbreviations) and office hours are between 8am and 6pm.
The 'time' acl cannot handle times spanning midnight - there are ways round it as we will see later, but you could also phrase the question as 'Do not allow the office PC to access outwith the working day' - that's what we will do.
The line is:
http_access deny !Working_Day Office
The ! in front of Working_Day reverses it - times outwith those specified.
So our full acl's are:
acl Office src 192.168.10.101
acl Working_Day time D 08:00-18:00
http_access deny !Working_Day Office

acl Flat src 192.168.10.103
acl Working_Day time D 08:00-18:00
http_access deny Working_Day Flat
It does not matter if there is one PC or 20, just add them to the 'src' acl, e.g.
acl Reception src 192.168.10.100 192.168.10.55
http_access deny Reception
This will block both PCs at reception.
We have our Reception PC's defined with
acl Reception src 192.168.10.100 192.168.10.55
We now need to tell the system about the Practice manager, with
acl Practice_Manager proxy_auth tom
This gives the ACL a meaningful name and uses the acl type 'proxy_auth' (we need some way of knowing if the user is the Practice Manager or not), and finally says who the Practice Manager is ('tom').
Then we add the acl telling the system to let 'tom' access, so you add:
http_access allow Practice_Manager
BUT all of a sudden every screen in the building is asking for authorisation - what you need to do is combine both as per:
acl Reception src 192.168.10.100 192.168.10.55
acl Practice_Manager proxy_auth tom
http_access allow Reception Practice_Manager
This now only applies to the reception PCs and only the Practice Manager (tom in this example) can use the web on them. (If you want the senior partner to do reception work AND access the net - just add his/her name as well.)
Note: The authentication is only valid by default for 1 hour; if the Practice Manager leaves the web browser up for longer they will have to re-authenticate.
Use the Admin menu:
Look for the section:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Make sure blocks etc. appear BEFORE everything
acl Allowed_Hosts src 192.168.10.0/24
#(1)
# Want to block a specific PC so only has access out of hours
acl Rachel src 192.168.10.99
acl Working_Hours time 09:00-20:00
http_access deny !Working_Hours Rachel
#(2)
# Let local Addresses access to http
http_access allow Allowed_Hosts
# And finally deny all other access to this proxy
http_access deny all
You should insert your rules BETWEEN (1) 'acl xxx your_ip_address range' and (2) 'http_access allow xxx'.
In the above example the rules in bold are my restrictions.
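
Why the position between (1) and (2) matters, shown as an added example (not part of the original guide, and not Squid's own code): http_access lines are checked top to bottom, every ACL named on a line must match, and the first matching line decides. This small Python model handles only 'src' and 'time' ACLs without a day letter; the rule lists CORRECT and MISPLACED and the function names are made up for the illustration, while the ACL names and values are the guide's.

```python
import ipaddress
from datetime import time

# ACL definitions copied from the guide's example; 'all' matches any address.
ACLS = {
    "Allowed_Hosts": ("src", "192.168.10.0/24"),
    "Rachel": ("src", "192.168.10.99"),
    "Working_Hours": ("time", "09:00-20:00"),
    "all": ("src", "0.0.0.0/0"),
}

def acl_matches(name, client_ip, now):
    """True if the named ACL matches this client address / time of day."""
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    start, end = (time.fromisoformat(t) for t in value.split("-"))
    return start <= now <= end

def decide(rules, client_ip, now):
    """Return 'allow' or 'deny' from the first http_access line that matches."""
    action = "allow"
    for rule in rules:
        action, *names = rule.split()[1:]
        # A leading '!' negates the ACL; all ACLs on the line are ANDed.
        if all(acl_matches(n.lstrip("!"), client_ip, now) != n.startswith("!")
               for n in names):
            return action
    # No line matched: the default is the opposite of the last line.
    return "deny" if action == "allow" else "allow"

# Restriction placed before the general allow, as the guide instructs.
CORRECT = [
    "http_access deny !Working_Hours Rachel",
    "http_access allow Allowed_Hosts",
    "http_access deny all",
]
# Same lines, but the restriction comes after the general allow.
MISPLACED = [CORRECT[1], CORRECT[0], CORRECT[2]]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT), ("misplaced", MISPLACED)):
        print(label, "22:00 ->", decide(rules, "192.168.10.99", time(22, 0)))
```

With the restriction first, Rachel's PC is denied at 22:00; with it after 'http_access allow Allowed_Hosts', the general allow matches first and the restriction is never reached.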