Re: [squid-users] Order of http_access allow/deny

Wed, 04 Feb 2015 04:14:12 -0800 

On 04/02/15 09:19, andreas.resc...@mahle.com wrote:

Hi there,
Is there a order of http_access allow/deny? If I activate "http_access deny !chkglwebhttp" nobody can use the proxy, squid allways ask for user and password (user and password is correct) 

######
acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
acl auth proxy_auth REQUIRED
acl permitt_ips src 10.143.10.247/32
acl FTP proto FTP
acl PUT method PUT

# whitelisten
http_access allow open-sites all
http_access allow localhost
http_access allow permitt_ips !denied-sites !social-sites
http_access allow indien DAY
http_access deny indien
#http_access deny !chkglwebhttp
http_access allow selling-sites sellingUser
http_access allow social-sites socialUser



    Actually, and i dont know if this a bug or a desired behavior, 
denying a group seems to always (at least to me) brings the 
authentication popup. To avoid that and make things really work as 
expected, i usually add an 'all' to the denying clause. As the 'all' 
rule will match anything, it wont change the denying or not of your 
rule. And it will make things work. Actually this hint was found on the 
mailing list archives.


    So, instead of

http_access deny !chkglwebhttp

    try using

http_access deny !chkglwebhttp all


    if your 'indien' acl, which is also used on a deny rule, is also a 
group rule (that cannot be confirmed on the conf you posted), just add 
the all as well. In summary, always add an 'all' to an http_access rule 
which envolves denying by any king of group checking.






--


        Atenciosamente / Sincerily,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        Minha armadilha de SPAM, NÃO mandem email
        gertru...@solutti.com.br
        My SPAMTRAP, do not email it



_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users






















					Reply via email to