On Mon, 7 Feb 2005, Oliver Hookins wrote:
On my 2.5STABLE3 box I didn't explicitly have a http_access rule referring to the proxy_auth. I had one referring to the squid_ldap_group helper ACL though, and that seemed to work.
Correct.
Anyway, here's the list of acls and http_access lines so maybe you can see what I'm doing wrong on the 2.5STABLE7:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow allowedsites
http_access allow localhost
http_access allow SURFING
#
http_access allow AuthGroup
#

See "Squid FAQ 10.1 Access Controls - Introduction" for an in-depth description of how http_access works.
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
I've never quite understood it... hence my problem. Let me run this by you though. If the request is for one of the allowedsites or from the list of IP addresses in SURFING, the AuthGroup will never even be touched so NTLM authentication is not activated?
So I should put http_access allow AuthGroup at the very top so that NTLM authentication is forced on all requests. Then if the request is neither from a user in the authorised LDAP group, nor from an IP address in SURFING, nor to an allowedsite (or from localhost) it will be denied?
When does Squid decide if it needs to activate the proxy_auth password required thing? During parsing of the configuration file or when a request is made?
Regards, Oliver
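
An added illustration, not part of the original thread and not Squid's own code: a simplified Python model of how http_access lines are checked in order per request, with the first matching line deciding the result and the authentication challenge issued only when an ACL that needs a username is actually reached. The ACL contents (site, IP address, group member), the `Request` type and the function names are constructed assumptions, since the thread does not show the acl definitions.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
from dataclasses import dataclass
from typing import Optional

# Constructed ACL contents; the thread does not show the real acl definitions.
ALLOWED_SITES = {"updates.example.com"}
SURFING_IPS = {"192.0.2.10"}
GROUP_MEMBERS = {"alice"}            # stand-in for the squid_ldap_group lookup

@dataclass
class Request:
    src: str
    host: str
    user: Optional[str] = None       # None = no proxy credentials sent yet

class NeedAuth(Exception):
    """Raised when an ACL needs a username the request does not carry."""

def acl_auth_group(r: Request) -> bool:
    if r.user is None:
        raise NeedAuth()
    return r.user in GROUP_MEMBERS

ACLS = {
    "allowedsites": lambda r: r.host in ALLOWED_SITES,
    "localhost": lambda r: r.src == "127.0.0.1",
    "SURFING": lambda r: r.src in SURFING_IPS,
    "AuthGroup": acl_auth_group,
}

def http_access(rules, req: Request) -> str:
    """rules: ordered (action, acl_name) pairs, checked per request; first match wins."""
    for action, name in rules:
        try:
            if ACLS[name](req):
                return action
        except NeedAuth:
            return "407 challenge"   # client is asked to authenticate and retry
    # Simplification: nothing matched and the last line was an allow, so deny.
    return "deny"

# Rule order as posted in the thread, then the proposed AuthGroup-first order.
AS_POSTED = [("allow", "allowedsites"), ("allow", "localhost"),
             ("allow", "SURFING"), ("allow", "AuthGroup")]
AUTH_FIRST = [AS_POSTED[3]] + AS_POSTED[:3]
```

With the order as posted, a request from a SURFING address or to an allowed site is allowed before AuthGroup is ever evaluated, so no challenge is sent; with AuthGroup first, every request without credentials is challenged.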