On Tue, 8 Feb 2005, Oliver Hookins wrote:
I've never quite understood it... hence my problem. Let me run this by you though.
It's an ordered list of rules
http_access allow|deny acl AND acl AND ...
OR
http_access allow|deny acl AND acl AND ...
OR
...wher AND/OR is in the logic absolute sense, not the english fuzzy one.
If the request is for one of the allowedsites or from the list of IP addresses in SURFING, the AuthGroup will never even be touched so NTLM authentication is not activated?
So I should put http_access allow AuthGroup at the very top so that NTLM authentication is forced on all requests.
Then you will allow AuthGroup to access anything.
Then if the request is neither from a user in the authorised LDAP group, or from an IP address in SURFING, or to an allowedsite (or from localhost) it will be denied?
If you do
http_access allow A http_access allow B http_access allow C
then the request will be allowed if it matches either A, B or C.
If you do
http_access allow A B C
then the request will be allowed if it matches all of A B and C.
http_access processing is always done top-down left to right.
When does Squid decided if it needs to activate the proxy_auth password required thing?
As soon as it encounters a acl requiring authentication when processing the http_access rules.
During parsing of the configuration file or when a request is made?
When the request is made.
Regards Henrik
