On Tue, 29 Mar 2005, Serassio Guido wrote:
ISA server have this kind of behavior, and if could re-create with squit it would be pretty nice.
I know the ISA Server behaviour.
What you asking for, is trigger again an authentication request to the browser when the user authentication is correct, but an external acl, or any other acl, deny the access to Squid.
Hmm.. this is how it is supposed to work.
Ah, no it doesn't for external acls, only proxy_auth.
This does not work:
acl group external ... http_access deny !group
but this does work:
acl group external ... acl all_users proxy_auth REQUIRED http_access deny !group all_users
and this forces relogin to not take place:
acl some_auth_acl .... acl all src 0.0.0.0/0 http_access deny !some_auth_acl all
You can open a feature request on Bugzilla.
Yes, please do. Fixing this to also work on external acls like expected is pretty easy, but a bug report is needed to connect the patch to.
We should probably also add a directive to globally turn on/off this automatic request for a new login on access denials while touching this part of the code. As you say not all admins want automatic request for login on access denial. Ad even if this can be controlled by http_access rule logics as shown above, having a global directive may be easier for some.
Regards Henrik
