Re: http_reply_access processing


Hello Chris,

Friday, April 6, 2007, 11:53:15 PM, you wrote:

CR> Eugene wrote:
>> Hello!
>> I've upgraded my squid from 2.5.14 to 2.6.12 and got into trouble with
>> http_reply_access rules processing.
>>
>> In our configuration, client programs without proxy authentication
>> support are allowed to get access to the internet by IP using src type acls.
>>
>> If a client is matched by 'src' first and if the first http_reply_access rule's acl type is 'proxy_auth', then
>> squid requests an auth header (gets none), stops processing the next
>> http_reply_access rules and generates X-Squid-Error: ERR_ACCESS_DENIED 0
>>
>>

>>   
CR> # Allow domain computers to perform updates w/o proxy authentication
CR> http_access allow domain_comp files
CR> # Allow logged in users to access anything
CR> http_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_access deny media # Send TCP_RESET
CR> http_access deny files # Send TCP_RESET
CR> http_access deny all

CR> Toss the rest.


CR> # Allow domain computers replies of octet-stream
CR> http_reply_access allow domain_comp mime_files
CR> # Allow logged in users anything
CR> http_reply_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_reply_access deny mime_files # Send TCP_RESET
CR> http_reply_access deny mime_media # Send TCP_RESET
CR> http_reply_access deny all

CR> Toss the rest.

I've tested this configuration; it does not work for me. It gives the same
result.

But if I explicitly allow http_reply_access for domain_comp before any ntlm-based acl,
it works fine.

Real-world example: domain_user on domain_comp opens google.com
and gets access denied.

http_reply_access allow domain_comp mime_files
http_reply_access allow domain_comp #<< Here is explicit allow
http_reply_access allow domain_user # if previous line is commented, deny happens here, but it should not!
http_reply_access deny mime_files
http_reply_access deny mime_media
http_reply_access allow all         #this rule should allow access for domain_comp

Thanks.

-- 
Best regards,
 Eugene                            mailto:gonnabefun@xxxxxxxxx
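
Added example (not part of the original message, and not Squid's code): a simplified Python model of first-match http_reply_access evaluation that reproduces the behaviour reported above, where a proxy_auth ACL reached without credentials ends evaluation with a deny. The ACL types, the 10.0.0.x subnet and the sample transaction are assumptions made for the illustration.

```python
# Simplified model of first-match http_reply_access evaluation, built from the
# behaviour reported in the message above. It is not Squid's implementation.
AUTH_NEEDED = object()  # sentinel: the ACL needs credentials the request lacks

# Assumed ACL types: domain_comp is src, domain_user is proxy_auth,
# mime_* match the reply Content-Type. The subnet is constructed.
ACLS = {
    "all": lambda tx: True,
    "domain_comp": lambda tx: tx["src"].startswith("10.0.0."),
    "domain_user": lambda tx: AUTH_NEEDED if tx["user"] is None else True,
    "mime_files": lambda tx: tx["mime"] == "application/octet-stream",
    "mime_media": lambda tx: tx["mime"].startswith(("audio/", "video/")),
}

def parse(config):
    """Turn 'http_reply_access <allow|deny> acl...' lines into (action, [acl])."""
    rules = []
    for line in config.splitlines():
        words = line.split("#", 1)[0].split()  # drop trailing comments
        if words and words[0] == "http_reply_access":
            rules.append((words[1], words[2:]))
    return rules

def evaluate(rules, tx):
    """Return (verdict, rule_number). ACLs on one line are ANDed, left to right."""
    for number, (action, names) in enumerate(rules, start=1):
        matched = True
        for name in names:
            result = ACLS[name](tx)
            if result is AUTH_NEEDED:
                # Reported behaviour: evaluation stops and the reply is denied.
                return "deny", number
            if not result:
                matched = False
                break
        if matched:
            return action, number
    return "deny", None  # not reached when the list ends with 'all'

WITHOUT_FIX = """\
http_reply_access allow domain_comp mime_files
http_reply_access allow domain_user
http_reply_access deny mime_files
http_reply_access deny mime_media
http_reply_access allow all
"""
WITH_FIX = WITHOUT_FIX.replace(
    "allow domain_user", "allow domain_comp\nhttp_reply_access allow domain_user")
# Constructed transaction: an HTML page fetched from a domain computer, no auth.
PAGE = {"src": "10.0.0.15", "user": None, "mime": "text/html"}
```

In this model the final "allow all" is never consulted for PAGE without the explicit allow, because evaluation ends at the proxy_auth rule on line 2.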

