Eugene wrote:
Hello Chris,
Friday, April 6, 2007, 11:53:15 PM, you wrote:
CR> # Allow domain computers to perform updates w/o proxy authentication
CR> http_access allow domain_comp files
CR> # Allow logged in users to access anything
CR> http_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_access deny media # Send TCP_RESET
CR> http_access deny files # Send TCP_RESET
CR> http_access deny all
CR> Toss the rest.
CR> # Allow domain computers replies of octet-stream
CR> http_reply_access allow domain_comp mime_files
CR> # Allow logged in users anything
CR> http_reply_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_reply_access deny mime_files # Send TCP_RESET
CR> http_reply_access deny mime_media # Send TCP_RESET
CR> http_reply_access deny all
CR> Toss the rest.
I've tested this configuration; it does not work for me. It gives the same
result.
But if I explicitly allow http_reply_access for domain_comp before any ntlm-based acl,
it works fine.
Real-world example: domain_user on domain_comp opens google.com
and gets "access is denied".
http_reply_access allow domain_comp mime_files
http_reply_access allow domain_comp #<< Here is explicit allow
http_reply_access allow domain_user # if previous line is commented, deny happens here, but it should not!
That leads me to believe that the reply mime type is not
application/octet-stream, or that there is a request for a
non-application in there, throwing a wrench in the whole operation.
http_reply_access deny mime_files
http_reply_access deny mime_media
http_reply_access allow all #this rule should allow access for domain_comp
Thanks.
Chris