Andrew Hodgson wrote:
Hi, I have a Squid server used on a test network. I want to allow some users to authenticate through the proxy if they are on specific IP addresses, to test software functionality, using basic authentication. However, the rest of the clients should go through without authentication. I have ACLs such as:

    acl Authenticated_IPs src 10.10.10.50 10.10.10.51 proxy_auth REQUIRED
    acl Test_Network src 10.10.10.0/24 10.10.30.0/24
    http_access allow Authenticated_IPs
    http_access allow Test_Network

This obviously doesn't work because the proxy_auth REQUIRED bit at the end of the first ACL is not understood by the src part. So is there any other way to get a similar configuration working?
Simply split your ACLs !!!

    acl Authentication proxy_auth REQUIRED
    acl Authenticated_IPs src 10.10.10.50 10.10.10.51
    acl Test_Network src 10.10.10.0/24 10.10.30.0/24
    http_access allow Authenticated_IPs Authentication
    http_access allow Test_Network

One thing that you should always notice when using networks WITH and networks WITHOUT authentication ....
In http_access rules with more than one ACL, ACLs are evaluated linearly, that is, in the order YOU configure them. In the example:

    http_access allow Authenticated_IPs Authentication
    http_access allow Test_Network

the first http_access rule will evaluate the IP first and then, if the Authenticated_IPs ACL matches, it will evaluate Authentication, which will give the username/password window in the browser. If we had done:

    http_access allow Authentication Authenticated_IPs

Authentication would be evaluated first and would give the authentication window no matter which IP the request is coming from, because the source IP address would only be evaluated after authentication successfully happens. So, if you had exchanged the ACL order, EVERYBODY would see the authentication window, including people from Test_Network.
Another way of avoiding this would be having the 'http_access allow Test_Network' rule BEFORE the other http_access rule. Then, no matter the ACL order, Test_Network would be allowed before the authentication ACLs are called.
In larger environments, which mix authenticated and non-authenticated rules, it is sometimes PRETTY tricky to correctly order http_access rules and have everything working properly.
-- Sincerely, Leonardo Rodrigues / Solutti Tecnologia / http://www.solutti.com.br
My SPAM trap, do NOT email it: gertrudes@xxxxxxxxxxxxxx
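To make the ordering argument in the reply concrete, here is an added Python model of how Squid walks http_access rules. It is an illustration written for this thread, not Squid's code and not posted by either participant. It assumes a simplified semantics (first matching rule wins, ACLs inside a rule are tested left to right and the rule is abandoned at the first non-match, a proxy_auth ACL reached without credentials issues a 407 challenge, and the implicit default is the opposite of the last rule); the ACL names and addresses are the ones from the posts, while the client addresses and the user name "alice" are constructed sample input.

```python
import ipaddress
from typing import Optional

# Simplified model of Squid's http_access evaluation (added illustration,
# not Squid's own code). Modelled behaviour:
#   - rules are tried top to bottom; the first rule whose ACLs all match decides
#   - inside one rule the ACLs are tested left to right and the rule is
#     abandoned at the first ACL that does not match
#   - a 'proxy_auth REQUIRED' ACL reached by a request carrying no credentials
#     produces a 407 challenge right away (the browser login dialog)
#   - if no rule matches, the default is the opposite of the last rule's action

def parse(config: str):
    """Split a squid.conf fragment into ACL definitions and http_access rules."""
    acls, rules = {}, []
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            # several 'acl NAME ...' lines with the same name are merged
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name: str, src: str, user: Optional[str]):
    """Return True, False, or 'challenge' when auth is required but absent."""
    for kind, args in acls[name]:
        if kind == "src":
            ip = ipaddress.ip_address(src)
            if any(ip in ipaddress.ip_network(a, strict=False) for a in args):
                return True
        elif kind == "proxy_auth":
            if user is None:
                return "challenge"
            if args == ["REQUIRED"] or user in args:
                return True
        else:
            raise ValueError(f"acl type not modelled: {kind}")
    return False

def evaluate(config: str, src: str, user: Optional[str] = None) -> str:
    """Outcome for one request: 'allow', 'deny' or '407 challenge'."""
    acls, rules = parse(config)
    for action, names in rules:
        for name in names:
            m = acl_matches(acls, name, src, user)
            if m == "challenge":
                return "407 challenge"
            if not m:
                break            # this rule does not apply; try the next one
        else:
            return action        # every ACL in the rule matched
    # no rule matched: implicit default is the opposite of the last rule
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

# The three orderings discussed in the thread (ACL lines from the reply)
ACLS = """
acl Authentication proxy_auth REQUIRED
acl Authenticated_IPs src 10.10.10.50 10.10.10.51
acl Test_Network src 10.10.10.0/24 10.10.30.0/24
"""
AS_ANSWERED = ACLS + """
http_access allow Authenticated_IPs Authentication
http_access allow Test_Network
"""
SWAPPED = ACLS + """
http_access allow Authentication Authenticated_IPs
http_access allow Test_Network
"""
TEST_NETWORK_FIRST = ACLS + """
http_access allow Test_Network
http_access allow Authenticated_IPs Authentication
"""

if __name__ == "__main__":
    # constructed sample clients: one authenticated IP, one plain test-network
    # client, one address outside both networks
    for label, cfg in [("as answered", AS_ANSWERED), ("swapped", SWAPPED),
                       ("Test_Network first", TEST_NETWORK_FIRST)]:
        print(label)
        print("  10.10.10.50, no credentials :", evaluate(cfg, "10.10.10.50"))
        print("  10.10.10.50, user alice     :", evaluate(cfg, "10.10.10.50", "alice"))
        print("  10.10.30.7,  no credentials :", evaluate(cfg, "10.10.30.7"))
        print("  192.168.1.9, no credentials :", evaluate(cfg, "192.168.1.9"))
```

Running it shows the three outcomes the reply describes: with the answered ordering only 10.10.10.50 is challenged and 10.10.30.7 passes without a dialog; with the swapped ordering every client, including 192.168.1.9 outside both networks, gets the 407 dialog before its address is ever looked at; with Test_Network first nobody in the test network is challenged at all. That last result is worth noticing for the original question: because 10.10.10.50 also lies inside 10.10.10.0/24, the "Test_Network first" layout means the two test clients are never asked for a password either, so it only fits if unauthenticated access for them is acceptable.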