Re: ACLs and localhost


 



There is something in all this I really am not understanding. Sorry to be
so stupid.

AIUI now, it looks at the ACLs and processes them until it finds one that
matches, and then it stops matching them and allows access. It will only
deny a page when it has processed all the ACLs and NOT found a match.

If I have only 1 authenticated user (emma) then the time-based ACL
('testing') denies access as it should.
When I add another user access (http_access allow andrew) the browser
authentication box comes up, I put in 'emma' and it gives me access.
I'm restarting squid and clearing the browser cache between all these
attempts.



hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth emma # grep ^http /etc/squid/squid.conf
http_port 3128
http_access allow emma testing
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src
127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/ is
ALLOWED, because it matched 'localhost'
2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src
127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/favicon.ico
is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'localhost'


hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
<as before>

hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #



2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:56:04| aclMatchAclList: checking testing
2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
2008/03/24 09:56:04| aclMatchAclList: checking andrew
2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/ is ALLOWED,
because it matched 'andrew'
2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
2008/03/24 09:56:04| aclMatchAclList: checking QUERY
2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex
cgi-bin \?'
2008/03/24 09:56:04| aclMatchRegex: checking '/'
2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: NO match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| clientProcessHit: HIT
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/ is
ALLOWED, because it matched 'all'
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:56:04| aclMatchAclList: checking testing
2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
2008/03/24 09:56:04| aclMatchAclList: checking andrew
2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7d38'
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'andrew'
2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
2008/03/24 09:56:04| aclMatchAclList: checking QUERY
2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex
cgi-bin \?'
2008/03/24 09:56:04| aclMatchRegex: checking '/favicon.ico'
2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: NO match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'all'
hepworth emma #
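
Added example, not part of the original post and not Squid's own code: a small Python model of the http_access evaluation visible in the two debug traces above. It reproduces both logged verdicts and shows the result when each ACL names its user (Squid's "acl emma proxy_auth emma" form) instead of REQUIRED; the names build_acls, named_users, FIRST, SECOND and REQ are assumptions made for this sketch.

```python
from datetime import datetime

def proxy_auth(*users):
    # 'REQUIRED' matches ANY successfully authenticated user;
    # explicit names match only those users.
    if users == ("REQUIRED",):
        return lambda r: r["user"] is not None
    return lambda r: r["user"] in users

def time_acl(days, start, end):
    # days use Squid's letters; start/end are minutes since midnight,
    # the same units as "checking 592 in 450-480" in the debug log.
    letters = "MTWHFAS"  # index = datetime.weekday(), Monday = 0
    def match(r):
        t = r["when"]
        return letters[t.weekday()] in days and start <= t.hour * 60 + t.minute <= end
    return match

def build_acls(named_users):
    # named_users is a hypothetical switch for this example:
    # False reproduces the posted squid.conf, True names each user.
    return {
        "all": lambda r: True,
        "localhost": lambda r: r["src"] == "127.0.0.1",
        "emma": proxy_auth("emma" if named_users else "REQUIRED"),
        "andrew": proxy_auth("andrew" if named_users else "REQUIRED"),
        "testing": time_acl("MTWHF", 450, 480),
    }

def http_access(rules, acls, req):
    for action, names in rules:
        # ACLs on one line are ANDed; the first fully matching line decides.
        if all(acls[n](req) for n in names):
            return action, names[-1]
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

FIRST = [("allow", ["emma", "testing"]), ("deny", ["localhost"]), ("deny", ["all"])]
SECOND = [FIRST[0], ("allow", ["andrew"])] + FIRST[1:]

# Constructed request matching the log: emma from 127.0.0.1, Monday 09:56.
REQ = {"src": "127.0.0.1", "user": "emma", "when": datetime(2008, 3, 24, 9, 56)}

if __name__ == "__main__":
    print(http_access(FIRST, build_acls(False), REQ))
    print(http_access(SECOND, build_acls(False), REQ))
    print(http_access(SECOND, build_acls(True), REQ))
```

With REQUIRED on both ACLs, 'andrew' and 'emma' are the same test, so the added allow line admits any authenticated user at any time of day.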


