Re: proxy_auth and http_reply_access

[Chris Robertson <crobertson@xxxxxxx>]

Jérôme Loyet wrote:
> Hello guys,
>
> I have a problem configuring squid basic ACL.
>
> Here is what I need:
> - Allow only requests on port 80 (PORT80)
> - Allow to join certain domain (DOMAINS)
> - Allow to get xml files (XML)
> - Authenticated users can get whatever they want on any std ports (AUTH)
>
> The rules should be order as is: AUTH or (PORT80 and (XML or
> DOMAINS)). At the begening the rule AUTH did not exist. My ACL looked
> like this:
>
>   
> > acl network src 10.0.0.0/8
> >
> > acl rule_port80 port 80
> >
> > acl rule_domain domain eplf2.intel-lehren.de
> > acl rule_domain domain database.clamav.net
> > acl rule_domain domain gouv.fr
> > acl rule_domain domain cnr.groupe-sigma.com
> >
> > acl rule_rep_header rep_header Content-Type -i ^text/xml
> > acl rule_rep_header rep_header Content-Type -i ^application/xml
> > acl rule_rep_header rep_header Content-Type -i ^application/xhtml+xml
> > acl rule_rep_header rep_header Location -i ^.
> >
> > http_access allow network rule_port80
> > http_access deny network all
> >
> > http_reply_access allow network rule_domain
> > http_reply_access allow network rule_rep_header
> > http_reply_access deny network all
> >     
>
> Then I had to add the AUTH rule. here is the lines I added:
>
>   
> > auth_param basic program /usr/local/oss/squid/libexec/ncsa_auth \
> > /usr/local/oss/squid/etc/passwd
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >     
>
>   
> > acl auth_users proxy_auth REQUIRED
> >
> > # Just before the "http_reply_access deny network all" line
> > http_reply_access allow all auth_users
> >     

But the requests (http_access) are not allowed to go out.  Replace 
"http_access deny network all" with "http_access deny !auth_users 
network", and (assuming you have the standard Safe_ports acl to limit 
these requests to "standard ports") you should be set.

> And guess what ? I doesn't work :(
>
> The proxy_auth conf is fine cause I tested to use the auth_users rule
> in http_access and it works as expected.
>
> Is there a problem when using in conjunction http_replay_access et a
> proxy_auth rule ? Or did I do something wrong in my conf ?
>
> Thanks for your answers
>
> ++ Jerome
>   

Chris