
Fwd: Re: About proxy_auth alc


 




On 23/06/10 04.49, Amos Jeffries wrote:
 On Tue, 22 Jun 2010 16:30:52 +0200, Alberto Cappadonia
 <alberto.cappadonia@xxxxxxxxx>   wrote:

 Hi,

 I've a question about proxy_auth acl.

 if I've an acl list like the following

 acl friends proxy_auth mary jane carl
 acl target dst 10.0.0.1

 http_access friends allow
 http_access target deny

 On startup your Squid barfs with "FATAL: Bungled squid.conf"

 The syntax is:
   "http_access" ( "allow" | "deny" ) [acl] [acl ...]


Yes, of course. I made a mistake while writing the e-mail! :)


 What happens when mary contacts 10.0.0.1? always allow?

 Yes. "mary", "jane" and "carl" are allowed unrestricted access to HTTP
 once logged in.


 If "http_access friends allow" is evaluated to true, is the second also
 checked?

 No. *_access lines always evaluate to one of two results:
    true ->   stop and do (allow|deny).
    false ->   test next rule.


 I mean, the proxy_auth acl is considered by squid like the other acls, or is
 evaluated only the first time and when the timeout expires?

 ACL are evaluated every test.

 All ACL which require remote lookups (ie DNS lookups, proxy_auth, ident
 and external) each have an internal cache of results which gets checked
 first before the slow helper is asked. Some protocols see M/ttl of M
 requests, others see M of M requests.


Ok thanks! This is the answer I'd like to receive! Because it was not
clear to me how squid "mixes" packet header info (src, dst, port, ...., acls)
and acls requiring remote lookups



 Is there some doc explaining the state-chart of the entire
 authentication scheme?

 No. Each authentication protocol (auth_param X) differs.

 Note that *authentication* is very different to the *authorization* scheme
 you are asking about.
   Access Controls authorizes some particular request to happen or not to
 happen. Sometimes, as in your config, a user is required to be
 authenticated before they can be authorized access. Usually they can be
 denied without authentication (ie external machines).

 The state diagram of your access controls is called squid.conf.
   * Starting at the top each line is evaluated top-down left-to-right.
   * First word is the point of transfer affected by the control
 (http_access ->   each HTTP request).
   * Second word is the policy to enforce (allow/deny).
   * Third and following is a list of stats to be tested.
   * if an ACL is true, the next on the line gets tested, end of line the
 policy applied.
   * if an ACL is false, the next line gets checked.

 http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes


Thanks for the answer!

Regards
Alberto
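
An added example, not part of the original thread and not Squid's own code: a small Python model of the top-down, first-match evaluation described in the reply above, run against the configuration as posted, the corrected syntax, and the two lines in reverse order. The function names, the user "bob" and the address 10.0.0.2 are constructed for illustration; the sketch assumes credentials were already verified, models only `proxy_auth` and `dst`, and takes the no-match default from Squid's http_access documentation rather than from this thread.

```python
import ipaddress

ACLS = "acl friends proxy_auth mary jane carl\nacl target dst 10.0.0.1\n"
AS_POSTED = ACLS + "http_access friends allow\nhttp_access target deny\n"
CORRECTED = ACLS + "http_access allow friends\nhttp_access deny target\n"
REORDERED = ACLS + "http_access deny target\nhttp_access allow friends\n"

def parse(conf):
    """Parse the acl / http_access lines of a squid.conf-style string."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "acl":
            acls[words[1]] = (words[2], words[3:])  # name -> (type, values)
        elif words[0] == "http_access":
            # Syntax quoted in the thread: http_access (allow|deny) [acl] [acl ...]
            if len(words) < 2 or words[1] not in ("allow", "deny"):
                raise ValueError("Bungled line: " + line.strip())
            if any(name not in acls for name in words[2:]):
                raise ValueError("undefined acl in: " + line.strip())
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, request):
    kind, values = acl
    if kind == "proxy_auth":  # any one listed user is enough
        return request["user"] in values
    if kind == "dst":
        dst = ipaddress.ip_address(request["dst"])
        return any(dst in ipaddress.ip_network(v) for v in values)
    raise ValueError("acl type not modelled in this sketch: " + kind)

def http_access(conf, request):
    """Return 'allow' or 'deny' for a request dict with 'user' and 'dst'."""
    acls, rules = parse(conf)
    for action, names in rules:  # lines are tried top-down
        # ACLs on one line are tested left-to-right and must all be true
        if all(acl_matches(acls[n], request) for n in names):
            return action  # first matching line decides; later lines are skipped
    # No line matched: Squid's documented default is the opposite of the last line
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for name, conf in (("corrected", CORRECTED), ("reordered", REORDERED)):
        for user, dst in (("mary", "10.0.0.1"), ("bob", "10.0.0.1"), ("bob", "10.0.0.2")):
            print(name, user, dst, http_access(conf, {"user": user, "dst": dst}))
```

With the corrected order, an authenticated user outside the list who requests any other destination falls through both lines and receives the opposite of the final `deny`; ending the list with an explicit catch-all line avoids depending on that default.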



