2012/7/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
>>
>> Hi all,
>> I need to create a rule where some users, logged in with NTLM, must
>> be restricted to only a few sites.
>>
>> I tried something like:
>>
>>
>> acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
>> acl RESTRICTED_WEB dstdomain "/etc/squid/restricted_web.limited"
>>
>> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
>> http_reply_access deny all RESTRICTED_USER
>
>
> The magic ACL "all" only means something when it's on the end (right hand
> side) of the line.
>
> By placing "all" on the end of a line containing authentication ACLs you
> prevent login challenge from being done by *that* line.
>
> Also note that by doing these restrictions on *reply* access, it means the
> user/client's details have already been sent to the remote website for
> processing. Only the remote website's response is blocked from delivery to the
> client. NTLM could be doing some very strange things with its multiple
> requests.
> There is no reason why these rules cannot be done in http_access where it
> is safer and NTLM cannot have such dangerous side effects. I suggest moving
> them and seeing what improves.
>

I tried to use http_access, but in this case on every page I tried to
access outside the restricted ones I received an authentication request,
and that isn't a good thing.
Now I removed the 'all' from the second "http_reply_access" line and it
seems to work fine.

Thanks for the explanation of the use of "http_reply_access", but I
don't know another command that blocks the sites and doesn't ask for
authentication.

>
>
>>
>>
>> It works, but other users seem to be affected by continuous
>> authentication requests.
>
>
> By "user" what do you mean other already logged in *users*? or non-login
> *clients*?
>
>
> Amos

First of all I authenticate all the users; only a list of these users
can't surf on the web but is limited as above.

Thanks
---
Carlo
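
The restriction discussed in this thread, written for http_access with "all" placed at the end of the deny line, as an added example that is not from either poster. RESTRICTED_USER, RESTRICTED_WEB and the two file paths are taken from the original post; the AUTHENTICATED ACL name and the rule order are assumptions.

```conf
# Added example, not from the thread. ACL names and file paths are the ones
# in the original post; AUTHENTICATED and the rule order are assumptions.

acl AUTHENTICATED   proxy_auth REQUIRED
acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
acl RESTRICTED_WEB  dstdomain  "/etc/squid/restricted_web.limited"

# 1. Authenticate everyone first. This line ends in an authentication
#    ACL, so a client without valid credentials is challenged here.
http_access deny !AUTHENTICATED

# 2. Restricted users may reach the listed domains.
http_access allow RESTRICTED_USER RESTRICTED_WEB

# 3. Restricted users requesting any other site are refused before the
#    request leaves the proxy. "all" is the last ACL on the line, so
#    this line does not trigger a login challenge; the client receives
#    an access-denied page instead of another credentials prompt.
http_access deny RESTRICTED_USER all

#    For comparison, the same rule ending in the authentication ACL.
#    A match on this form re-issues the login challenge on every
#    blocked page:
# http_access deny RESTRICTED_USER

# 4. Every other authenticated user is allowed; nothing else is.
http_access allow AUTHENTICATED
http_access deny all
```

Because these rules run in http_access, a blocked request is never forwarded, whereas http_reply_access only withholds the response after the remote site has already processed the request.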