On 10/07/2012 9:37 p.m., Carlo Filippetto wrote:
2012/7/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
Hi all,
I need to create a rules where some users, logged in with ntlm, must
be restrictet only in few sites.
I tried something as:
acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
acl RESTRICTED_WEB dstdomain "/etc/squid/restricted_web.limited"
http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
http_reply_access deny all RESTRICTED_USER
The magic ACL "all" only means something when its on the end (right hand
side) of the line.
By placing "all" on the end of a line containing authentication ACLs you
prevent login challenge from being done by *that* line.
Also note that by doing these restructions on *reply* access, it means the
user/clients details have already been sent to the remote website for
processing. Only the remote websites reponse is blocked from delivery to the
client. NTLM could be doing some very strange thinsg with its multiple
requests.
There is no reason why these rules cannot be done in http_access where it
is safer and NTLM cannot have such dangerous side effects. I suggest moving
them and seeing what improves.
I tried to use http_access but in this case on every page I tried to
access out of the restriscted ones I receive an authentication
request, and it isn't a good thing
Client who did not send credentials are asked to do so. Authentication
does not work without credentials.
Now I remove the 'all' from the second "http_reply_access" line and
seems works fine.
Strange. As I said "all" was not doing anything on that line, just
wasting space in the config file.
Thank's for the explanation on the use of "http_reply_access", but I
don't know another command that block the sites and don't asks for
authentication
Adding "all" on the right-hand side of both lines, and making them
"http_access" instead of "http_reply_access" will do that. Just make
sure these are under the lines which authenticate all your users.
Amos
