
Re: external_acl_type + squid_ldap_auth


 



Thanks guys!

My problem was solved by Amos's answer.

On Tue, Aug 28, 2012 at 7:30 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 28/08/2012 9:18 a.m., Eliezer Croitoru wrote:
>>
>> On 8/27/2012 11:23 PM, Rafael Gomes wrote:
>>>
>>> acl rafael external check_user rafael.gomes
>>> http_access deny rafael
>>
>> you must understand that the check is yes\no match.
>> it will request username for:
>> http_access deny rafael
>>
>> so if you have wrong username squid will move on to the next acl since the
>> username is not a match to "rafael" acl.
>
>
> Worse than this. You need the username details to supply %LOGIN. Which in
> turn is used to determine what the username details are...
>
> So Squid must already be aware of the username, finished performing
> authentication in order to start calling this ACL test.
>
> There are two choices:
>  1) If you are already authenticating everyone. Create an "acl rafael
> proxy_auth rafael" test. That ACL will check the credentials and match only
> for that one user. So when you use it make sure it's not on the end of the
> line (eg test it with "http_access deny rafael all" to prevent popups)
>
> 2) use a "fake" authentication helper (bundled now with squid 3.2) to accept
> any garbage they send. It will still request credentials from the browser
> though. User "Rafael" could simply send username "annie" and get past this
> type of security block.
>
>
> Amos



-- 
Rafael Gomes
IT Consultant
LPIC-1 MCSO
(71) 8318-0284

Attention: This e-mail may contain attachments in ODF (Open Document
Format)/ABNT format (extensions odt, ods, odp, odb, odg). Before asking
for the attachments in another format, you can install BrOffice
(http://www.broffice.org) freely and at no cost.
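
Amos's first option, written out as a squid.conf fragment. This is an added example, not part of the original thread; the helper path, LDAP host, base DN and search filter are assumed placeholders, and the username is the one from Rafael's original ACL line.

```conf
# Added example (not from the thread). Path, host and base DN are placeholders.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Matches any request that carries valid credentials.
acl authenticated proxy_auth REQUIRED
# Matches only when the authenticated username is exactly this one.
acl rafael proxy_auth rafael.gomes

# An authentication ACL last on a deny line makes Squid send a credentials challenge,
# so clients that have not logged in yet are prompted here.
http_access deny !authenticated

# "all" is last on this line, so a match is a plain denial
# instead of another login popup.
http_access deny rafael all

http_access allow authenticated
http_access deny all
```

Because the username comes from the authentication helper's verdict rather than from an external ACL fed by %LOGIN, there is no circular dependency between knowing the user and checking the user.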


