On 19/02/2013 8:19 a.m., David Touzeau wrote:
> Dear, I need some clarification about the "AND" operator in
> http_access (or any other tokens using ACLs).
> I cannot find what I have missed...
> I need to ban some websites except for some specified users.
> I create 2 ACLs:
> acl MyAllowedU proxy_auth david jhon mirna
> acl bannedw dstdomain .msn.com .yahoo.com
> Basically I can do that:
> http_access deny !MyAllowedU bannedw
Basically yes, they are ANDed together. However...
> Is there any change in behavior if I do
> http_access deny bannedw !MyAllowedU
They are tested in order and each of those types has different
side-effects from testing.
bannedw has no side-effects beyond DNS lookup on raw-IP requests.
MyAllowedU has the side effect of triggering authentication re-challenge
if it is last on the line and fails to match a user (missing, wrong
password, other user).
In your initial setup it only triggers authentication challenge if
credentials are *missing*.
Other than the auth behaviour, the second setup is a faster ACL testing
sequence on all traffic which fails to match bannedw.
If you need to change the order for performance, place the "all" at the
right-hand end of the line to prevent the change of auth behaviour.
Amos
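To make the evaluation-order point concrete, here is a small Python model of the behaviour Amos describes above. It is an added illustration, not Squid's own code: the ACL names, users and domains come from the thread, while the evaluation rules (left-to-right AND, stop at the first non-matching term, challenge on missing credentials, re-challenge when a failing proxy_auth ACL is the last term on the line) are a simplification of his reply, and the `Request` class and `run` helper are assumed for the demonstration.

```python
# Toy model of the left-to-right, ANDed http_access evaluation described in
# the reply above. Constructed illustration, NOT Squid source code; the ACL
# names, users and domains come from the thread, everything else is assumed.
from typing import List, Optional, Tuple

ALLOWED_USERS = {"david", "jhon", "mirna"}        # acl MyAllowedU proxy_auth ...
BANNED_DOMAINS = (".msn.com", ".yahoo.com")       # acl bannedw dstdomain ...
PROXY_AUTH_ACLS = {"MyAllowedU"}                  # ACLs whose failure can challenge


class Request:
    """A request as seen by the proxy; tests_run records which ACLs were evaluated."""

    def __init__(self, host: str, user: Optional[str] = None, password_ok: bool = True):
        self.host = host
        self.user = user                # None means no Proxy-Authorization header
        self.password_ok = password_ok
        self.tests_run: List[str] = []


def domain_matches(host: str, pattern: str) -> bool:
    # dstdomain semantics: a leading dot matches the domain and all its subdomains
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_bannedw(req: Request) -> Optional[bool]:
    req.tests_run.append("bannedw")
    return any(domain_matches(req.host, p) for p in BANNED_DOMAINS)


def acl_my_allowed_u(req: Request) -> Optional[bool]:
    req.tests_run.append("MyAllowedU")
    if req.user is None:
        return None                     # no credentials: cannot decide, must challenge
    return req.user in ALLOWED_USERS and req.password_ok


def acl_all(req: Request) -> Optional[bool]:
    req.tests_run.append("all")
    return True


ACLS = {"bannedw": acl_bannedw, "MyAllowedU": acl_my_allowed_u, "all": acl_all}


def evaluate_deny_line(terms: List[str], req: Request) -> str:
    """Evaluate 'http_access deny <terms>' left to right with AND semantics.

    Returns 'deny' (every term matched), 'no-match' (evaluation stopped at the
    first non-matching term; later lines would be consulted) or 'challenge'
    (the proxy answers with an authentication challenge instead of a verdict).
    """
    for i, term in enumerate(terms):
        negated = term.startswith("!")
        name = term.lstrip("!")
        result = ACLS[name](req)
        is_last = i == len(terms) - 1
        if result is None:
            return "challenge"          # missing credentials challenge wherever the ACL sits
        # A proxy_auth ACL that is LAST on the line and fails to match the user
        # (wrong password, other user) re-challenges instead of deciding.
        if name in PROXY_AUTH_ACLS and is_last and result is False:
            return "challenge"
        if result == negated:           # term did not match (accounting for '!')
            return "no-match"
    return "deny"


def run(terms: List[str], host: str, user: Optional[str] = None,
        password_ok: bool = True) -> Tuple[str, List[str]]:
    """Convenience wrapper returning (verdict, ACLs actually tested)."""
    req = Request(host, user, password_ok)
    return evaluate_deny_line(terms, req), req.tests_run


ORIGINAL = ["!MyAllowedU", "bannedw"]               # David's line
REORDERED = ["bannedw", "!MyAllowedU"]              # faster, but the auth ACL is now last
REORDERED_SAFE = ["bannedw", "!MyAllowedU", "all"]  # Amos's suggestion

if __name__ == "__main__":
    for label, terms in [("original", ORIGINAL), ("reordered", REORDERED),
                         ("reordered+all", REORDERED_SAFE)]:
        print(label)
        print("  other user -> www.msn.com    :", run(terms, "www.msn.com", user="eve"))
        print("  no creds   -> www.example.com:", run(terms, "www.example.com"))
        print("  david      -> www.msn.com    :", run(terms, "www.msn.com", user="david"))
```

Running it shows the three effects from the reply: with the original order every request pays for the proxy_auth test first, with bannedw first non-banned traffic stops after one ACL, and with the auth ACL last a user outside the list gets a re-challenge on banned sites instead of a plain deny until `all` is appended.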