>> Is it possible to rewrite the URL *after* the ACL checks? I'm putting
>> an extra argument into the URL (for ACL) - but they aren't needed after
>> the proxy. So I'm trying to use rewrite for stripping the argument -
>> but it seems the ACL checks are done after the rewrites,
>> despite the order.
>
> Squid does check the http_access controls before the url_rewrite_program is
> used. If you are finding otherwise, please produce the output of "squid -v"
> and some details of what you are seeing.

Well, somehow it gets redirected to the deny_info URL:

# ACL
REQ: http://www.osnews.com/
DENIED: http://www.osnews.com/
REDIRECT: http://myservice/?req=http%3A%2F%2Fwww.osnews.com%2F%3F
REDIRECT: http://www.osnews.com/?key=foo
# URL rewrite
REDIRECT: http://www.osnews.com/?
# ACL kicks in again...
DENIED: http://www.osnews.com/
REDIRECT: http://myservice/?req=http%3A%2F%2Fwww.osnews.com%2F%3F
...

And finally the browser cancels the request because of too many redirects.

url_rewrite_program is not very well documented; my helper is returning:

REDIRECT: 302:http://www.osnews.com/
NOCHANGE: http://www.osnews.com

And here's the version info:

Squid Cache: Version 3.3.4
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'

> BTW: this is an *extremely* nasty abuse of HTTP. Please reconsider using an
> HTTP header to pass this information.

Thanks for the suggestion, I'm aware this solution is not ideal. What I'm trying to achieve is cookie-based authorisation. Because the client IP address is behind NAT, I can't identify them using it. And using an authentication dialog is a no-go as well. I already tried setting the cookie from the same address where the proxy is running, but apparently browsers do not send cookies to the proxy when connecting to another site.

So working with the URL seemed the only way to go.

Br, Juha
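Editor's note, added to this thread and not part of the poster's or Squid's own code: the url_rewrite_program protocol in the Squid 3.3 line that Juha is running is small enough to show in full. Squid writes one request per line to the helper's stdin (optionally prefixed with a channel ID when url_rewrite_concurrency is set) and expects exactly one reply line per request. The reply is either a rewritten URL, which Squid fetches in place of the original without the client ever seeing it, a "3xx:URL" redirect, which sends the client back to re-request the new URL (and so back through http_access), or an empty line for no change. The example below strips the ACL parameter (the name "key" is taken from the log above and is otherwise an assumption) and returns both reply forms so the difference is visible; it also avoids leaving a dangling "?" when the query becomes empty. Squid 3.4 and later switched to the "OK rewrite-url=..." / "OK status=302 url=..." reply format, so this helper as written targets 3.3 only.

```python
#!/usr/bin/env python3
"""Minimal Squid 3.3-style url_rewrite_program helper (added example).

Request line from Squid (channel-ID only when url_rewrite_concurrency > 0):

    [channel-ID] URL client_ip/fqdn ident method [kv-pairs]

Reply line to Squid, prefixed with the same channel-ID when one was given:

    rewritten-URL   -> Squid fetches this URL instead; the client is not told
    3xx:URL         -> Squid answers the client with an HTTP redirect to URL
    (empty)         -> leave the URL unchanged
"""
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed name of the query parameter that carries the ACL token.
STRIP_PARAMS = {"key"}


def strip_params(url: str, names=STRIP_PARAMS) -> str:
    """Remove the named query parameters from url.

    urlunsplit() with an empty query yields "http://host/path", not
    "http://host/path?", so no dangling "?" is left behind.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in names]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def rewrite_reply(line: str, redirect: bool = False) -> str:
    """Build the one-line reply for a request line read from Squid.

    redirect=False returns an in-place rewrite; redirect=True returns the
    "302:URL" form, which makes the client issue a fresh request.
    """
    fields = line.split()
    if not fields:
        return ""
    channel = ""
    if fields[0].isdigit():            # concurrency channel-ID present
        channel = fields[0] + " "
        fields = fields[1:]
    if not fields:
        return channel.rstrip()
    url = fields[0]
    new_url = strip_params(url)
    if new_url == url:
        return channel.rstrip()        # empty body means "no change"
    if redirect:
        return channel + "302:" + new_url
    return channel + new_url


def main() -> None:
    # One reply per request line; flush so Squid is never left waiting.
    for raw in sys.stdin:
        sys.stdout.write(rewrite_reply(raw.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /path/to/helper.py` (add `url_rewrite_concurrency N` if you want the channel-ID form); the in-place rewrite path is the one that keeps the stripped URL from ever being re-submitted by the browser.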