Re: Order of http_access allow/deny

On 04/02/15 09:19, Andreas.Reschke@xxxxxxxxx wrote:
Hi there,
Is there an order of http_access allow/deny? If I activate "http_access deny !chkglwebhttp" nobody can use the proxy, squid always asks for user and password (user and password is correct)

######
acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
acl auth proxy_auth REQUIRED
acl permitt_ips src 10.143.10.247/32
acl FTP proto FTP
acl PUT method PUT

# whitelisten
http_access allow open-sites all
http_access allow localhost
http_access allow permitt_ips !denied-sites !social-sites
http_access allow indien DAY
http_access deny indien
#http_access deny !chkglwebhttp
http_access allow selling-sites sellingUser
http_access allow social-sites socialUser

    Actually, and I don't know if this is a bug or a desired behavior, denying a group seems to always (at least to me) bring the authentication popup. To avoid that and make things really work as expected, I usually add an 'all' to the denying clause. As the 'all' rule will match anything, it won't change the denying or not of your rule. And it will make things work. Actually this hint was found on the mailing list archives.

    So, instead of

http_access deny !chkglwebhttp

    try using

http_access deny !chkglwebhttp all

    If your 'indien' acl, which is also used on a deny rule, is also a group rule (that cannot be confirmed on the conf you posted), just add the all as well. In summary, always add an 'all' to an http_access rule which involves denying by any kind of group checking.





-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	gertrudes@xxxxxxxxxxxxxx
	My SPAMTRAP, do not email it


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
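
A simplified Python model of the behaviour discussed in this thread, added here as an illustration (it is not code from the thread or from Squid). It assumes that http_access lines are checked top to bottom with the first full match deciding, that the client has already sent valid credentials, and that a matching deny line answers 407 (login popup) when its last ACL is credentials-based and 403 otherwise; the request dictionaries and the `AUTH_ACLS` set are constructed for the example.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Assumptions: first matching line wins; on a deny, the LAST ACL on the line
# decides between 407 (re-prompt for login) and 403 (plain denial).

# ACL names from the posted config that depend on the user's login / LDAP group.
AUTH_ACLS = {"auth", "chkglwebhttp", "sellingUser", "socialUser"}

def acl_matches(token, req):
    """Evaluate one ACL token, honouring the '!' negation prefix."""
    negate = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":
        hit = True
    elif name in AUTH_ACLS:
        hit = name in req["groups"]   # constructed: groups the user belongs to
    else:
        hit = name in req["tags"]     # constructed: site/source ACLs the request hits
    return hit != negate

def evaluate(rules, req):
    """Return (action, http_status) for the first matching http_access line."""
    for line in rules:
        action, *acls = line.split()[1:]   # drop the 'http_access' keyword
        if all(acl_matches(a, req) for a in acls):
            if action == "allow":
                return ("allow", 200)
            last = acls[-1].lstrip("!")
            return ("deny", 407 if last in AUTH_ACLS else 403)
    return ("deny", 403)  # simplification: treat "no line matched" as denied

BEFORE = ["http_access allow open-sites all",
          "http_access deny !chkglwebhttp",
          "http_access allow selling-sites sellingUser"]
AFTER = [BEFORE[0], "http_access deny !chkglwebhttp all", BEFORE[2]]

# Constructed requests: a logged-in non-member, the same user on an open site,
# and a member of both groups visiting a selling site.
NON_MEMBER = {"groups": {"auth"}, "tags": set()}
NON_MEMBER_OPEN = {"groups": {"auth"}, "tags": {"open-sites"}}
MEMBER = {"groups": {"auth", "chkglwebhttp", "sellingUser"}, "tags": {"selling-sites"}}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for name, req in (("non-member", NON_MEMBER), ("member", MEMBER)):
            print(label, name, evaluate(rules, req))
```

In this model the trailing `all` changes only the status returned on the deny line, not who is denied, and the `open-sites` allow still wins for a non-member because it is listed first.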
