> From: Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Date: 04.02.2015 13:14
> Subject: Re: Order of http_access allow/deny
> Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
> On 04/02/15 09:19, Andreas.Reschke@xxxxxxxxx wrote:
> Hi there,
> Is there an order of http_access allow/deny? If I activate
> "http_access deny !chkglwebhttp" nobody can use the proxy, squid
> always asks for user and password (user and password is correct)
>
> ######
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> acl auth proxy_auth REQUIRED
> acl permitt_ips src 10.143.10.247/32
> acl FTP proto FTP
> acl PUT method PUT
>
> # whitelist
> http_access allow open-sites all
> http_access allow localhost
> http_access allow permitt_ips !denied-sites !social-sites
> http_access allow indien DAY
> http_access deny indien
> #http_access deny !chkglwebhttp
> http_access allow selling-sites sellingUser
> http_access allow social-sites socialUser
>
> Actually, and I don't know if this is a bug or a desired behavior,
> denying a group seems to always (at least to me) bring the
> authentication popup. To avoid that and make things really work as
> expected, I usually add an 'all' to the denying clause. As the 'all'
> rule will match anything, it won't change the denying or not of your
> rule. And it will make things work. Actually this hint was found on
> the mailing list archives.
>
> So, instead of
>
> http_access deny !chkglwebhttp
>
> try using
>
> http_access deny !chkglwebhttp all
>
> If your 'indien' acl, which is also used on a deny rule, is also
> a group rule (that cannot be confirmed on the conf you posted), just
> add the all as well. In summary, always add an 'all' to an
> http_access rule which involves denying by any kind of group checking.
>
>
>
>
> --
>
>
> Sincerely,
> Leonardo Rodrigues
> Solutti Tecnologia
> http://www.solutti.com.br
>
> My SPAMTRAP, do not email it
> gertrudes@xxxxxxxxxxxxxx
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
Hi Leonardo,
Thanks for your answer. I've tested it with "http_access deny !chkglwebhttp all", so no access is allowed.
I always get "ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'"
Kind regards
Mr. Andreas Reschke
andreas.reschke@xxxxxxxxx, http://www.mahle.com
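The rule ordering and the trailing 'all' discussed in this thread, as an added example that is not part of the original messages and is not Squid source code: a simplified Python model of how http_access lines are evaluated and why a matching deny line answers 407 (authentication popup) or 403. It assumes the LDAPLookup external ACL is tied to the login name; the trailing "allow all" line and the two requests are constructed for illustration.

```python
# Simplified model of Squid's http_access evaluation (added example, not Squid source).
from typing import Callable, NamedTuple

class Acl(NamedTuple):
    name: str
    test: Callable[[dict], bool]
    auth_related: bool = False  # proxy_auth, or an external ACL assumed to use %LOGIN

def evaluate(rules, req):
    """Return (HTTP status, matching line). Lines are checked top-down; first match wins."""
    action = "allow"  # with no lines at all, the default below becomes deny
    for action, terms in rules:
        last = None
        for negate, acl in terms:           # ACLs on one line are ANDed, left to right
            last = acl
            if acl.test(req) == negate:     # this term fails, so the line does not match
                break
        else:
            line = f"http_access {action} " + " ".join(
                ("!" if n else "") + a.name for n, a in terms)
            if action == "allow":
                return 200, line
            # A matching deny challenges (407) only if the last ACL checked is auth-related.
            return (407 if last.auth_related else 403), line
    # No line matched: Squid applies the opposite of the last line's action.
    return (200 if action == "deny" else 403), "(default)"

all_ = Acl("all", lambda r: True)
chkglwebhttp = Acl("chkglwebhttp",
                   lambda r: "GGPY-LO-Web-Http" in r["groups"], auth_related=True)

# Constructed rule sets; the trailing "allow all" line is hypothetical.
WITHOUT_ALL = [("deny", [(True, chkglwebhttp)]), ("allow", [(False, all_)])]
WITH_ALL = [("deny", [(True, chkglwebhttp), (False, all_)]), ("allow", [(False, all_)])]

# Constructed requests: one group member, one authenticated user outside the group.
member = {"user": "alice", "groups": {"GGPY-LO-Web-Http"}}
outsider = {"user": "bob", "groups": set()}

if __name__ == "__main__":
    for label, rules in (("without all", WITHOUT_ALL), ("with all", WITH_ALL)):
        for req in (member, outsider):
            print(label, req["user"], evaluate(rules, req))
```

In both rule sets the non-member is refused; only the response code differs, so the trailing 'all' removes the repeated credential prompt without changing who is denied.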