As you can see (and the warning you get shows it), the problem is not in the ACLs, but in the auth helper or near it:

ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials

04.02.2015 18:34, Andreas.Reschke@xxxxxxxxx wrote:
> "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> wrote on 04.02.2015 13:13:49:
>
> > From: Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx>
> > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Date: 04.02.2015 13:14
> > Subject: Re: Order of http_access allow/deny
> > Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
> >
> > On 04/02/15 09:19, Andreas.Reschke@xxxxxxxxx wrote:
> > Hi there,
> > Is there an order of http_access allow/deny? If I activate
> > "http_access deny !chkglwebhttp" nobody can use the proxy, squid
> > always asks for user and password (user and password is correct)
> >
> > ######
> > acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> > acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> > acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> > acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> > acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> > acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> > acl auth proxy_auth REQUIRED
> > acl permitt_ips src 10.143.10.247/32
> > acl FTP proto FTP
> > acl PUT method PUT
> >
> > # whitelist
> > http_access allow open-sites all
> > http_access allow localhost
> > http_access allow permitt_ips !denied-sites !social-sites
> > http_access allow indien DAY
> > http_access deny indien
> > #http_access deny !chkglwebhttp
> > http_access allow selling-sites sellingUser
> > http_access allow social-sites socialUser
> >
> > Actually, and I don't know if this is a bug or a desired behavior,
> > denying a group seems to always (at least to me) bring the
> > authentication popup. To avoid that and make things really work as
> > expected, I usually add an 'all' to the denying clause. As the 'all'
> > rule will match anything, it won't change the denying or not of your
> > rule. And it will make things work. Actually this hint was found on
> > the mailing list archives.
> >
> > So, instead of
> >
> > http_access deny !chkglwebhttp
> >
> > try using
> >
> > http_access deny !chkglwebhttp all
> >
> > If your 'indien' acl, which is also used on a deny rule, is also
> > a group rule (that cannot be confirmed on the conf you posted), just
> > add the all as well. In summary, always add an 'all' to an
> > http_access rule which involves denying by any kind of group checking.
> >
> > --
> >
> > Sincerely,
> > Leonardo Rodrigues
> > Solutti Tecnologia
> > http://www.solutti.com.br
> >
> > gertrudes@xxxxxxxxxxxxxx
> > My SPAMTRAP, do not email it
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
>
> Hi Leonardo,
>
> thanks for your answer. I've tested it with "http_access deny !chkglwebhttp all", so no access is allowed.
> I always get "ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'"
>
> Kind regards
>
> Mr. Andreas Reschke
> andreas.reschke@xxxxxxxxx, http://www.mahle.com
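The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Squid's own code: a simplified Python model of first-match http_access evaluation. It shows why a deny line ending in a group ACL re-prompts for credentials, why a trailing `all` turns that into a plain denial, and why a helper that cannot bind locks out even valid group members. The site ACL contents and the helper-failure behaviour are assumptions of the model.

```python
# Simplified model of Squid's http_access evaluation (illustration, not Squid code).
GROUP_ACLS = {  # ACL name -> LDAP group, as in the posted squid.conf
    "chkglwebhttp": "GGPY-LO-Web-Http",
    "sellingUser": "GGPY-LO-Web-Allowed-Selling",
}
SITE_ACLS = {  # constructed sample domains; the post does not show these ACLs
    "open-sites": {"intranet.example"},
    "selling-sites": {"shop.example"},
}

def acl_matches(name, site, groups, helper_ok):
    """True if one ACL (optionally negated with '!') matches the request."""
    negate, name = name.startswith("!"), name.lstrip("!")
    if name == "all":
        hit = True
    elif name in GROUP_ACLS:
        # Assumption: a helper that cannot bind confirms no membership at all.
        hit = helper_ok and GROUP_ACLS[name] in groups
    else:
        hit = site in SITE_ACLS.get(name, set())
    return hit != negate

def evaluate(rules, site, groups, helper_ok=True):
    """Walk the rules top-down; the first line whose ACLs all match decides."""
    for action, acls in rules:
        if all(acl_matches(a, site, groups, helper_ok) for a in acls):
            if action == "allow":
                return "allow"
            # A deny whose last ACL is credential-based re-challenges (407);
            # a trailing 'all' turns it into a plain 403.
            return "407" if acls[-1].lstrip("!") in GROUP_ACLS else "403"
    # No line matched: Squid applies the opposite of the last line's action.
    return "403" if rules[-1][0] == "allow" else "allow"

def build_rules(deny_acls):
    """Cut-down version of the posted rule set with the deny line enabled."""
    return [
        ("allow", ["open-sites", "all"]),
        ("deny", deny_acls),
        ("allow", ["selling-sites", "sellingUser"]),
    ]

ORIGINAL = build_rules(["!chkglwebhttp"])
WITH_ALL = build_rules(["!chkglwebhttp", "all"])
MEMBER = {"GGPY-LO-Web-Http", "GGPY-LO-Web-Allowed-Selling"}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("with all", WITH_ALL)):
        print(label, evaluate(rules, "shop.example", MEMBER),
              evaluate(rules, "shop.example", set()),
              evaluate(rules, "shop.example", MEMBER, helper_ok=False))
```

With the helper failing, both rule sets refuse a valid member, so the `all` suffix only changes the response from a credential prompt to a denial; access returns once the helper's bind credentials are corrected.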