Reply: Re: Reply: Re: Order of http_access allow/deny

"squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> wrote on 04.02.2015 13:41:17:

> From: Yuri Voinov <yvoinov@xxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Date: 04.02.2015 13:41
> Subject: Re: [squid-users] Reply: Re: Order of http_access allow/deny
> Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
>
>
> As you can see (and the warning you get shows it), the problem is not in the ACLs.
>
> But in the auth helper or near it:
>
> ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'


And how can I debug it? All I found is too much output. How can I customize the debug level?


>
>
> 04.02.2015 18:34, Andreas.Reschke@xxxxxxxxx wrote:
> > "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> wrote on 04.02.2015 13:13:49:
> >
> > > From: Leonardo Rodrigues <leolistas@xxxxxxxxxxxxxx>
> > > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > Date: 04.02.2015 13:14
> > > Subject: Re: [squid-users] Order of http_access allow/deny
> > > Sent by: "squid-users" <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx>
> > >
> > > On 04/02/15 09:19, Andreas.Reschke@xxxxxxxxx wrote:
> > > Hi there,
> > > Is there an order of http_access allow/deny? If I activate
> > > "http_access deny !chkglwebhttp" nobody can use the proxy, squid
> > > always asks for user and password (user and password are correct)
> > >
> > > ######
> > > acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> > > acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> > > acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> > > acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> > > acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> > > acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> > > acl auth proxy_auth REQUIRED
> > > acl permitt_ips src 10.143.10.247/32
> > > acl FTP proto FTP
> > > acl PUT method PUT
> > >
> > > # whitelisten
> > > http_access allow open-sites all
> > > http_access allow localhost
> > > http_access allow permitt_ips !denied-sites !social-sites
> > > http_access allow indien DAY
> > > http_access deny indien
> > > #http_access deny !chkglwebhttp
> > > http_access allow selling-sites sellingUser
> > > http_access allow social-sites socialUser
> > >
> > >     Actually, and I don't know if this is a bug or a desired behavior,
> > > denying a group seems to always (at least to me) bring the
> > > authentication popup. To avoid that and make things really work as
> > > expected, I usually add an 'all' to the denying clause. As the 'all'
> > > rule will match anything, it won't change the denying or not of your
> > > rule. And it will make things work. Actually this hint was found in
> > > the mailing list archives.
> > >
> > >     So, instead of
> > >
> > > http_access deny !chkglwebhttp
> > >
> > >     try using
> > >
> > > http_access deny !chkglwebhttp all
> > >
> > >     If your 'indien' acl, which is also used on a deny rule, is also
> > > a group rule (that cannot be confirmed from the conf you posted), just
> > > add the all as well. In summary, always add an 'all' to an
> > > http_access rule which involves denying by any kind of group checking.
> > >
> > >
> > >
> > >
> >
> > > --
> > >
> > >
> > >    Sincerely,
> > >    Leonardo Rodrigues
> > >    Solutti Tecnologia
> > >    http://www.solutti.com.br
> > >
> > >    gertrudes@xxxxxxxxxxxxxx
> > >    My SPAMTRAP, do not email it
> > >
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > http://lists.squid-cache.org/listinfo/squid-users
> >
> > Hi Leonardo,
> >
> > thanks for your answer. I've tested it with "http_access deny !chkglwebhttp all", so no access is allowed.
> > I always get "ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'"
> >
> >
> >
> > Kind regards
> >
> > Mr. Andreas Reschke
> > andreas.reschke@xxxxxxxxx, http://www.mahle.com
> >
> >
>

Kind regards

Mr. Andreas Reschke
andreas.reschke@xxxxxxxxx,
http://www.mahle.com
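
Added example, not part of the thread: a small Python model of the situation discussed above. On a matching deny line whose last ACL checks credentials, the client gets a fresh challenge (407); ending the line with `all` turns that into a plain 403; and a group helper whose own LDAP bind fails answers negatively for every user, so `!chkglwebhttp` matches everyone. It assumes the `LDAPLookup` external ACL is defined with `%LOGIN`; the trailing `allow auth` rule, the user names and the function names are constructed for illustration.

```python
# Added illustration: a small model of Squid's http_access matching, not Squid code.
# Assumption: the LDAPLookup external ACL is defined with %LOGIN, so it needs credentials.
CREDENTIAL_ACLS = {"auth", "chkglwebhttp"}

def group_lookup(bind_ok, user, members):
    """Model of the group helper: if its own bind to LDAP fails,
    every lookup is answered negatively, whatever the user's groups are."""
    return bind_ok and user in members

def evaluate(rules, facts):
    """First matching http_access line wins; all ACLs on a line are ANDed.
    Returns the HTTP status the client would see."""
    for action, acls in rules:
        if all(facts[a.lstrip("!")] != a.startswith("!") for a in acls):
            if action == "allow":
                return 200
            # On a deny, the last ACL on the line decides between a new
            # credentials challenge (407) and a plain refusal (403).
            return 407 if acls[-1].lstrip("!") in CREDENTIAL_ACLS else 403
    # No line matched: Squid applies the opposite of the last line's action.
    return 403 if rules[-1][0] == "allow" else 200

def outcome(deny_with_all, bind_ok, user="alice", members=("alice",)):
    """Status for an authenticated, non-localhost user (constructed scenario)."""
    deny = ["!chkglwebhttp", "all"] if deny_with_all else ["!chkglwebhttp"]
    rules = [("allow", ["localhost"]),   # from the posted config
             ("deny", deny),             # the line under discussion
             ("allow", ["auth"])]        # constructed tail; the posted config is cut off
    facts = {"localhost": False, "all": True, "auth": True,
             "chkglwebhttp": group_lookup(bind_ok, user, members)}
    return evaluate(rules, facts)

if __name__ == "__main__":
    for with_all in (False, True):
        for bind_ok in (False, True):
            print(f"all={with_all} bind_ok={bind_ok} -> {outcome(with_all, bind_ok)}")
```

With the bind failing, the model returns 407 for every user without `all` (the endless password prompt) and 403 with it, which matches both reports in the thread; only a working bind lets a group member through.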