Hi, I'm trying to setup squid in a way that it authenticates users via kerberos and grants different levels of web access according to ldap query of MS AD groups.After some trials and errors I have found acl order which apparently does not trigger reauthentication (auth dialogues in browsers although I don't even provide basic auth). Here's relevant part: http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access deny to_localhost # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS http_access deny !auth all http_access allow !basic_domains !basic_extensions basic_users http_reply_access allow !basic_mimetypes basic_users http_access allow !advanced_domains !advanced_extensions advanced_users http_access allow expert_users all # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS http_access allow localhost http_access deny all I'd like to know which acl triggered the ban, so I've created custom error page: error_directory /usr/local/etc/squid/myerrors deny_info ERR_BASIC_EXTENSION basic_extensions The problem is that my custom error page does not trigger when I expect it to (member of basic_users accessing URL with extension listed in basic_extensions) - ERR_ACCESS_DENIED is triggered instead. I guess this is because of last matching rule which is http_access deny all. Is there another way how I can order acls so that I don't trigger reauthentication while triggering deny_info? Thank you in advance. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/ _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
