On 26/04/2016 3:28 a.m., Jok Thuau wrote: > On Mon, Apr 25, 2016 at 7:33 AM, Hack Ensolo wrote: > >> ### http_access rules >> http_access allow manager localhost >> http_access allow auth >> http_access deny !auth >> http_access allow kerbusers >> http_access allow localnet >> http_access deny manager >> http_access deny all >> >> > Since the rules are "first match", once you have "allow auth", squid is > done. it will not look at the group membership (under "kerbusers"). > > you should look at the acl type "all-of" and "any-of" to build your logic: > acl authn_authz all-of auth kerbusers > > might be helpful and would make your config slightly easier to read... I this simple case it will just make it a bit more confusing. Especially since the admin is clearly not understanding the basics properly yet. It also slows down Squid with additional authentication checks compared to the config he does need. > > With that in mind, reconsider how you organize the rules... > Seconded. <http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes> Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
