On 28/06/18 07:06, Verwaiser wrote:
> Hello,
> what would be the right way to implement the authentication bypass list
> linked from adobe:
> https://helpx.adobe.com/content/dam/help/attachments/Creative_Cloud_for_enterprise_Service_Endpoints.pdf

Ouch. Rather a lot of domain names, and it explicitly states that it is
incomplete. Some of them are *extremely* popular (eg Twitter, Google Maps,
Google Play Store). WTF, why does ACC need Google Maps access?

Maybe looking for a User-Agent header string matching the tools that break
will narrow it down to not allowing just anyone access to all those
services.

> I can write the list into a file, ok, but how can I setup the acl for
> correct bypassing all the addresses from this list?
> Is the "always_direct" acl right?

No. 'always_direct allow' means "don't use any cache_peer for this request".

There is no "bypass" directive. Every directive that you have configured a
need for auth to happen needs adjusting such that it also works without
that auth requirement when your new ACL(s) match the transaction.

> Should I place it before the LDAP
> authentication part in squid.conf?

Yes. For every directive which currently requires an auth related test,
place a test which matches the 'bypass' ACL first, OR make it so that you
don't have to require the auth details at that point.

NP: The latest Squid versions' 'note' ACL type can be useful here to test
username (the note named 'user' contains the username) without requiring
that it exists nor triggering auth.

The 'best practice' design is to configure http_access with an ordered
structure like so:

  # The default / recommended security checks at the top
  # ending at that default line "INSERT YOUR CUSTOM RULES BELOW HERE."

  # custom allow/deny rules that do not need auth

  # authenticate
  http_access deny !login

  # custom allow/deny rules that need auth credentials

  # and finally ...
  http_access deny all

The rest of your settings can assume that auth has taken place already
(*if* necessary) and not re-test it themselves.

> Is there more to work on?

Everything which uses an authentication, username, or group ACL test needs
looking at to see whether a bypass is needed.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
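Worked example of the layout Amos describes, added here as an illustration and not taken from the original post or from the Squid project. The script normalizes a raw endpoint list (as a vendor PDF tends to give it: URLs, ports, wildcards, comments) into the dstdomain file syntax Squid expects, and prints the http_access skeleton in which the bypass rule sits above the single "deny !login" that triggers authentication, combined with a User-Agent check so the hole is not open to every client. The file path /etc/squid/adobe_bypass.txt, the "browser" ACL regex, the "localnet" ACL and the sample endpoint lines are all assumptions; the sample lines are constructed, not copied from Adobe's list.

```shell
#!/bin/sh
# Added example (not from the squid-users post or the Squid project):
# turn a raw endpoint list into a Squid dstdomain file and show the
# http_access layout that lets those requests skip proxy_auth.
# Assumptions: the file path, the User-Agent regex, the "localnet" ACL
# and the constructed sample lines below.

# Normalize one endpoint per line into dstdomain syntax:
#  - drop comments and blank lines
#  - strip scheme, path and port ("https://host:443/x" -> "host")
#  - turn "*.example.com" into ".example.com" (Squid's subdomain match)
#  - lowercase and de-duplicate, keeping first-seen order
normalize_bypass_list() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|[/?].*$||' \
        -e 's/:[0-9]*$//' \
        -e 's/^\*\./\./' \
    | tr 'A-Z' 'a-z' \
    | awk '!seen[$0]++'
}

# Print the http_access skeleton: rules that must not require auth come
# first, then the one line that triggers authentication, then rules that
# may assume a username exists. Everything after "deny !login" can rely
# on credentials being present and need not re-test them.
print_bypass_conf() {
    cat <<'EOF'
# --- default Squid security checks stay above this line ---

# Endpoints that must work without proxy credentials (assumed path).
acl adobe_bypass dstdomain "/etc/squid/adobe_bypass.txt"
# Narrow the hole: only the client software that breaks gets through
# unauthenticated. The regex is an assumption; check real User-Agents.
acl adobe_agent browser -i (Adobe|Creative.?Cloud)
http_access allow adobe_bypass adobe_agent

# Everything else must authenticate (LDAP helper configured elsewhere).
acl login proxy_auth REQUIRED
http_access deny !login

# Rules below this line may assume a username is present.
http_access allow localnet login
http_access deny all
EOF
}

# Constructed sample input in the style of a vendor endpoint list.
SAMPLE_ENDPOINTS='# Creative Cloud desktop app
https://cc-api-data.adobe.io/ping
ims-na1.adobelogin.com:443
*.adobe.com
HTTPS://Adobe.com/
ims-na1.adobelogin.com
'

# Run the normalizer over the sample so the result can be inspected.
demo() {
    printf '%s' "$SAMPLE_ENDPOINTS" | normalize_bypass_list
}

# Usage: sh bypass.sh endpoints.txt > /etc/squid/adobe_bypass.txt
# then append the output of print_bypass_conf to squid.conf and reload.
if [ "$#" -gt 0 ]; then
    normalize_bypass_list < "$1"
fi
```

Two points follow from the post: "always_direct" is not involved at all, and the dstdomain file alone is not a bypass; it only becomes one because the allow rule that references it is placed above "http_access deny !login". Any other directive that references a login, username or group ACL (cache_peer_access, delay_access and so on) needs the same treatment: a matching allow for the bypass ACL before the auth-dependent test.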