On 26/01/19 4:19 pm, Schokobecher wrote:
> Hello,
>
> I'm struggling quite a bit with transitioning from basic_ncsa_auth to
> basic_db_auth.
> I have some ports where only certain users (sometimes just one) is
> allowed to connect/pass the ACL check.
>
> I'm running Squid 3.28 on Ubuntu
>
> I have lines like this:
> acl userA proxy_auth_regex -i userA
>
> Which reads the htpasswd file and matches the user based on the regex.

That is technically wrong. When figuring out this type of problem the
details matter.

That is an ACL which reads the HTTP request message for details and
matches true if it finds "usera" or any case-insensitive variation of that.

It has a prerequisite that the auth system has already authenticated
those credentials as valid. But the ACL itself does not do any of that.

As a result of that seemingly minor detail that ACL will happily
non-match when it should match if the access control using it is a
'fast' category control. Correlated with that it may also wrongly match
if the ACL is configured in a '!' modifier.

> Port config looks like this:
>
> http_port 3201 name=3201
> acl userA3201 myportname 3201
> cache_peer example.com parent 3300 0 no-query
> no-digest proxy-only standby=60 name=up01
> cache_peer_access up01 allow userA3201
> never_direct allow userA3201
> http_access allow userA3201 userA

So "usera" is allowed when they use port 3201.

What else have you configured?

This line *cannot* be the one allowing other users to that port, nor
this user to other ports. Some other line or combination of lines is
doing that.

>
> And that for multiple Ports.
>
> I now want to transition to basic_db_auth and got it up and running, but
> the problem is that the above does not work anymore. All authed users
> can now connect to every port.
>

That implies something in your access controls changed. The few you have
mentioned do not show anything related to the problem.
OR, maybe you set the DB helper to return OK for users unrelated to the
actual HTTP request client. You have omitted those details too.

> UserA can use Port 3201,3202,3206 for connecting to the proxy
> UserB can't use these and only can use 3315
>
> What is the best/cleanest way to regain the above functionality?

Cleanest way is to:

1) revert to the old config file. check that it still works.

2) check that the new SQL DB contents match the NCSA htpasswd entries.

3) change only the auth_param "program" line setting which helper is
used. Nothing else, not even other auth_param lines should be touched (yet).

4) check that the proxy behaviour has not changed in regards to who is
getting to what.
 - if there is a change then your parameters to the DB helper need fixing.
 - otherwise problem stated above is solved and you can move on to other
changes.

Amos
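
Added example, not part of the original message and not Squid code: a simplified Python model of the rule evaluation discussed above, where the ACLs on one http_access line are ANDed and the first matching line decides. The user "userAdmin", the "^userB$" rule for port 3315, the broad allow rule and all helper names are constructed for illustration.

```python
import re

# Simplified model (added example, not Squid source): rules are read top to
# bottom, all ACLs on one line must match (AND), first matching line decides.
# Every request is assumed to carry credentials the auth helper accepted.

def port_acl(name):                      # models: acl X myportname <name>
    return lambda req: req["port"] == name

def user_regex_acl(pattern):             # models: acl X proxy_auth_regex -i <pattern>
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda req: rx.search(req["user"]) is not None   # search, not full match

def any_user(req):                       # hypothetical broad ACL: any logged-in user
    return bool(req["user"])

def everything(req):                     # models: all
    return True

def http_access(rules, user, port):
    req = {"user": user, "port": port}
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    raise ValueError("rule list must end with an explicit catch-all")

def per_port_rules(user_a_pattern):
    return [
        ("allow", [port_acl("3201"), user_regex_acl(user_a_pattern)]),
        ("allow", [port_acl("3315"), user_regex_acl("^userB$")]),
        ("deny", [everything]),
    ]

def access_matrix(rules, users, ports):
    return {(u, p): http_access(rules, u, p) for u in users for p in ports}

if __name__ == "__main__":
    users, ports = ["userA", "userB", "userAdmin"], ["3201", "3315"]   # constructed
    variants = {
        "as posted (unanchored)": per_port_rules("userA"),
        "anchored": per_port_rules("^userA$"),
        "broad allow first": [("allow", [any_user])] + per_port_rules("^userA$"),
    }
    for label, rules in variants.items():
        print(label)
        for (u, p), verdict in access_matrix(rules, users, ports).items():
            print(f"  {u:10} port {p}: {verdict}")
```

Running the same user/port matrix against the real proxy before and after switching the helper gives a concrete form of the "who is getting to what" check in step 4.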