We have a "problem" with ACLs, and I don't know how to address this situation in Squid 5.8.

Let me explain:

We have an Active Directory group named limited_users that is only allowed to surf on a very limited list of websites. These users are therefore forbidden to surf on all sites not listed in allowed_domains.

On the other hand, we have websites in noauth_sites that do not need to be authenticated by Squid but are not allowed to be used by the limited_users group.

In logic, we would write the following ACLs:

    external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl
    acl limited_users ads_group limited_users
    acl allowed_domains dstdomain siteallowed.com
    acl allowed_domains dstdomain siteallowed.fr
    acl allowed_domains dstdomain siteallowed.ch
    acl noauth_sites dstdomain office365.com

    http_access deny !allowed_domains limited_users all #ACL1
    http_access allow noauth_sites #ACL2

But in this case, accessing office365.com forces Squid to send the 407 authentication request in order to calculate limited_users in #ACL1, so the second ACL is not effective because the request is blocked beforehand by the 407.

The %LOGIN switch in the external ACL ads_group activates the identification mode.
If we use the %un switch instead, it works, but then the reverse happens: #ACL1 is not processed anymore, since authentication is not requested because the %un switch is too smooth.

What I don't understand is that Squid is trying to calculate the limited_users object when the first allowed_domains object already returns FALSE.
Whatever the result of the objects that follow allowed_domains, the rule will always fail.

In the case where limited_users is in the first place, the logic is correct.

Two questions:

Is there a way for Squid to not compute all http_access objects if the first one fails?
What would be the best rule that could meet this goal?

Regards
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
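
The evaluation order the message asks about, as an added example (a simplified Python model written for this page, not part of the original post and not Squid's own code). It assumes exact-host dstdomain matching, a constructed group membership, and that any ACL needing %LOGIN without credentials yields a 407; the ALLOW_FIRST ordering is a hypothetical variant shown only to compare outcomes.

```python
# Simplified model of Squid http_access evaluation (not Squid's own code).
# Rules are checked top to bottom; ACLs on one line are ANDed left to right
# and evaluation of that line stops at the first ACL that does not match.

ALLOWED = {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}
NOAUTH = {"office365.com"}
LIMITED_MEMBERS = {"alice"}  # constructed sample group membership


class NeedsAuth(Exception):
    """An ACL needed %LOGIN credentials that the request did not carry."""


def match(acl, req):
    if acl == "all":
        return True
    if acl == "allowed_domains":
        return req["host"] in ALLOWED
    if acl == "noauth_sites":
        return req["host"] in NOAUTH
    if acl == "limited_users":  # external ACL using %LOGIN
        if req.get("user") is None:
            raise NeedsAuth()
        return req["user"] in LIMITED_MEMBERS
    raise ValueError(acl)


def evaluate(rules, req):
    for action, acls in rules:
        try:
            # all() short-circuits, like the left-to-right AND on one line.
            # A leading "!" negates the ACL result.
            if all(match(a.lstrip("!"), req) != a.startswith("!") for a in acls):
                return action
        except NeedsAuth:
            return "407"
    # No line matched: the default is the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


# Rule order as posted in the message.
AS_POSTED = [("deny", ["!allowed_domains", "limited_users", "all"]),
             ("allow", ["noauth_sites"])]
# Hypothetical variant: no 407 for noauth_sites, but the allow line also
# matches members of limited_users, because it never looks at the user.
ALLOW_FIRST = [("allow", ["noauth_sites"]),
               ("deny", ["!allowed_domains", "limited_users", "all"])]
```

For office365.com, `allowed_domains` does not match, so `!allowed_domains` is true and evaluation continues to `limited_users`; the line only stops early for hosts that are in `allowed_domains`.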