On 24/04/2023 11:33 am, David Touzeau wrote:
We have a "problem" with ACLs, and I don't know how to address this
situation in Squid 5.8
Let me explain:
We have an Active Directory group named limited_users that is only
allowed to surf on a very limited list of websites.
These users are therefore forbidden to surf on all sites not listed in
allowed_domains
On the other hand, we have websites in noauth_sites that do not need
to be authenticated by squid but are not allowed to be used by the
limited_users group.
Logically, we would write the following ACLs.
external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl
acl limited_users external ads_group limited_users
This acl requires both login to succeed and group to match in order to
return MATCH.
acl allowed_domains dstdomain siteallowed.com
acl allowed_domains dstdomain siteallowed.fr
acl allowed_domains dstdomain siteallowed.ch
acl noauth_sites dstdomain office365.com
http_access deny !allowed_domains limited_users all #ACL1
http_access allow noauth_sites #ACL2
But in this case, accessing office365.com forces Squid to send the
407 authentication request in order to evaluate limited_users
in #ACL1, so the second ACL is not effective because the request is
blocked beforehand by the 407.
Sounds correct.
The %LOGIN switch in the external ACL ads_group activates the
identification mode.
Yes.
If we use the %un switch instead, it works, but the opposite happens:
ACL#1 is not processed anymore, since authentication is not requested
because the %un switch is too lenient.
Yes. The login does not exist, therefore it has no group.
What I don't understand is why Squid is trying to evaluate the
limited_user object when the first allowed_domain object already
returns FALSE.
You configured the "!" (not) operator to invert the match result.
Returning FALSE becomes a MATCH.
Whatever the result of the objects that follow allowed_domain, the
rule will always fail.
Not quite. A request that provides credentials associated with the
expected group will pass.
In the case where limited_user is in first place, the logic is
correct.
Two questions:
Is there a way for SQUID to not compute all http_access objects if the
first one fails?
No. Because there is more than one HTTP request going on here. Each
request is independent for Squid.
What would be the best rule that could meet this goal?
Structure your access lines as such:
# things not requiring login are checked first
http_access allow noauth_sites
# then do the login
http_access deny !login
# then check things that need login
http_access deny limited_users !allowed_domains
HTH
Amos
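Worked example added by the editor (it is neither from the thread nor from Squid's code): a toy model of how Squid walks its http_access lines, fed with David's and Amos's configurations as text. It assumes an `acl login proxy_auth REQUIRED` line, a final `http_access allow login` / `http_access deny all` pair, and that any proxy_auth or %LOGIN external ACL consulted without credentials results in a 407 challenge; the auth_param lines and the helper options are left out.

```python
"""Added example, not Squid's code: a toy model of how Squid walks its
http_access lines, fed with the squid.conf fragments from this thread.
Assumed simplifications: an auth-dependent ACL consulted without credentials
always yields a 407 challenge; each config ends with 'deny all'."""
from dataclasses import dataclass
from typing import Optional

CHALLENGE = "407"   # Squid replying 407 Proxy-Authentication-Required

@dataclass(frozen=True)
class Request:
    dstdomain: str
    login: Optional[str] = None       # user from Proxy-Authorization, None if absent
    groups: frozenset = frozenset()   # groups the helper would report for that user

class DstDomain:                      # acl NAME dstdomain ...
    def __init__(self):
        self.domains = []
    def test(self, req):              # ".x.com" also matches subdomains, "x.com" is exact
        host = req.dstdomain.lower()
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in self.domains)

class ProxyAuth:                      # acl NAME proxy_auth REQUIRED
    def test(self, req):
        return True if req.login else CHALLENGE

class ExternalGroup:                  # acl NAME external TYPE GROUP
    def __init__(self, group, login_required):
        self.group, self.login_required = group, login_required
    def test(self, req):
        if req.login is None:         # %LOGIN challenges, %un simply does not match
            return CHALLENGE if self.login_required else False
        return self.group in req.groups

class All:                            # the built-in 'all' ACL
    def test(self, req):
        return True

def parse(conf):
    """Turn the subset of squid.conf used here into (action, [(acl, negated)]) rules."""
    acls, rules, ext_login = {"all": All()}, [], {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "external_acl_type":
            ext_login[words[1]] = "%LOGIN" in words   # %LOGIN forces authentication
        elif words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            if kind == "dstdomain":
                acls.setdefault(name, DstDomain()).domains.extend(a.lower() for a in args)
            elif kind == "proxy_auth":
                acls[name] = ProxyAuth()
            elif kind == "external":
                acls[name] = ExternalGroup(args[1], ext_login[args[0]])
            else:
                raise ValueError("unsupported acl type: " + kind)
        elif words[0] == "http_access":
            rules.append((words[1], [(acls[t.lstrip("!")], t.startswith("!")) for t in words[2:]]))
    return rules

def http_access(rules, req):
    """First matching line wins. Terms are ANDed left to right and the line is
    abandoned at the first non-matching term, so a later term is only consulted
    (and can only raise a challenge) when the earlier terms matched."""
    for action, terms in rules:
        for acl, negate in terms:
            result = acl.test(req)
            if result == CHALLENGE:
                return CHALLENGE
            if bool(result) == negate:    # term failed: try the next line
                break
        else:
            return action
    return "deny"   # not reached when the config ends in 'deny all'

ACLS = """
external_acl_type ads_group ttl=3600 negative_ttl=1 ipv4 %LOGIN /lib/squid3/groups.pl
acl limited_users external ads_group limited_users
acl login proxy_auth REQUIRED
acl allowed_domains dstdomain siteallowed.com siteallowed.fr siteallowed.ch
acl noauth_sites dstdomain office365.com
"""
DAVID_RULES = parse(ACLS + """
http_access deny !allowed_domains limited_users all   #ACL1
http_access allow noauth_sites                        #ACL2
http_access deny all
""")
AMOS_RULES = parse(ACLS + """
http_access allow noauth_sites                   # no login needed, checked first
http_access deny !login                          # then do the login
http_access deny limited_users !allowed_domains  # then the group restriction
http_access allow login                          # assumed: other logged-in users pass
http_access deny all
""")

if __name__ == "__main__":
    for rules, label in ((DAVID_RULES, "David"), (AMOS_RULES, "Amos")):
        print(label, "anonymous -> office365.com:", http_access(rules, Request("office365.com")))
```

Running it reproduces the thread: with David's order an anonymous request to office365.com hits `limited_users` in #ACL1 and gets the 407; with Amos's order the `noauth_sites` line answers first and no challenge is sent. The model also makes the trade-off explicit: because office365.com is allowed before any login, a member of limited_users reaches it unauthenticated, so the wish that limited_users be kept off noauth_sites cannot be enforced without challenging everyone. Two Squid details worth keeping in mind while adapting the fragment: a bare `dstdomain siteallowed.com` matches only that exact host (write `.siteallowed.com` to include subdomains), and `squid -k parse` will catch syntax mistakes such as `acls` before the proxy is reloaded.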
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users