Thanks Amos for pointing out the mistake, yes my explanation was wrong.

You are right, the first object !allowed_domains matches, so Squid normally computes the second object. This is an expected behavior.

According to your suggestion, my problem was the first rule "http_access allow noauth_sites" in first place.
Yes, it will allow requests, but requests will be allowed for all other rules too.
It makes sense: why compute all the other rules if the first one is allowed?

If I add office365.com to the noauth_sites object but I do not want office365.com for limited_users, noauth_sites in first place will disable all "deny" rules.
Am I wrong?
On 24/04/2023 11:22, Amos Jeffries wrote:
On 24/04/2023 11:33 am, David Touzeau wrote:
We have a "problem" with ACLs, and I don't know how to address this situation in Squid 5.8.
Let me explain:
We have an Active Directory group named limited_users that is only allowed to surf on a very limited list of websites.
These users are therefore forbidden to surf on all sites not listed in allowed_domains.
On the other hand, we have websites in noauth_sites that do not need to be authenticated by Squid but are not allowed to be used by the limited_users group.
Logically, we would write the following ACLs.
external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl
acl limited_users ads_group limited_users
This acl requires both login to succeed and group to match in order to return MATCH.
acl allowed_domains dstdomain siteallowed.com
acl allowed_domains dstdomain siteallowed.fr
acl allowed_domains dstdomain siteallowed.ch
acl noauth_sites dstdomain office365.com
http_access deny !allowed_domains limited_users all #ACL1
http_access allow noauth_sites #ACL2
But in this case, accessing office365.com forces Squid to send the 407 Authentication request in order to calculate limited_users in #ACL1, so the second ACL is not effective because the request is blocked beforehand by the 407.
Sounds correct.
The %LOGIN switch in the external ACL ads_group activates the identification mode.
Yes.
If we use the %un switch instead, it works but it becomes the opposite: ACL#1 is not processed anymore since authentication is not requested, because the %un switch is too smooth.
Yes. The login does not exist, therefore has no group.
What I don't understand is that SQUID is trying to calculate the limited_user object when the first allowed_domain object already returns FALSE.
You configured the "!" (not) operator to invert the match result. Returning FALSE becomes a MATCH.
Whatever the result of the objects that follow allowed_domain, the rule will always fail.
Not quite. A request that provides credentials associated with the expected group will pass.
In the case where limited_user is in the first place, the logic is correct.
Two questions:
Is there a way for SQUID to not compute all http_access objects if the first one fails?
No. Because there is more than one HTTP request going on here. Each request is independent for Squid.
What would be the best rule that could meet this goal?
Structure your access lines as such;
# things not requiring login are checked first
http_access allow noauth_sites
# then do the login
http_access deny !login
# then check things that need login
http_access deny limited_users !allowed_sites
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www: https://wiki.articatech.com
www: http://articatech.net
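To make the evaluation order discussed in this thread concrete, the following is an added example (not Squid's code and not from either poster) that models http_access evaluation in Python and runs both orderings, the original #ACL1/#ACL2 pair and the structure suggested in the reply, against the thread's hosts. It assumes that "login" is a proxy_auth ACL and that "allowed_sites" in the reply refers to the allowed_domains ACL.

```python
# Simplified model of how Squid walks http_access lines, added here as an
# illustration (not Squid's own code): lines are tried top to bottom, a line
# stops at its first non-matching ACL, the first fully matching line decides,
# and a credential-dependent ACL (%LOGIN external ACL or proxy_auth) makes Squid
# answer 407 when the request has no credentials. "login" is assumed proxy_auth.
ALLOWED_DOMAINS = {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}
NOAUTH_SITES = {"office365.com"}

class NeedAuth(Exception): pass  # credential-dependent ACL reached without login

def acl_matches(name, req):
    """req = {"host": str, "user": str | None, "groups": set}."""
    if name == "all":
        return True
    if name == "allowed_domains":
        return req["host"] in ALLOWED_DOMAINS
    if name == "noauth_sites":
        return req["host"] in NOAUTH_SITES
    if req["user"] is None:  # login / limited_users: Squid must challenge first
        raise NeedAuth(name)
    return name == "login" or "limited_users" in req["groups"]

def line_matches(tokens, req):
    for tok in tokens:
        negated = tok.startswith("!")
        if acl_matches(tok.lstrip("!"), req) == negated:  # first failing ACL ends it
            return False
    return True

def http_access(rules, req):
    """rules: list of (action, [acl tokens]); returns "allow", "deny" or "407"."""
    for action, tokens in rules:
        try:
            if line_matches(tokens, req):
                return action
        except NeedAuth:
            return "407"
    # Nothing matched: Squid's default is the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

# David's order (#ACL1 then #ACL2) and the order suggested in the reply,
# reading "allowed_sites" there as the allowed_domains ACL defined above.
ORIGINAL = [("deny", ["!allowed_domains", "limited_users", "all"]), ("allow", ["noauth_sites"])]
REORDERED = [("allow", ["noauth_sites"]), ("deny", ["!login"]),
             ("deny", ["limited_users", "!allowed_domains"])]

def anon(host):  # constructed sample requests: no credentials ...
    return {"host": host, "user": None, "groups": set()}
def limited(host):  # ... and an authenticated member of limited_users
    return {"host": host, "user": "alice", "groups": {"limited_users"}}
```

Under the suggested ordering, a limited_users member requesting office365.com hits the first line and is allowed, which is exactly the case raised at the top of the message.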