[squid-dev] [PATCH] auth_schemes directive
Alex Rousskov
rousskov at measurement-factory.com
Wed Nov 30 19:00:58 UTC 2016
On 11/30/2016 12:06 AM, Alex Rousskov wrote:
> Perhaps there is a way to keep the per-scheme access list advantage
> without opening the 403 Pandora box and preserving the whole-list
> visualization provided by auth_schemes?
>
> For example, we could support something like this:
>
> auth_schemes "ALL except S1" acl1 ...
> auth_schemes "ALL except S1,S2" acl2 ...
> auth_schemes S1,S2 acl3 ...
> auth_schemes ALL acl4 ...
>
> but I do not like how this syntax essentially moves operators inside
> quoted strings.
>
> Another alternative is:
>
> auth_schemes S1 deny acl1 ... # ALL except S1
> auth_schemes S1,S2 deny acl2 ... # ALL except S1 and S2
> auth_schemes S1,S2 allow acl3 ... # just S1 and S2
> auth_schemes ALL allow acl4 ... # ALL
>
> (with the configuration implementation similar to the existing
> request_header_access rules).
>
> Unfortunately, in all these cases, we would have to special-case
> denying/excepting all schemes to avoid opening the 403 Pandora box. Only
> the current auth_schemes implementation avoids that 403 problem (because
> an empty list is a syntax-level/configure-time violation).
I just got a nice illustration of why that 403-via-lack-of-schemes Pandora
box should remain closed:
A customer has indicated that "auth_schemes NONE" support would make
writing their configurations a little easier. That comment appeared to
support your assertion that lack-of-schemes should be treated as a
special useful 403 Forbidden case. However, to my surprise, the
follow-up conversation revealed that the customer expected "auth_schemes
NONE" to _allow_ access, not forbid it!
This example of diametrically opposed expectations reinforces my
original worries about supporting this special "no authentication
schemes" case. I think we should continue to rely on http_access to
permit or forbid access (including permitting or forbidding access
without authentication) and require at least one authentication scheme
to be available when authentication schemes are configured/used.
That said, there might still be a way to configure the list of schemes
better than the posted auth_schemes does. I have not found it yet though.
Alex.
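The configuration below is an added example, not part of the thread and not the posted patch. It shows the position Alex argues for: the "no authentication" and "forbid" outcomes are expressed with http_access, while auth_schemes only ever names at least one scheme. It assumes the auth_schemes syntax that later shipped in Squid 4 (`auth_schemes scheme[,scheme...] [!]acl ...`), which may differ from the patch under discussion; the helper paths, subnets and domain are placeholders.

```conf
# Added example (assumes Squid 4 auth_schemes syntax; not from the thread).
# Helper paths, subnets and the domain below are placeholders.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

acl localnet       src 10.0.0.0/8
acl legacy_clients src 10.1.2.0/24
acl public_dst     dstdomain .example.net
acl authenticated  proxy_auth REQUIRED

# Scheme selection: every rule names at least one scheme.
# Most clients are offered Negotiate only; legacy clients also get Basic.
auth_schemes negotiate       !legacy_clients
auth_schemes negotiate,basic legacy_clients

# Access decisions live in http_access, including "no authentication":
http_access allow localnet public_dst   # matched before proxy_auth: no 407 challenge
http_access allow authenticated         # everyone else is challenged
http_access deny all                    # 403 comes from here, not from an empty scheme list
```

Rule order carries the meaning: the `public_dst` rule must precede the `proxy_auth` rule, otherwise Squid challenges those requests too. Dropping a scheme from the list merely narrows the 407 challenge; it never decides access.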