[squid-users] Order of http_access allow/deny

Leonardo Rodrigues leolistas at solutti.com.br
Wed Feb 4 12:13:49 UTC 2015


On 04/02/15 09:19, Andreas.Reschke at mahle.com wrote:
> Hi there,
> Is there an order of http_access allow/deny? If I activate "http_access 
> deny !chkglwebhttp" nobody can use the proxy, squid always asks for 
> user and password (user and password is correct)
>
> ######
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> acl auth proxy_auth REQUIRED
> acl permitt_ips src 10.143.10.247/32
> acl FTP proto FTP
> acl PUT method PUT
>
> # whitelisten
> http_access allow open-sites all
> http_access allow localhost
> http_access allow permitt_ips !denied-sites !social-sites
> http_access allow indien DAY
> http_access deny indien
> #http_access deny !chkglwebhttp
> http_access allow selling-sites sellingUser
> http_access allow social-sites socialUser

     Actually, and I don't know if this is a bug or desired behavior, 
denying a group seems to always (at least to me) bring the 
authentication popup. To avoid that and make things really work as 
expected, I usually add an 'all' to the denying clause. As the 'all' 
rule will match anything, it won't change whether your rule denies or 
not. And it will make things work. Actually this hint was found on the 
mailing list archives.

     So, instead of

http_access deny !chkglwebhttp

     try using

http_access deny !chkglwebhttp all

     If your 'indien' acl, which is also used on a deny rule, is also a 
group rule (that cannot be confirmed from the conf you posted), just add 
the 'all' as well. In summary, always add an 'all' to an http_access rule 
which involves denying by any kind of group checking.

-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it

