[squid-users] help with acl order and deny_info pages

Marko Cupać marko.cupac at mimar.rs
Wed Sep 16 12:37:03 UTC 2015


Hi,

I'm trying to set up squid in a way that it authenticates users via
Kerberos and grants different levels of web access according to an LDAP
query of MS AD groups. After some trial and error I have found an ACL
order which apparently does not trigger reauthentication (auth
dialogues in browsers, although I don't even provide basic auth).
Here's the relevant part:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny !auth all
http_access allow !basic_domains !basic_extensions basic_users
http_reply_access allow !basic_mimetypes basic_users
http_access allow !advanced_domains !advanced_extensions advanced_users
http_access allow expert_users all
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localhost
http_access deny all

I'd like to know which ACL triggered the ban, so I've created a custom
error page:

error_directory /usr/local/etc/squid/myerrors
deny_info ERR_BASIC_EXTENSION basic_extensions

The problem is that my custom error page does not trigger when I expect
it to (a member of basic_users accessing a URL with an extension listed in
basic_extensions); ERR_ACCESS_DENIED is triggered instead. I guess
this is because of the last matching rule, which is http_access deny all.

Is there another way I can order the ACLs so that I don't trigger
reauthentication while still triggering deny_info?

Thank you in advance.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
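As an added illustration (not part of the original post), the fragment below reorders the same rules so that the request is refused by a line whose last ACL is basic_extensions, which is the ACL Squid uses to select the deny_info page. It assumes the ACL names and error_directory from the post and keeps the poster's `deny !auth all` line unchanged.

```conf
# Added example, not the poster's configuration. Same ACL names as the
# post (auth, basic_users, basic_domains, basic_extensions, advanced_*,
# expert_users); the error page file is ERR_BASIC_EXTENSION.
error_directory /usr/local/etc/squid/myerrors
deny_info ERR_BASIC_EXTENSION basic_extensions

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

# Kept verbatim from the post: authentication is required once, up front.
http_access deny !auth all

# Squid picks the deny_info page from the last ACL that matched on the
# line that actually denied the request. "deny all" never matches a
# deny_info entry, so the group-specific refusals must be explicit deny
# lines whose final ACL is the one named in deny_info.
http_access deny basic_users basic_extensions
http_access deny basic_users basic_domains
http_access allow basic_users

http_access deny advanced_users advanced_extensions
http_access deny advanced_users advanced_domains
http_access allow advanced_users

http_access allow expert_users

# Reply-side filtering stays where it was; a matching deny_info entry
# (not shown) would follow the same last-ACL rule.
http_reply_access deny basic_users basic_mimetypes

http_access allow localhost
# Only requests that matched none of the group rules above reach this
# line, so ERR_ACCESS_DENIED is now limited to genuinely unclassified users.
http_access deny all
```

The ordering also means an authenticated user who is in none of the three groups is refused without any further authentication challenge, since the auth decision has already been made on the `deny !auth all` line.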

