[squid-users] help with acl order and deny_info pages

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 16 15:00:56 UTC 2015


On 17/09/2015 12:37 a.m., Marko Cupać wrote:
> Hi,
> 
> I'm trying to setup squid in a way that it authenticates users via
> kerberos and grants different levels of web access according to ldap
> query of MS AD groups. After some trials and errors I have found acl
> order which apparently does not trigger reauthentication (auth
> dialogues in browsers although I don't even provide basic auth).

What makes you think the browser dialog box has anything to do with Basic auth?
All it means is that the browser does not know what credentials will
work. The ones tried (if any) have been rejected with a challenge
response (401/407) for valid ones. It may be the browser password manager.

If you are using only Kerberos auth then users enter their Kerberos
username and password into the dialog to allow the browser to fetch the
Kerberos token (or keytab entry) it needs to send to Squid.


> Here's relevant part:
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access deny !auth all
> http_access allow !basic_domains !basic_extensions basic_users
> http_reply_access allow !basic_mimetypes basic_users
> http_access allow !advanced_domains !advanced_extensions advanced_users
> http_access allow expert_users all
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access allow localhost
> http_access deny all
> 
> I'd like to know which acl triggered the ban, so I've created custom
> error page:
> 
> error_directory /usr/local/etc/squid/myerrors
> deny_info ERR_BASIC_EXTENSION basic_extensions
> 
> The problem is that my custom error page does not trigger when I expect
> it to (member of basic_users accessing URL with extension listed in
> basic_extensions) - ERR_ACCESS_DENIED is triggered instead. I guess
> this is because of last matching rule which is http_access deny all.

Perhaps.

But, basic_extensions is never the last listed ACL in a denial rule.
There is never a deny action associated with the ACL. That is why the
deny_info response template is not being used.

> 
> Is there another way how I can order acls so that I don't trigger
> reauthentication while triggering deny_info?

Not without the ACL definition details.

Amos
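The point Amos makes above (deny_info is only consulted when the named ACL is the last ACL on the http_access deny line that actually produced the denial) is easier to see side by side. The fragment below is an added illustration, not configuration from either poster. The acl definitions for auth, basic_domains and basic_extensions are assumptions, since the original message only shows the http_access lines; basic_users is the LDAP group lookup described in the thread and its definition is omitted here.

```conf
# Added example, not from the thread. The acl definitions are assumptions;
# the original message only shows the http_access lines.
acl auth proxy_auth REQUIRED
acl basic_domains dstdomain "/usr/local/etc/squid/basic_domains.txt"   # assumed
acl basic_extensions urlpath_regex -i \.(exe|msi|iso)$                 # assumed pattern
# basic_users: external acl doing the AD group lookup, defined elsewhere.

error_directory /usr/local/etc/squid/myerrors
deny_info ERR_BASIC_EXTENSION basic_extensions

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !auth all

# As posted: basic_extensions only ever appears (negated) on an allow line.
# A basic user requesting a listed extension simply fails to match this
# allow rule and falls through to "deny all". The last ACL on the line
# that denied is "all", so Squid serves ERR_ACCESS_DENIED and the
# deny_info for basic_extensions is never looked at.
#http_access allow !basic_domains !basic_extensions basic_users
#http_access deny all

# Illustration of the rule: give the extension check its own deny line
# with basic_extensions as the LAST acl on it. Squid evaluates the acls
# left to right and stops at the first non-match, so users outside
# basic_users never reach basic_extensions, while a basic user hitting a
# listed extension is denied with basic_extensions as the last matched
# ACL, which is what selects the ERR_BASIC_EXTENSION template.
http_access deny basic_users basic_extensions
http_access allow !basic_domains basic_users
http_access deny all
```

The same pattern applies to any other denial you want to label: put the ACL you intend to report last on an explicit http_access deny line, and name exactly that ACL in deny_info. An ACL that only appears on allow lines, however it is negated, can never be the one blamed for a denial.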
