[squid-users] %LOGIN place in squid 5.8 acls

David Touzeau david at articatech.com
Sun Apr 23 23:33:23 UTC 2023


We have a "problem" with ACLs, and I don't know how to address this 
situation in Squid 5.8
Let me explain:
We have an Active Directory group named limited_users that is only 
allowed to surf on a very limited list of websites.
These users are therefore forbidden to surf on all sites not listed in 
allowed_domains
On the other hand, we have websites in noauth_sites that do not need to 
be authenticated by squid but are not allowed to be used by 
limited_users group

In logic, we would write the following ACLs.

external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl

acl limited_users ads_group limited_users
acl allowed_domains dstdomain siteallowed.com
acl allowed_domains dstdomain siteallowed.fr
acl allowed_domains dstdomain siteallowed.ch

acl noauth_sites dstdomain office365.com


http_access deny !allowed_domains limited_users all #ACL1
http_access allow noauth_sites #ACL2


But in this case, accessing office365.com forces Squid to send the 407 
Authentication request in order to calculate limited_users in 
#ACL1, then the second ACL is not effective because the request is 
blocked beforehand by the 407.
The %LOGIN switch in the external ACL ads_group activates the 
identification mode.
If we use the %un switch instead, it works, but it becomes the counter: 
#ACL1 is not processed anymore since the authentication is not requested 
because the %un switch is too smooth.

What I don't understand is that SQUID is trying to calculate the 
limited_users object when the first allowed_domains object already returns 
FALSE.
Whatever the result of the objects that follow allowed_domains, the rule 
will always fail.
In the case where limited_users is in first place, the logic is correct.

Two questions:

Is there a way for SQUID to not compute all http_access objects if the 
first one fails?

What would be the best rule that could meet this goal?

regards
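A small model of how Squid walks http_access lines, added here as an illustration and not part of the post or of Squid itself: lines are tried in order, the elements of a line are ANDed left to right and the line is abandoned at the first element that does not match, and an element that needs credentials (the external ACL fed %LOGIN) triggers the 407 challenge when the request carries none. The sets ALLOWED_DOMAINS, NOAUTH_SITES and LIMITED_USERS, the Request class and the two rule lists are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the post's ACL definitions and the AD group lookup.
ALLOWED_DOMAINS = {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}
NOAUTH_SITES = {"office365.com"}
LIMITED_USERS = {"alice"}           # members of the AD group limited_users

class NeedAuth(Exception): pass     # ACL needs credentials the request lacks

@dataclass
class Request:
    host: str
    user: Optional[str] = None      # None: no Proxy-Authorization header yet

def acl_match(name: str, req: Request) -> bool:
    if name == "allowed_domains":   # dstdomain: needs no credentials
        return req.host in ALLOWED_DOMAINS
    if name == "noauth_sites":
        return req.host in NOAUTH_SITES
    if name == "limited_users":     # external ACL with %LOGIN: needs a user
        if req.user is None:
            raise NeedAuth
        return req.user in LIMITED_USERS
    return name == "all"

def evaluate(rules, req: Request) -> str:
    """rules: [(action, [acl tokens]), ...] in http_access order.
    Returns 'allow', 'deny' or '407' (authentication challenge)."""
    for action, elements in rules:
        matched = True
        for elem in elements:           # elements are ANDed left to right
            negate = elem.startswith("!")
            try:
                hit = acl_match(elem.lstrip("!"), req)
            except NeedAuth:
                return "407"
            if hit == negate:           # element failed: rest of line skipped
                matched = False
                break
        if matched:
            return action               # first fully matching line wins
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

ORIGINAL = [("deny", ["!allowed_domains", "limited_users", "all"]),   # ACL1
            ("allow", ["noauth_sites"])]                              # ACL2
REORDERED = [("allow", ["noauth_sites"]),
             ("deny", ["!allowed_domains", "limited_users", "all"])]
```

With the post's ordering an unauthenticated request for office365.com passes !allowed_domains and reaches limited_users, so the model returns '407'; with the noauth_sites line first it returns 'allow' without touching the external ACL.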

