[squid-users] %LOGIN place in squid 5.8 acls

David Touzeau david at articatech.com
Mon Apr 24 12:14:35 UTC 2023


Thanks Amos for the mistake, yes my explanation was wrong.
You are right, the first object !allowed_domains matches, so squid 
usually computes the second object. This is an expected behavior.

According to your suggestion my problem was the first rule "http_access allow 
noauth_sites" in first place.
Yes, it will allow requests, but requests will be allowed for all other 
rules too.
It makes sense, why compute all other rules if the first one is allowed?

If I add office365.com in the noauth_sites object but I did not want 
office365.com for limited_users, the noauth_sites in first place will 
disable all "deny" rules.

Am I wrong?


On 24/04/2023 11:22, Amos Jeffries wrote:
> On 24/04/2023 11:33 am, David Touzeau wrote:
>> We have a "problem" with ACLs, and I don't know how to address this 
>> situation in Squid 5.8
>> Let me explain:
>> We have an Active Directory group named limited_users that is only 
>> allowed to surf on a very limited list of websites.
>> These users are therefore forbidden to surf on all sites not listed 
>> in allowed_domains.
>> On the other hand, we have websites in noauth_sites that do not need 
>> to be authenticated by squid but are not allowed to be used by the 
>> limited_users group.
>>
>> In logic, we would write the following ACLs.
>>
>> external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 
>> children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN 
>> /lib/squid3/groups.pl
>>
>> acl limited_users external ads_group limited_users
>
> This acl requires both login to succeed and group to match in order to 
> return MATCH.
>
>
>> acl allowed_domains dstdomain siteallowed.com
>> acl allowed_domains dstdomain siteallowed.fr
>> acl allowed_domains dstdomain siteallowed.ch
>>
>> acl noauth_sites dstdomain office365.com
>>
>>
>> http_access deny !allowed_domains limited_users all #ACL1
>> http_access allow noauth_sites #ACL2
>>
>> But in this case, accessing office365.com forces Squid to send the 
>> 407 Authentication request in order to calculate the limited_users 
>> in #ACL1, then the second ACL is not effective because the request 
>> is blocked before by the 407.
>
> Sounds correct.
>
>> The %LOGIN switch in the external ACL ads_group activates the 
>> identification mode.
>
> Yes.
>
>> If we use the %un switch instead, it works but it becomes the 
>> counter: ACL#1 is not processed anymore since the authentication is 
>> not requested because the %un switch is too smooth.
>
> Yes. The login is not existing, therefore has no group.
>
>
>> What I don't understand is that SQUID is trying to calculate the 
>> limited_users object when the first allowed_domains object already 
>> returns FALSE.
>
> You configured the "!" (not) operator to invert the match result.
> Returning FALSE becomes a MATCH.
>
>
>> Whatever the result of the objects that follow allowed_domain, the 
>> rule will always fail.
>
> Not quite. A request that provides credentials associated with the 
> expected group will pass.
>
>> In the case where limited_user is in the first place, the logic is 
>> correct.
>>
>> Two questions:
>>
>> Is there a way for SQUID to not compute all http_access objects if 
>> the first one fails?
>
> No. Because there is more than one HTTP request going on here. Each 
> request is independent for Squid.
>
>
>> What would be the best rule that could meet this goal?
>
> Structure your access lines as such;
>
>   # things not requiring login are checked first
>   http_access allow noauth_sites
>
>   # then do the login
>   http_access deny !login
>
>   # then check things that need login
>   http_access deny limited_users !allowed_sites
>
>
> HTH
> Amos
>

-- 
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www:https://wiki.articatech.com
www:http://articatech.net  
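As an added illustration (not code from this thread or from Squid), here is a small Python model of how Squid walks http_access lines: top-down, first matching line wins, every ACL on a line must match from left to right, and an ACL that needs credentials (the %LOGIN external acl, or a proxy_auth acl modelled here as `login`) produces a 407 when the request carries none. The two rule sets are David's original order and Amos's suggested order; it is assumed that Amos's `allowed_sites` means the `allowed_domains` acl, and the model skips Squid's fast/slow ACL distinction.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    host: str
    user: str = ""                        # empty = no Proxy-Authorization header
    groups: set = field(default_factory=set)

# Constructed ACL table mirroring the thread: the %LOGIN external acl is modelled as a
# group lookup that needs a logged-in user, and "login" stands in for a proxy_auth acl.
ACLS = {
    "allowed_domains": ("dstdomain", {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}),
    "noauth_sites": ("dstdomain", {"office365.com"}),
    "limited_users": ("ext_group", {"limited_users"}),
    "login": ("proxy_auth", None),
    "all": ("all", None),
}

def match(name: str, req: Request):
    """True/False for a match, None when Squid would have to challenge (407) first."""
    kind, arg = ACLS[name]
    if kind == "all":
        return True
    if kind == "dstdomain":
        return req.host in arg or any(req.host.endswith("." + d) for d in arg)
    if not req.user:                      # %LOGIN / proxy_auth without credentials
        return None
    return True if kind == "proxy_auth" else bool(req.groups & arg)

def http_access(rules, req: Request) -> str:
    """Top-down, first matching line wins; every ACL on a line must match (AND),
    checked left to right. Returns 'allow', 'deny' or '407'."""
    for action, tokens in rules:
        for tok in tokens:
            matched = match(tok.lstrip("!"), req)
            if matched is None:
                return "407"              # challenge sent, this request goes no further
            if matched == tok.startswith("!"):
                break                     # this ACL failed: give up on the line
        else:
            return action                 # every ACL on the line matched
    # no line matched: Squid applies the opposite of the last line's action
    return "allow" if rules[-1][0] == "deny" else "deny"

DAVID = [("deny", ["!allowed_domains", "limited_users", "all"]),   # ACL1
         ("allow", ["noauth_sites"])]                              # ACL2
AMOS = [("allow", ["noauth_sites"]),                               # no login needed
        ("deny", ["!login"]),                                      # then do the login
        ("deny", ["limited_users", "!allowed_domains"])]           # then group checks
```

Running both orders for an anonymous request to office365.com shows the 407 in David's order and a plain allow in Amos's, and for an authenticated limited_users member it shows the trade-off David describes: the early allow for noauth_sites also lets that group through, because identity is never checked on that line.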