<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 04/02/15 09:19,
<a class="moz-txt-link-abbreviated" href="mailto:Andreas.Reschke@mahle.com">Andreas.Reschke@mahle.com</a> wrote:<br>
</div>
<blockquote
cite="mid:OF2562A001.22F6DDA1-ONC1257DE2.003D6208-C1257DE2.003E2E16@mahle.com"
type="cite"><font size="2" face="sans-serif">Hi there,</font>
<br>
<font size="2" face="sans-serif">Is there a order of http_access
allow/deny?
If I activate "http_access deny !chkglwebhttp" nobody can use
the proxy, squid allways ask for user and password (user and
password is
correct)</font>
<br>
<br>
<font size="2" face="sans-serif">######</font>
<br>
<font size="2" face="sans-serif">acl chkglwebhttp external
LDAPLookup
GGPY-LO-Web-Http</font>
<br>
<font size="2" face="sans-serif">acl sellingUser external
LDAPLookup
GGPY-LO-Web-Allowed-Selling</font>
<br>
<font size="2" face="sans-serif">acl socialUser external
LDAPLookup GGPY-LO-Web-Allowed-Social</font>
<br>
<font size="2" face="sans-serif">acl allforbUser external
LDAPLookup
GGPY-LO-Web-Allowed-All</font>
<br>
<font size="2" face="sans-serif">acl ftpputUser external
LDAPLookup GGPY-LO-Web-Ftp-Put</font>
<br>
<font size="2" face="sans-serif">acl loggingUser external
LDAPLookup
GGPY-LO-Web-Log-User</font>
<br>
<font size="2" face="sans-serif">acl auth proxy_auth REQUIRED</font>
<br>
<font size="2" face="sans-serif">acl permitt_ips src
10.143.10.247/32</font>
<br>
<font size="2" face="sans-serif">acl FTP proto FTP</font>
<br>
<font size="2" face="sans-serif">acl PUT method PUT</font>
<br>
<br>
<font size="2" face="sans-serif"># whitelisten</font>
<br>
<font size="2" face="sans-serif">http_access allow open-sites all</font>
<br>
<font size="2" face="sans-serif">http_access allow localhost</font>
<br>
<font size="2" face="sans-serif">http_access allow permitt_ips
!denied-sites
!social-sites</font>
<br>
<font size="2" face="sans-serif">http_access allow indien DAY</font>
<br>
<font size="2" face="sans-serif">http_access deny indien</font>
<br>
<font size="2" face="sans-serif">#http_access deny !chkglwebhttp</font>
<br>
<font size="2" face="sans-serif">http_access allow selling-sites
sellingUser</font>
<br>
<font size="2" face="sans-serif">http_access allow social-sites
socialUser</font>
<br>
</blockquote>
<br>
Actually, and i dont know if this a bug or a desired behavior,
denying a group seems to always (at least to me) brings the
authentication popup. To avoid that and make things really work as
expected, i usually add an 'all' to the denying clause. As the 'all'
rule will match anything, it wont change the denying or not of your
rule. And it will make things work. Actually this hint was found on
the mailing list archives.<br>
<br>
So, instead of<br>
<br>
http_access deny !chkglwebhttp<br>
<br>
try using<br>
<br>
http_access deny !chkglwebhttp all<br>
<br>
if your 'indien' acl, which is also used on a deny rule, is also
a group rule (that cannot be confirmed on the conf you posted), just
add the all as well. In summary, always add an 'all' to an
http_access rule which envolves denying by any king of group
checking.<br>
<br>
<br>
<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
<a class="moz-txt-link-freetext" href="http://www.solutti.com.br">http://www.solutti.com.br</a>
Minha armadilha de SPAM, NÃO mandem email
<a class="moz-txt-link-abbreviated" href="mailto:gertrudes@solutti.com.br">gertrudes@solutti.com.br</a>
My SPAMTRAP, do not email it
</pre>
</body>
</html>