<tt><font size=2>"squid-users" <squid-users-bounces@lists.squid-cache.org>
schrieb am 04.02.2015 13:13:49:<br>
<br>
> Von: Leonardo Rodrigues <leolistas@solutti.com.br></font></tt>
<br><tt><font size=2>> An: squid-users@lists.squid-cache.org</font></tt>
<br><tt><font size=2>> Datum: 04.02.2015 13:14</font></tt>
<br><tt><font size=2>> Betreff: Re: [squid-users] Order of http_access
allow/deny</font></tt>
<br><tt><font size=2>> Gesendet von: "squid-users" <squid-users-bounces@lists.squid-cache.org></font></tt>
<br><tt><font size=2>> <br>
> On 04/02/15 09:19, Andreas.Reschke@mahle.com wrote:</font></tt>
<br><tt><font size=2>> Hi there, <br>
> Is there a order of http_access allow/deny? If I activate <br>
> "http_access deny !chkglwebhttp" nobody can use the proxy,
squid <br>
> allways ask for user and password (user and password is correct) <br>
> <br>
> ###### <br>
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http <br>
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling <br>
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social <br>
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All <br>
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put <br>
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User <br>
> acl auth proxy_auth REQUIRED <br>
> acl permitt_ips src 10.143.10.247/32 <br>
> acl FTP proto FTP <br>
> acl PUT method PUT <br>
> <br>
> # whitelisten <br>
> http_access allow open-sites all <br>
> http_access allow localhost <br>
> http_access allow permitt_ips !denied-sites !social-sites <br>
> http_access allow indien DAY <br>
> http_access deny indien <br>
> #http_access deny !chkglwebhttp <br>
> http_access allow selling-sites sellingUser <br>
> http_access allow social-sites socialUser </font></tt>
<br><tt><font size=2>> <br>
> Actually, and i dont know if this a bug or a desired
behavior, <br>
> denying a group seems to always (at least to me) brings the <br>
> authentication popup. To avoid that and make things really work as
<br>
> expected, i usually add an 'all' to the denying clause. As the 'all'<br>
> rule will match anything, it wont change the denying or not of your
<br>
> rule. And it will make things work. Actually this hint was found on
<br>
> the mailing list archives.<br>
> <br>
> So, instead of<br>
> <br>
> http_access deny !chkglwebhttp<br>
> <br>
> try using<br>
> <br>
> http_access deny !chkglwebhttp all<br>
> <br>
> if your 'indien' acl, which is also used on a deny
rule, is also<br>
> a group rule (that cannot be confirmed on the conf you posted), just<br>
> add the all as well. In summary, always add an 'all' to an <br>
> http_access rule which envolves denying by any king of group checking.<br>
> <br>
> <br>
> <br>
> <br>
</font></tt>
<br><tt><font size=2>> -- <br>
> <br>
> <br>
> Atenciosamente / Sincerily,<br>
> Leonardo Rodrigues<br>
> Solutti Tecnologia<br>
> </font></tt><a href=http://www.solutti.com.br/><tt><font size=2>http://www.solutti.com.br</font></tt></a><tt><font size=2><br>
> <br>
> Minha armadilha de SPAM, NÃO mandem email<br>
> gertrudes@solutti.com.br<br>
> My SPAMTRAP, do not email it<br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> squid-users@lists.squid-cache.org<br>
> </font></tt><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><font size=2>http://lists.squid-cache.org/listinfo/squid-users</font></tt></a><tt><font size=2><br>
</font></tt>
<br><tt><font size=2>Hi Leonardo,</font></tt>
<br>
<br><tt><font size=2>thanks for you answer. I've tested it with "http_access
deny !chkglwebhttp all", so no access is allowed. </font></tt>
<br><tt><font size=2>I always get "ext_ldap_group_acl: WARNING: could
not bind to binddn 'Invalid credentials'"</font></tt>
<br>
<br><font size=2 face="sans-serif"><br>
<br>
Mit freundlichen Grüßen / Kind regards<br>
<br>
Mr. Andreas Reschke<br>
andreas.reschke@mahle.com, </font><a href=http://www.mahle.com/><font size=2 color=blue face="sans-serif">http://www.mahle.com</font></a>