<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<font face="monospace">Thanks Amos for spotting the mistake, yes my explanation
was wrong.<br>
You are right, the first object !allowed_domains matches, so
Squid usually computes the second object. This is expected
behavior.<br>
<br>
According to your suggestion, my problem was the first rule
"http_access allow noauth_sites" being in first place.<br>
Yes, it will allow requests, but requests will be allowed for all
other rules too.<br>
It makes sense: why compute all the other rules if the first one
allows?<br>
<br>
If I add office365.com to the noauth_sites object but I do not want
office365.com for limited_users, noauth_sites in first place will
disable all "deny" rules.<br>
<br>
Am I wrong?<br>
</font><br>
<br>
<div class="moz-cite-prefix">On 24/04/2023 11:22, Amos Jeffries
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:87ae91a9-2a54-285c-cfb7-fb6ae88468ae@treenet.co.nz">On
24/04/2023 11:33 am, David Touzeau wrote:
<br>
<blockquote type="cite">We have a "problem" with ACLs, and I don't
know how to address this situation in Squid 5.8
<br>
Let me explain:
<br>
We have an Active Directory group named limited_users that is
only allowed to surf on a very limited list of websites.
<br>
These users are therefore forbidden to surf on all sites not
listed in allowed_domains
<br>
On the other hand, we have websites in noauth_sites that do not
need to be authenticated by Squid but are not allowed to be used
by the limited_users group.
<br>
<br>
Logically, we would write the following ACLs.
<br>
<br>
external_acl_type ads_group ttl=3600 negative_ttl=1
concurrency=50 children-startup=1 children-idle=1
children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl
<br>
<br>
acl limited_users ads_group limited_users
<br>
</blockquote>
<br>
This acl requires both login to succeed and group to match in
order to return MATCH.
<br>
<br>
<br>
<blockquote type="cite">acl allowed_domains dstdomain
siteallowed.com
<br>
acl allowed_domains dstdomain siteallowed.fr
<br>
acl allowed_domains dstdomain siteallowed.ch
<br>
<br>
acl noauth_sites dstdomain office365.com
<br>
<br>
<br>
http_access deny !allowed_domains limited_users all #ACL1
<br>
http_access allow noauth_sites #ACL2
<br>
<br>
But in this case, accessing office365.com forces Squid to send
the 407 authentication request in order to evaluate
limited_users in #ACL1, so the second ACL is not effective
because the request is blocked beforehand by the 407.
<br>
</blockquote>
<br>
Sounds correct.
<br>
<br>
<blockquote type="cite">The %LOGIN switch in the external ACL
ads_group activates the identification mode.
<br>
</blockquote>
<br>
Yes.
<br>
<br>
<blockquote type="cite">If we use the %un switch instead, it
works but it becomes the opposite problem: ACL#1 is not processed
anymore since authentication is not requested, because the %un
switch is too lenient.
<br>
</blockquote>
<br>
Yes. The login does not exist, therefore it has no group.
<br>
<br>
<br>
<blockquote type="cite">What I don't understand is that SQUID is
trying to calculate the limited_user object when the first
allowed_domain object already returns FALSE.
<br>
</blockquote>
<br>
You configured the "!" (not) operator to invert the match result.
<br>
Returning FALSE becomes a MATCH.
<br>
<br>
<br>
<blockquote type="cite">Whatever the result of the objects that
follow allowed_domain, the rule will always fail.
<br>
</blockquote>
<br>
Not quite. A request that provides credentials associated with the
expected group will pass.
<br>
<br>
<blockquote type="cite">In the case where limited_user is in the
first place, the logic is correct.
<br>
<br>
Two questions:
<br>
<br>
Is there a way for SQUID to not compute all http_access objects
if the first one fails?
<br>
</blockquote>
<br>
No. Because there is more than one HTTP request going on here.
Each request is independent for Squid.
<br>
<br>
<br>
<blockquote type="cite">What would be the best rule that could
meet this goal?
<br>
</blockquote>
<br>
Structure your access lines as such:
<br>
<br>
# things not requiring login are checked first
<br>
http_access allow noauth_sites
<br>
<br>
# then do the login
<br>
http_access deny !login
<br>
<br>
# then check things that need login
<br>
http_access deny limited_users !allowed_sites
<br>
<br>
<br>
HTH
<br>
Amos
<br>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www: <a class="moz-txt-link-freetext" href="https://wiki.articatech.com">https://wiki.articatech.com</a>
www: <a class="moz-txt-link-freetext" href="http://articatech.net">http://articatech.net</a> </pre>
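<p>The evaluation order discussed in this thread, as an added example that is not part of the original messages or of Squid's own code: a small Python model of how http_access lines are tried, showing why ACL1 ahead of ACL2 produces a 407 for an anonymous office365.com request and what Amos's ordering does instead. It assumes a proxy_auth ACL named "login" behind his "deny !login" line, and reads his "allowed_sites" as the thread's allowed_domains list.</p>

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).
Lines are tried top-down; ACLs on a line are ANDed left to right, stopping at
the first non-match; '!' inverts; an ACL needing credentials (proxy_auth or an
external ACL with %LOGIN) yields a 407 challenge if the request has none; with
no matching line the default is the opposite of the last line's action."""
from dataclasses import dataclass
from typing import Optional
# Constructed ACL table mirroring the thread.  "login" stands for an assumed
# "acl login proxy_auth REQUIRED" that Amos's "deny !login" line relies on.
ACLS = {
    "allowed_domains": ("dstdomain", {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}),
    "noauth_sites": ("dstdomain", {"office365.com"}),
    "login": ("login", set()),
    "limited_users": ("group", {"limited_users"}),  # ads_group helper, %LOGIN
    "all": ("all", set()),
}

@dataclass
class Request:
    host: str
    user: Optional[str] = None        # None: no Proxy-Authorization header sent
    groups: frozenset = frozenset()   # AD groups of the authenticated user

class NeedsAuth(Exception):
    """An ACL needed credentials that the request did not carry."""

def acl_match(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "dstdomain":
        return req.host in values or any(req.host.endswith("." + v) for v in values)
    if req.user is None:
        raise NeedsAuth(name)         # Squid must challenge before it can decide
    return True if kind == "login" else bool(values & req.groups)

def http_access(rules, req: Request) -> str:
    """rules: [(action, [acl tokens])] in config order -> 'allow', 'deny' or '407'."""
    for action, tokens in rules:
        try:
            hit = all(acl_match(t.lstrip("!"), req) != t.startswith("!") for t in tokens)
        except NeedsAuth:
            return "407"
        if hit:
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

ORIGINAL = [("deny", ["!allowed_domains", "limited_users", "all"]),   # ACL1: 407 for an
            ("allow", ["noauth_sites"])]                              # anonymous office365.com hit
REORDERED = [("allow", ["noauth_sites"]),                      # Amos's ordering; his
             ("deny", ["!login"]),                             # "allowed_sites" is read
             ("deny", ["limited_users", "!allowed_domains"])]  # here as allowed_domains
```

With REORDERED, an authenticated limited_users member reaching office365.com is also allowed by the first line, which is the side effect the top of this thread asks about.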
</body>
</html>