[squid-users] Order of http_access allow/deny
Leonardo Rodrigues
leolistas at solutti.com.br
Wed Feb 4 12:13:49 UTC 2015
On 04/02/15 09:19, Andreas.Reschke at mahle.com wrote:
> Hi there,
> Is there an order of http_access allow/deny? If I activate "http_access
> deny !chkglwebhttp" nobody can use the proxy, squid always asks for
> user and password (user and password are correct)
>
> ######
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> acl auth proxy_auth REQUIRED
> acl permitt_ips src 10.143.10.247/32
> acl FTP proto FTP
> acl PUT method PUT
>
> # whitelisten
> http_access allow open-sites all
> http_access allow localhost
> http_access allow permitt_ips !denied-sites !social-sites
> http_access allow indien DAY
> http_access deny indien
> #http_access deny !chkglwebhttp
> http_access allow selling-sites sellingUser
> http_access allow social-sites socialUser
Actually, and I don't know if this is a bug or a desired behavior,
denying a group seems to always (at least to me) bring up the
authentication popup. To avoid that and make things really work as
expected, I usually add an 'all' to the denying clause. As the 'all'
rule will match anything, it won't change the denying or not of your
rule. And it will make things work. Actually this hint was found in the
mailing list archives.
So, instead of

    http_access deny !chkglwebhttp

try using

    http_access deny !chkglwebhttp all

If your 'indien' acl, which is also used on a deny rule, is also a
group rule (that cannot be confirmed from the conf you posted), just add
the all as well. In summary, always add an 'all' to an http_access rule
which involves denying by any kind of group checking.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAMTRAP, do not email it:
gertrudes at solutti.com.br
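
Added example, not part of the original message: a small Python check that applies the rule of thumb from the reply above to a squid.conf, listing every `http_access deny` line whose last ACL is a `proxy_auth` or `external` ACL rather than `all`. The sample config is constructed from lines quoted in the thread; the function names and the choice of those two ACL types as "group checking" ACLs are assumptions.

```python
# ACL types treated as identity/group checks (assumption: these two cover
# the LDAP group lookups and the proxy_auth ACL in the posted config).
IDENTITY_TYPES = {"proxy_auth", "external"}

# Constructed sample, built from lines quoted in the thread.
SAMPLE_CONF = """\
acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
acl auth proxy_auth REQUIRED
acl permitt_ips src 10.143.10.247/32
http_access allow permitt_ips
http_access deny !chkglwebhttp
http_access deny !sellingUser all
#http_access deny !auth
"""


def find_risky_denies(conf_text):
    """Return (line_no, rule) for each 'http_access deny' rule whose last
    ACL is an identity-based ACL instead of a catch-all such as 'all'."""
    acl_types = {}
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        tokens = line.split()
        if tokens[0] == "acl" and len(tokens) >= 3:
            # The first definition of a name fixes its type.
            acl_types.setdefault(tokens[1], tokens[2])
        elif tokens[:2] == ["http_access", "deny"] and len(tokens) >= 3:
            last_acl = tokens[-1].lstrip("!")  # drop the negation marker
            if acl_types.get(last_acl) in IDENTITY_TYPES:
                findings.append((line_no, line))
    return findings


def suggest_fix(rule):
    """Apply the workaround from the reply: append 'all' as the last ACL."""
    return rule + " all"


if __name__ == "__main__":
    for line_no, rule in find_risky_denies(SAMPLE_CONF):
        print(f"line {line_no}: {rule}  ->  {suggest_fix(rule)}")
```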