[squid-users] Reply: Re: Order of http_access allow/deny

Andreas.Reschke at mahle.com Andreas.Reschke at mahle.com
Wed Feb 4 12:34:42 UTC 2015


"squid-users" <squid-users-bounces at lists.squid-cache.org> wrote on 
04.02.2015 13:13:49:

> From: Leonardo Rodrigues <leolistas at solutti.com.br>
> To: squid-users at lists.squid-cache.org
> Date: 04.02.2015 13:14
> Subject: Re: [squid-users] Order of http_access allow/deny
> Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
> 
> On 04/02/15 09:19, Andreas.Reschke at mahle.com wrote:
> Hi there, 
> Is there an order of http_access allow/deny? If I activate 
> "http_access deny !chkglwebhttp" nobody can use the proxy, squid 
> always asks for user and password (user and password are correct) 
> 
> ###### 
> acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http 
> acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling 
> acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social 
> acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All 
> acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put 
> acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User 
> acl auth proxy_auth REQUIRED 
> acl permitt_ips src 10.143.10.247/32 
> acl FTP proto FTP 
> acl PUT method PUT 
> 
> # whitelisten 
> http_access allow open-sites all 
> http_access allow localhost 
> http_access allow permitt_ips !denied-sites !social-sites 
> http_access allow indien DAY 
> http_access deny indien 
> #http_access deny !chkglwebhttp 
> http_access allow selling-sites sellingUser 
> http_access allow social-sites socialUser 
> 
>     Actually, and I don't know if this is a bug or a desired behavior, 
> denying a group seems to always (at least to me) bring the 
> authentication popup. To avoid that and make things really work as 
> expected, I usually add an 'all' to the denying clause. As the 'all'
> rule will match anything, it won't change the denying or not of your 
> rule. And it will make things work. Actually this hint was found on 
> the mailing list archives.
> 
>     So, instead of
> 
> http_access deny !chkglwebhttp
> 
>     try using
> 
> http_access deny !chkglwebhttp all
> 
>     If your 'indien' acl, which is also used on a deny rule, is also
> a group rule (that cannot be confirmed on the conf you posted), just
> add the all as well. In summary, always add an 'all' to an 
> http_access rule which involves denying by any kind of group checking.
> 
> 
> 
> 

> -- 
> 
> 
>    Sincerely,
>    Leonardo Rodrigues
>    Solutti Tecnologia
>    http://www.solutti.com.br
> 
>    My SPAMTRAP, do NOT email it
>    gertrudes at solutti.com.br

Hi Leonardo,

Thanks for your answer. I've tested it with "http_access deny !chkglwebhttp 
all", so no access is allowed. 
I always get "ext_ldap_group_acl: WARNING: could not bind to binddn 
'Invalid credentials'"



Kind regards

Mr. Andreas Reschke
andreas.reschke at mahle.com, http://www.mahle.com
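
The behaviour discussed in this thread, as an added example that is not from either poster or from the Squid project: a simplified Python model of http_access evaluation, in which the first matching line wins and a matching deny line whose last ACL is authentication-related produces a 407 challenge (the login popup) rather than a 403. The Request class, the user data, the site_acls stand-in for the destination ACLs and the result strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# LDAP group ACLs from the posted config, mapped to the group each one looks up.
GROUP_ACLS = {
    "chkglwebhttp": "GGPY-LO-Web-Http",
    "sellingUser": "GGPY-LO-Web-Allowed-Selling",
    "socialUser": "GGPY-LO-Web-Allowed-Social",
}

@dataclass(frozen=True)
class Request:                            # hypothetical request model
    user: Optional[str]                   # None: client sent no proxy credentials
    groups: frozenset = frozenset()       # constructed LDAP group membership
    site_acls: frozenset = frozenset()    # constructed stand-in for ACLs like selling-sites

class NeedCredentials(Exception):
    """A group ACL was reached but the request carries no login."""

def acl_matches(token, req):
    name = token.lstrip("!")
    if name == "all":
        hit = True
    elif name in GROUP_ACLS:
        if req.user is None:
            raise NeedCredentials(name)
        hit = GROUP_ACLS[name] in req.groups
    else:
        hit = name in req.site_acls
    return hit != token.startswith("!")   # a leading "!" inverts the result

def evaluate(rules, req):
    """Return 'ALLOW', '403' or '407' for the first http_access line that matches."""
    try:
        for action, tokens in rules:
            if all(acl_matches(t, req) for t in tokens):  # ACLs on one line are ANDed
                if action == "allow":
                    return "ALLOW"
                # Deny matched: an auth-related ACL in last position re-challenges.
                return "407" if tokens[-1].lstrip("!") in GROUP_ACLS else "403"
    except NeedCredentials:
        return "407"
    # No line matched: the default is the opposite of the last line's action.
    return "403" if rules[-1][0] == "allow" else "ALLOW"

# The two variants from the thread, each followed by one allow line from the config.
POPUP = [("deny", ["!chkglwebhttp"]), ("allow", ["selling-sites", "sellingUser"])]
NO_POPUP = [("deny", ["!chkglwebhttp", "all"]), ("allow", ["selling-sites", "sellingUser"])]
```

In this model a user outside GGPY-LO-Web-Http is denied by both variants; only the response code changes, which is why the trailing 'all' stops the repeated login prompt without granting access.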