[squid-users] Reply: Re: Order of http_access allow/deny
Yuri Voinov
yvoinov at gmail.com
Wed Feb 4 12:41:17 UTC 2015
As you can see (and the warning you get shows it), the problem is not in the ACLs,
but in the auth helper or near it:
ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'
04.02.2015 18:34, Andreas.Reschke at mahle.com wrote:
> "squid-users" <squid-users-bounces at lists.squid-cache.org> wrote on 04.02.2015 13:13:49:
>
> > From: Leonardo Rodrigues <leolistas at solutti.com.br>
> > To: squid-users at lists.squid-cache.org
> > Date: 04.02.2015 13:14
> > Subject: Re: [squid-users] Order of http_access allow/deny
> > Sent by: "squid-users" <squid-users-bounces at lists.squid-cache.org>
> >
> > On 04/02/15 09:19, Andreas.Reschke at mahle.com wrote:
> > Hi there,
> > Is there an order of http_access allow/deny? If I activate
> > "http_access deny !chkglwebhttp" nobody can use the proxy, squid
> > always asks for user and password (user and password are correct)
> >
> > ######
> > acl chkglwebhttp external LDAPLookup GGPY-LO-Web-Http
> > acl sellingUser external LDAPLookup GGPY-LO-Web-Allowed-Selling
> > acl socialUser external LDAPLookup GGPY-LO-Web-Allowed-Social
> > acl allforbUser external LDAPLookup GGPY-LO-Web-Allowed-All
> > acl ftpputUser external LDAPLookup GGPY-LO-Web-Ftp-Put
> > acl loggingUser external LDAPLookup GGPY-LO-Web-Log-User
> > acl auth proxy_auth REQUIRED
> > acl permitt_ips src 10.143.10.247/32
> > acl FTP proto FTP
> > acl PUT method PUT
> >
> > # whitelisten
> > http_access allow open-sites all
> > http_access allow localhost
> > http_access allow permitt_ips !denied-sites !social-sites
> > http_access allow indien DAY
> > http_access deny indien
> > #http_access deny !chkglwebhttp
> > http_access allow selling-sites sellingUser
> > http_access allow social-sites socialUser
> >
> > Actually, and I don't know if this is a bug or a desired behavior,
> > denying a group seems to always (at least to me) bring up the
> > authentication popup. To avoid that and make things really work as
> > expected, I usually add an 'all' to the denying clause. As the 'all'
> > rule will match anything, it won't change the denying or not of your
> > rule. And it will make things work. Actually this hint was found in
> > the mailing list archives.
> >
> > So, instead of
> >
> > http_access deny !chkglwebhttp
> >
> > try using
> >
> > http_access deny !chkglwebhttp all
> >
> > If your 'indien' acl, which is also used on a deny rule, is also
> > a group rule (that cannot be confirmed from the conf you posted), just
> > add the 'all' as well. In summary, always add an 'all' to an
> > http_access rule which involves denying by any kind of group checking.
> >
> > --
> > Sincerely,
> > Leonardo Rodrigues
> > Solutti Tecnologia
> > http://www.solutti.com.br
> >
> > gertrudes at solutti.com.br
> > My SPAMTRAP, do not email it
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users
>
> Hi Leonardo,
>
> thanks for your answer. I've tested it with "http_access deny !chkglwebhttp all", so no access is allowed.
> I always get "ext_ldap_group_acl: WARNING: could not bind to binddn 'Invalid credentials'"
>
> Kind regards
>
> Mr. Andreas Reschke
> andreas.reschke at mahle.com, http://www.mahle.com
>
>
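
Added example (not part of the original thread, and not Squid's own code): a simplified Python model of first-match http_access evaluation. It shows why a group helper that cannot bind to LDAP makes "deny !chkglwebhttp" hit every user, and why appending "all" only turns the repeated login prompt into a plain denial. Assumptions: the client already sent valid credentials, the LDAPLookup ACLs depend on the login, a helper that cannot bind counts as "no match", and all function names and the REQ sample are constructed.

```python
# Simplified model of Squid's first-match http_access evaluation.
# Added example; names and sample data are constructed, this is not Squid code.
AUTH_ACLS = {"chkglwebhttp", "sellingUser", "socialUser"}  # LDAPLookup group ACLs

def acl_matches(name, request, helper_ok):
    if name == "all":
        return True
    if name in AUTH_ACLS:
        # Assumption: a helper that cannot bind to LDAP answers "no match".
        return helper_ok and name in request["groups"]
    return name in request["facts"]  # e.g. "localhost", "selling-sites"

def evaluate(rules, request, helper_ok=True):
    """Return (status, matching line) for an already authenticated request."""
    for action, acls in rules:
        # "!acl" matches exactly when "acl" does not.
        if not all(acl_matches(a.lstrip("!"), request, helper_ok) != a.startswith("!")
                   for a in acls):
            continue
        line = "http_access %s %s" % (action, " ".join(acls))
        if action == "allow":
            return 200, line
        # A deny line ending in an auth-related ACL re-issues the challenge (407);
        # ending in "all" turns it into a plain denial (403).
        return (407 if acls[-1].lstrip("!") in AUTH_ACLS else 403), line
    return 403, "(no line matched; simplified default)"

def rules_with(deny_acls):
    """Subset of the http_access lines from the thread, with one deny variant."""
    return [
        ("allow", ["localhost"]),
        ("deny", deny_acls),
        ("allow", ["selling-sites", "sellingUser"]),
        ("allow", ["social-sites", "socialUser"]),
    ]

# Constructed request: valid login, member of both groups, visiting a selling site.
REQ = {"groups": {"chkglwebhttp", "sellingUser"}, "facts": {"selling-sites"}}

if __name__ == "__main__":
    for deny in (["!chkglwebhttp"], ["!chkglwebhttp", "all"]):
        for ok in (True, False):
            print(deny, "helper_ok=%s" % ok, evaluate(rules_with(deny), REQ, ok))
```

With a working helper both variants let the request through; with the bind failure the first variant yields 407 for every user and the second yields 403, so the fix belongs in the helper's bind credentials rather than in the rule order.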