[squid-users] Cannot get ACL to work
Jason Leshchyshyn
alphabet at shaw.ca
Wed Sep 14 05:43:44 UTC 2016
Ugh, I am trying to get Squid to deny access to a particular AD group, but when I enable the rule, it denies everyone.
This is what I have in squid.conf
# NTLM
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on
# Limit access for Factory users
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl FactoryDeny external nt_group sec_deny_internet
http_access deny FactoryDeny
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
-=-
I have verified the ext_wbinfo_group_acl works:
    [root at fac-proxy squid]# ./ext_wbinfo_group_acl -d
    Debugging mode ON.
    user sec_vpn_users
    Got user sec_vpn_users from squid
    User: -user-
    Group: -sec_vpn_users-
    SID: -S-1-5-21-1978138449-291607360-3720246513-19354-
    GID: -1677721-
    Sending OK to squid
    OK
    user sec_deny_internet
    Got user sec_deny_internet from squid
    User: -user-
    Group: -sec_deny_internet-
    SID: -S-1-5-21-1978138449-291607360-3720246513-18148-
    GID: -1677721-
    Sending ERR to squid
    ERR
Because this is a production server there's a bunch of traffic on it so I can't catch too much of the log, but this is what I can see with debugging turned on:
    2016/09/13 23:22:32.552 kid1| Acl.cc(336) matches: ACLList::matches: checking FactoryDeny
    2016/09/13 23:22:32.552 kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'FactoryDeny'
    2016/09/13 23:22:32.552 kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'FactoryDeny' is -1
    2016/09/13 23:22:32.552 kid1| Acl.cc(343) matches: FactoryDeny failed.
    2016/09/13 23:22:32.552 kid1| Acl.cc(354) matches: FactoryDeny result is false
If the result is false then the deny should be false and it should continue to the next rule, right?
Please help, I don't get it...
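The helper protocol and the ordered http_access evaluation the poster is asking about, modelled in Python as an added example; this is not part of the original message and is not Squid's or ext_wbinfo_group_acl's own code. The group table is constructed, and treating an unauthenticated request as simply "not in the group" is a modelling simplification (noted in the code too); the evaluator implements only Squid's documented first-match rule and its default of "the opposite of the last line", with true/false ACL results only, so it does not reproduce the -1 in the debug log.

```python
# Added example (not from the original post or from Squid): a small model of
# the Squid external ACL helper protocol used by ext_wbinfo_group_acl, plus a
# first-match evaluator for the http_access lines from the message above.
# Group memberships below are constructed; a real helper asks winbind.
import io

# Constructed AD group table: group name -> set of member logins.
GROUPS = {
    "sec_deny_internet": {"bob"},
    "sec_vpn_users": {"alice", "bob"},
}

# The access lines from the poster's squid.conf, in the poster's order.
SQUID_CONF = """
external_acl_type nt_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl FactoryDeny external nt_group sec_deny_internet
http_access deny FactoryDeny
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
"""


def helper_reply(request_line):
    """One round of the basic helper protocol: squid writes
    '<login> <group> [<group> ...]' on one line; the helper answers 'OK'
    when the login is in any listed group and 'ERR' otherwise."""
    fields = request_line.split()
    if len(fields) < 2:
        return "ERR"  # nothing to check; reject rather than guess
    login, groups = fields[0], fields[1:]
    return "OK" if any(login in GROUPS.get(g, set()) for g in groups) else "ERR"


def run_helper(stdin, stdout):
    """Serve requests the way a helper process does: one line in, one line
    out, flushed after every reply because squid blocks waiting for it."""
    for line in stdin:
        if line.strip():
            stdout.write(helper_reply(line) + "\n")
            stdout.flush()


def helper_transcript(requests):
    """Feed request lines through run_helper and return the replies in order."""
    out = io.StringIO()
    run_helper(io.StringIO("".join(r + "\n" for r in requests)), out)
    return out.getvalue().split()


def parse_http_access(conf_text):
    """Collect the http_access lines, in order, as (action, [acl, ...])."""
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules


def evaluate(rules, acl_value):
    """First matching http_access line wins. ACLs on one line are ANDed and
    '!' negates. If no line matches, the result is the opposite of the last
    line's action (Squid's documented default)."""
    for action, acls in rules:
        if all((not acl_value(a[1:])) if a.startswith("!") else acl_value(a)
               for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(login):
    """Evaluate the config for a login (None = request not authenticated).
    Modelling assumption: an unauthenticated request is simply 'not in the
    group'. Only true/false results exist here; the -1 in the poster's debug
    log is not reproduced."""
    def acl_value(name):
        if name == "FactoryDeny":
            return login is not None and \
                helper_reply(f"{login} sec_deny_internet") == "OK"
        if name == "auth":
            return login is not None
        raise KeyError(f"unknown acl {name}")
    return evaluate(parse_http_access(SQUID_CONF), acl_value)


if __name__ == "__main__":
    # Drive the helper through a constructed stdin, as squid would.
    print(helper_transcript(["bob sec_deny_internet", "alice sec_deny_internet"]))
    for who in ("alice", "bob", None):
        print(who, "->", decide(who))
```

Running it prints the helper's OK/ERR replies for the two constructed logins and then the http_access decision for a group member, a non-member, and an unauthenticated request; editing the SQUID_CONF string is a quick way to see how reordering the lines changes the outcome before touching a production proxy.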