[squid-users] %LOGIN place in squid 5.8 acls
Amos Jeffries
squid3 at treenet.co.nz
Tue Apr 25 13:24:10 UTC 2023
On 25/04/2023 12:14 am, David Touzeau wrote:
> Thanks Amos for the mistake, yes my explains was wrong.
> Your are right, the first object !allowed_domains matches, so squid
> usually compute the second object. This an expected behavior.
>
> According your suggest my problem was the first rule "http_access
> allow noauth_sites" in first place.
> yes, it will allow requests but, requests will be allowed for all
> other rules too.
> It make sense, why compute all others rules if the first one is allowed ?
>
> if a add office365.com in noauth_sites object but i did not want
> office365.com for limited_users, the noauth_sites in first place will
> disable all "deny" rules.
>
> I'm wrong ?
I assume the ACL name "noauth_..." means the domains listed there are to
be accepted without checking the authentication.
In that case you **cannot** check (aka require) authentication before
allowing them.
To have any authentication-based special handing on a domain requires
that authentication happens.
So you have the choice for any given domain, whether to always-allow
(no-auth for everybody) or to require *everyone* login before deciding
allow/deny.
HTH
Amos
More information about the squid-users
mailing list