Re: [squid-users] can not access sites due to acl when using ntlm auth

From: Henrik Nordstrom <[email protected]>
Date: Sat, 21 Aug 2004 01:31:54 +0200 (CEST)

On Fri, 20 Aug 2004, Merton Campbell Crockett wrote:

> The assumptions were stated in an ellided paragraph that the proxy was
> restricted to KIOSK users and that they were restricted to destinations
> specified in KIOSK.dstdomain.
>
> If there are other users of the proxy and they are permitted to access any
> destination, the following supports the condition. The last rule is for
> clarity and to show that all conditions have been enumerated.
>
> http_access allow !KIOSK
> http_access deny !KIOSK.dstdomain
> http_access allow KIOSK

In my experience this is more confusing than what you gain.

If your goal is to allow KIOSK access to certain domains then use the
combination

    http_access allow KIOSK KIOSK.dstdomain
    http_access deny KIOSK

If this does not work then at least one of the acls is wrongly defined and
you won't see the desired ressult no matter how you rearrange the
http_access rules.

The first rule in your example (allow !KIOSK) is very dangerous as this
allows everyone else in the whole world access. Such rules should not be
used unless you have been very strict earlier up on what IP addresses may
access the proxy.

As a general rule of thumb only use full negations in http_access deny
rules, such as

    http_access deny !our_networks

or partial negations in combination with something else which makes sense

    http_access allow ournetworks !restricted_sites

    possibly followed by something like

    http_access allow our_networks privileged_users

Negations are very poverful, but should be used carefully.

Regards
Henrik
Received on Fri Aug 20 2004 - 17:32:06 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT