Re: [squid-users] Can't see usernames in logs after enabling NTLM

From: Henrik Nordstrom <[email protected]>
Date: Tue, 8 Feb 2005 09:11:09 +0100 (CET)

On Tue, 8 Feb 2005, Oliver Hookins wrote:

> I've never quite understood it... hence my problem. Let me run this by you
> though.

It's an ordered list of rules

         http_access allow|deny acl AND acl AND ...
             OR
         http_access allow|deny acl AND acl AND ...
             OR
         ...

wher AND/OR is in the logic absolute sense, not the english fuzzy one.

> If the request is for one of the allowedsites or from the list of IP
> addresses in SURFING, the AuthGroup will never even be touched so NTLM
> authentication is not activated?
>
> So I should put http_access allow AuthGroup at the very top so that NTLM
> authentication is forced on all requests.

Then you will allow AuthGroup to access anything.

> Then if the request is neither from a user in the authorised LDAP group,
> or from an IP address in SURFING, or to an allowedsite (or from
> localhost) it will be denied?

If you do

http_access allow A
http_access allow B
http_access allow C

then the request will be allowed if it matches either A, B or C.

If you do

http_access allow A B C

then the request will be allowed if it matches all of A B and C.

http_access processing is always done top-down left to right.

> When does Squid decided if it needs to activate the proxy_auth password
> required thing?

As soon as it encounters a acl requiring authentication when processing
the http_access rules.

> During parsing of the configuration file or when a request is
> made?

When the request is made.

Regards
Henrik
Received on Tue Feb 08 2005 - 01:11:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST