Re: [squid-users] http_access and proxy_auth

From: Mark Elsen <[email protected]>
Date: Fri, 3 Nov 2006 08:06:43 +0100

> Hi,
>
> I should know this but reading FAQ and things is just confusing me.
>
> If we have:
>
> acl authenticated proxy_auth REQUIRED
>
> When would any http_access lines even get used if they appear after
> something like:
>
> http-access permit authenticated
>
> I ask because my understanding is that anyone who has authenticated
> would match this line and never go past it. If I'm not stupid and that
> is in fact the case, then is the following, from
> http://workaround.org/moin/HowSquidAclsWork, incorrect?
>
> -----------------------------------------------------------------------
> acl my_auth proxy_auth REQUIRED
> acl google dstdomain .google.com
> http_access allow my_auth
> http_access deny google my_auth
> http_access deny all
>
> In this case if the user requests www.google.com then the second
> http_access line matches and triggers re-authentication. Remember: it's
> always the last ACL on a http_access line that "matches".
> -----------------------------------------------------------------------

No, it's the first ACL on a http_access line that matches,
in your case, the 2 last ones will never be reached.

>
> If the user has authenticated, when would the second or indeed the third
> http_access line ever be reached?
>

  I think the answer is never, I guess, in your case I guess you would need :

         http_access allow my_auth !google

M.
Received on Fri Nov 03 2006 - 00:06:45 MST

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST