RE: [squid-users] Squid ACL

From: Mark Barlow <[email protected]>
Date: Fri, 6 Jul 2007 08:52:43 +0100

-----Original Message-----
From: squid3@treenet.co.nz [mailto:squid3@treenet.co.nz]
Sent: 06 July 2007 00:22
>To: Christian Vallant
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Squid ACL
>
>> Hello,
>>
>> I need to solve the following problem.
>> I have an ldap-server, which I use to authenticate the user.
>> If the user is in the group, he has access to the group A. If the
>> authentication fails, he has access to the group B.
>>
>> Can anyone tell me how I can solve this problem?
>>
>> I already have an authentication, but the problem is that if the
>> user tries to authenticate, but he has no rights, the authentication-window
>> comes again and again. But the user has to be in the group
>> to_domains_without_auth and the other domains should be blocked.
>>
>> So, the relevant code looks like:
>>
>> auth_param basic program /etc/squid/ldapauth.pl
>> acl for_inetusers proxy_auth REQUIRED
>>
>> acl to_domains_without_auth dstdomain "/var/ipcop/proxy/advanced/acls/dst_noauth.acl"
>>
>>
>> Can anyone help me?
>>
>
>Check the order of http_access * lines in your squid.conf.
>They are processed in order, and for_inetusers needs to be preceded by
>any ACL that allows people through without Auth.
>
>For example:
>
>http_access allow anybody_without_auth
>http_access allow for_inetusers
>http_access deny all
>
>Amos

Remember, for rules to work effectively, at least one of them has to be true.
I suspect this is why your authentication window keeps popping up. For
example if someone isn't in the inetusers group, the result of the line
http_access allow for_inetusers will be false and it will move on to the
next line. You need the users to match a deny rule to stop the request
being processed and output a squid error page to the user. The deny all
rule should suffice.

Hope this makes sense.
Received on Mon Jul 09 2007 - 02:08:09 MDT
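
The ordering advice in this thread, as an added example that is not part of the original messages and not Squid's own code: a simplified Python model of top-to-bottom, first-match http_access evaluation using the ACL names from the thread. The domain list, the user name and the rule that a proxy_auth line with missing or rejected credentials answers with a 407 challenge (the repeated login window described above) are assumptions of the model.

```python
# Simplified model of Squid's ordered, first-match http_access evaluation.
# ACL names come from the thread; domains and users are constructed samples.

NOAUTH_DOMAINS = [".intranet.example", "updates.example.org"]  # constructed
VALID_USERS = {"alice"}  # constructed: users the LDAP helper would accept


def dst_matches(host, patterns):
    """dstdomain-style match: a leading dot also covers subdomains."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def check_acl(name, req):
    """Return True/False, or "challenge" when proxy auth cannot be satisfied."""
    if name == "all":
        return True
    if name == "to_domains_without_auth":
        return dst_matches(req["host"], NOAUTH_DOMAINS)
    if name == "for_inetusers":  # models: proxy_auth REQUIRED
        return True if req.get("user") in VALID_USERS else "challenge"
    raise KeyError(name)


def http_access(rules, req):
    """Walk rules top to bottom; the first matching line decides."""
    for action, acl in rules:
        result = check_acl(acl, req)
        if result == "challenge":
            return "407 challenge"  # assumption: browser shows the login box
        if result:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Auth rule first: even the no-auth domains hit the login prompt.
AUTH_FIRST = [("allow", "for_inetusers"),
              ("allow", "to_domains_without_auth"), ("deny", "all")]
# Order suggested in the thread: no-auth destinations are let through first.
NOAUTH_FIRST = [("allow", "to_domains_without_auth"),
                ("allow", "for_inetusers"), ("deny", "all")]
```

Calling http_access(AUTH_FIRST, {"host": "www.intranet.example"}) and then the same request against NOAUTH_FIRST shows the difference that line order alone makes.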
