Thanks guys!
My problem was solved by answer of Amos.
On Tue, Aug 28, 2012 at 7:30 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 28/08/2012 9:18 a.m., Eliezer Croitoru wrote:
>>
>> On 8/27/2012 11:23 PM, Rafael Gomes wrote:
>>>
>>> acl rafael external check_user rafael.gomes
>>> http_access deny rafael
>>
>> you must understand that the check is yes\no match.
>> it will request usename for:
>> http_access deny rafael
>>
>> so if you have wrong username squid will move on to the next acl since the
>> username is not a match to "rafael" acl.
>
>
> Worse than this. You need the username details to supply %LOGIN. Which in
> turn is used to determine what the username details are...
>
> So Squid must already be aware of the username, finished performing
> authentication in order to start calling ths ACL test.
>
> There are two choices:
> 1) If you are already authenticating everyone. Create an "acl rafael
> proxy_auth rafael" test. That ACL will check the credentials and match only
> for that one user. So when you use it make sure its not on the end of the
> line (eg test it with "http_access deny rafael all" to prevent popups)
>
> 2) use a "fake" authentication helper (bundled now with squid 3.2) to accept
> any garbage they send. It will still request credentials from the browser
> though. User "Rafael" could simply send username "annie" and get past this
> type of security block.
>
>
> Amos
-- Rafael Gomes Consultor em TI LPIC-1 MCSO (71) 8318-0284 Aten��o: Este e-mail pode conter anexos no formato ODF (Open Document Format)/ABNT (extens�es odt, ods, odp, odb, odg). Antes de pedir os anexos em outro formato, voc� pode instalar gratuita e livremente o BrOffice (http://www.broffice.org).Received on Wed Aug 29 2012 - 19:42:10 MDT
This archive was generated by hypermail 2.2.0 : Thu Aug 30 2012 - 12:00:04 MDT