Re: Problems with Auth Modules in STABLE4

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 22 Jul 1999 05:54:38 +0200

Dancer wrote:

> You have to do an allow (eg: allow all) after the 'allow passauth'. In
> effect, a proxy_auth ACL is like a checkpoint. All it says is "You must
> have a valid username or password to pass beyond this point".

No. proxy_auth ACLs are as definite as other ACL types.

> In this case, the next point is 'deny all'.

That is fine. However unless the proxy_auth check is limited to certain
users then the deny will never be reached.

> Yes, the semantics of a proxy_auth allow acl are different from regular
> acls.

No, they aren't.

allow is allow
deny is deny
The request will get "delayed" if the username is unknown or wrong
password used.

Only difference is that "delayed" for a proxy_auth ACL is "deny the
request and require authentication from the user", while "delayed" for
other ACL types only is a delay while looking up the needed data (DNS
lookup or whatever). Semantically the behaviour is the same until the
end user cancels the authentication.

The problem in this particular question was that the syntax of
proxy_auth changed in Squid-2.1 to have a list of allowed usernames
instead of authentication TTL. The TTL is moved to a separate directive.
(due to a bug in Squid-2.1 the username restriction did not work until
Squid-2.2)

--
Henrik Nordstrom
Spare time Squid hacker
Received on Wed Jul 21 1999 - 22:58:33 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:28 MST