Re: [SQU] Multi Time ACL

From: Leonardo Rodrigues <>
Date: Mon, 05 Mar 2001 08:26:24 -0300

At 09:00 05/03/01 +1000, you wrote:

>What isn't working? Something more descriptive of the problem would be
>helpful. For example:
>"http_access allow abc morning" works
>"http_access allow xyz morning lunch" doesn't work (as pointed out
>by someone else previously)
>"http_access allow asd lunch" works"

         Correct would be something like:

http_access allow abc morning
http_access allow xyz morning
http_access allow xyz lunch
http_access allow asd lunch
http_access deny all

         ACLs are like interpreted like this ...

http_access RULE statement1 AND statement2 AND statement3
http_access ACTION statement1 AND statement2 AND statement3

         So, the ACL
http_access allow xyz morning lunch

         will never work, as pointed by me, because at any given time,
morning AND lunch will ALWAYS be false, because both morning and lunch will
NEVER be true at the same time. As one of them is false, and acl uses AND
logical statement, 0/1 AND 0 will always be 0 ( false ).

         That's because I splitted that http_access line in two. It now read:

http_access allow xyz AND morning
http_access allow xyz lunch

         if request comes from xyz, and we're in one of the allowed time,
one of the rules will match TRUE. The other will obviously match FALSE.
TRUE OR FALSE, will be TRUE, and access will be permited.

         It's also very important the deny all line, after all the
http_access rules. if access isn't denied, it's ALLOWED !! So, specifying a
LOT of http_access allow rules, and forget the deny all after them, is the
same of NOTHING. If access isn't allowed by one of your rules, the default
action ( ALLOW ) will be triggered. So, don't forget the deny all rule
AFTER all the rules.

         And, finally, don't forget rules are read from top to bottom. The
first rule matched will be used. Other rules won't be applied. For example:

         http_access allow xyz morning
         http_access deny xyz
         http_access allow xyz lunch

         If xyz tries to access something in the morning, access will be
granted. But if he tries to access something at lunch time, access will be
denied. It will be denied by the deny xyz rule, that was matched BEFORE the
'xyz lunch' rule.

         Well, I think this is more helpful than 'its not working' ...

         Hope hearing from you soon,
         Leonardo Rodrigues

To unsubscribe, see
Received on Mon Mar 05 2001 - 04:33:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:31 MST