Re: [SQU] auth problems

From: Colin Campbell <>
Date: Fri, 9 Mar 2001 09:48:09 +1000 (EST)


On Thu, 8 Mar 2001, Olano, Kenny Kris wrote:

> So would this be correct if i wanted the user proxyUSER to be only
> allowed to go to * and to *
> acl proxyUSER proxy_auth REQUIRED
> acl ebsco dstdomain
> acl colstate dstdomain
> acl BAD dst
> http_access allow proxyUSER
> http_access allow proxyUSER ebsco colstate
> http_access deny proxyUSER BAD

No, squid processes each http_access line in the order given in the config
file. As soon as one matches it is applied. No further rules are checked.
So, with your config "http_access allow proxyUSER" will match everyone
going anywhere as long as they authenticate. No other rules will apply.
If you get rid of that line, then your next line is broken (http_access
allow proxyUSER ebsco colstate). If you read what I sent last time, you'll
see that you are asking squid to

1) make sure the user authenticates, AND
2) the destination is "ebsco", AND
3) the destination is "colstate".

Clearly 2 and 3 can never be true at the same time.

So, think about what you are trying to achieve given that squid processes
lines in the order they appear in the config using the following logic:

http_access allow/deny acl AND acl AND ....


http_access allow/deny acl AND acl AND ...



You should then come up with something like

1) http_access allow proxyUSER ebsco
2) http_access allow proxyUSER colstate
3) http_access deny BAD

This will (I believe :-)

1) require user to authenticate if going to "ebsco"
2) require user to authenticate if going to "colstate"
3) deny all other destinations

Is that what you want?


To unsubscribe, see
Received on Thu Mar 08 2001 - 16:51:28 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:34 MST