Re: [squid-users] ACLs and http_access deny problem

From: Josh Dixon <Josh.Dixon@dont-contact.us>
Date: Wed, 28 May 2003 15:16:27 +1000

Hi Henrik,

Thanks for your info. I just tried moving The http_access order around
a bit with no luck.

I've actually had this working correctly previously, and when a user is
authenticated, the error page is displayed, and the user is not asked
for authentication.

If the user cancels the authentication request, they are displayed an
ERR_CACHE_ACCESS_DENIED error page instead of the ERR_ACCESS_DENIED
error page.

This is important, because the ERR_CACHE_ACCESS_DENIED page has been
modified to provide them with information about authenticating, where
the ERR_ACCESS_DENIED page has been modified to let them know that a
site has been blocked.

The acls I have are listed below. I've included the delay pools entries
just in case.

acl all src 0.0.0.0/0.0.0.0
acl exemptip src 192.168.1.133
acl local src 192.168.1.4
acl racp src 192.168.1.0/255.255.255.0
acl josh src 192.168.0.0/255.255.255.0
acl dialin src 192.168.1.240 192.168.1.241 192.168.1.242 192.168.1.243 192.168.1.244
acl sapted proxy_auth sapted
acl kmoore proxy_auth kmoore
acl mfrankland proxy_auth mfrankland
acl network_admin proxy_auth jdixon psibbald
acl societies proxy_auth ads anzbms ra asid csanz csanz-admin anzsn hgsa imsanz moga
acl akovach proxy_auth akovach
acl wlockley proxy_auth wlockley
acl cedept proxy_auth achang akovach mfrankland sweir
acl passwd proxy_auth REQUIRED
acl gator dstdomain .gator.com
acl webshots dstdomain .webshots.com
acl passport dstdomain .passport.com
acl hotmail dstdomain .hotmail.com .hotmail.passport.com .hotmail.msn.com
acl productactivate dstdomain productactivation.one.microsoft.com
acl vet dstdomain .vet.com.au
acl opac src 192.168.1.129 192.168.1.154
acl yahoomail dstdomain .mail.yahoo.com
acl bigbrother dstdomain .bigbrother.com.au .bigbrother.optus.com.au
acl anonymizer dstdomain .anonymizer.com
acl swflash urlpath_regex -i \swflash.cab
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl shockwaveplayer browser Shockwave
acl iebrowser browser MSIE
acl blocked_users proxy_auth "/etc/squid/blocked_users"
deny_info ERR_BROWSER_DENIED iebrowser
deny_info ERR_BLOCKED_USER blocked_users
acl password.nolim proxy_auth "/etc/squid/proxy_auth_group.nolim"
acl password2 proxy_auth "/etc/squid/proxy_auth_group.5k"
acl password3 proxy_auth "/etc/squid/proxy_auth_group.10k"
acl password4 proxy_auth "/etc/squid/proxy_auth_group.15k"
acl password5 proxy_auth "/etc/squid/proxy_auth_group.20k"
acl password6 proxy_auth "/etc/squid/proxy_auth_group.25k"
acl password7 proxy_auth "/etc/squid/proxy_auth_group.30k"
acl password8 proxy_auth "/etc/squid/proxy_auth_group.35k"

http_access allow manager localhost
http_access allow manager exemptip
http_access allow manager local
http_access allow manager network_admin
http_access deny manager
http_access deny all gator
http_access deny all bigbrother
http_access deny all !racp
http_access deny all webshots
http_access allow shockwaveplayer
http_access allow vet opac
http_access allow hotmail opac
http_access allow passport opac
http_access allow hotmail mfrankland
http_access allow hotmail wlockley
http_access allow yahoomail kmoore
http_access allow all network_admin
http_access allow !iebrowser akovach
http_access allow !iebrowser network_admin
http_access allow all societies
http_access allow yahoomail sapted
http_access deny all !iebrowser
http_access deny all hotmail
http_access deny all yahoomail
http_access deny all swflash
http_access deny all anonymizer
http_access allow racp password.nolim
http_access allow racp password8
http_access allow racp password7
http_access allow racp password6
http_access allow racp password5
http_access allow racp password4
http_access allow racp password3
http_access allow racp password2
http_access allow racp passwd
http_access allow josh passwd
http_access allow racp productactivate
http_access deny all !passwd
http_access deny all

delay_initial_bucket_level 100
delay_pools 9
delay_class 1 2
delay_class 2 2
delay_class 3 2
delay_class 4 2
delay_class 5 2
delay_class 6 2
delay_class 7 2
delay_class 8 2
delay_class 9 2
delay_access 1 allow racp password.nolim
delay_access 1 deny all
delay_access 2 allow racp password2
delay_access 2 deny all
delay_access 3 allow racp password3
delay_access 3 deny all
delay_access 4 allow racp password4
delay_access 4 deny all
delay_access 5 allow racp password5
delay_access 5 deny all
delay_access 6 allow racp password6
delay_access 6 deny all
delay_access 7 allow racp password7
delay_access 7 deny all
delay_access 8 allow racp password8
delay_access 8 deny all
delay_access 9 allow racp passwd
delay_access 9 deny all
delay_parameters 1 -1/-1 -1/-1
delay_parameters 2 -1/-1 5000/5000
delay_parameters 3 -1/-1 10000/10000
delay_parameters 4 -1/-1 15000/15000
delay_parameters 5 -1/-1 20000/20000
delay_parameters 6 -1/-1 25000/25000
delay_parameters 7 -1/-1 30000/30000
delay_parameters 8 -1/-1 35000/35000
delay_parameters 9 -1/-1 40000/40000

>>> Henrik Nordstrom <hno@squid-cache.org> 28/05/2003 2:50:55 pm >>>
On Wednesday 28 May 2003 04.57, Josh Dixon wrote:

> I have a strange situation, where the acls are working as designed,
> and the http_access rules are denying and allowing as requested,
> but instead of displaying an error page to the browser, it prompts
> the user for their username & password.

Yes.

What you are seeing is most likely an intentional feature of Squid. If
a request is denied by a proxy_auth type acl then Squid will request
the user to authenticate with a new username+password.

The browser only shows the returned error page if the user cancels the
authentication request.

Example where this will happen

  acl somegroup proxy_auth user1 user2 user3
  http_access deny somesites somegroup

If you do not want this to happen then you need to deny the request by
another type of acl. In some cases this can be done as simply as just
writing the acls in another order

  http_access deny somegroup somesites

in others you may need to use a dummy "all" type acl (if you need to
combine this with detailed deny_info, then create multiple such acls,
one per deny_info message)

  http_access deny somesites somegroup all

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org 
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Tue May 27 2003 - 23:17:17 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:06 MST
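Added example (not from either poster, and not Squid's own code): a toy Python model of the http_access behaviour Henrik describes, showing why `deny somesites somegroup` ends in a 407 challenge while `deny somegroup somesites` and `deny somesites somegroup all` end in a plain 403 error page. The ACL names come from his example; the request dictionary layout and the `.example.com` domain are assumptions.

```python
# Toy model of Squid's http_access decision, after the rule in the reply above:
# a deny whose final acl is a proxy_auth acl becomes a 407 challenge (the user
# may log in as someone else); any other deny returns the 403 error page.
NEED_AUTH = object()    # sentinel: proxy_auth acl cannot be evaluated without credentials

ACLS = {                # name -> (type, values); names taken from Henrik's example
    "somesites": ("dstdomain", [".example.com"]),
    "somegroup": ("proxy_auth", ["user1", "user2", "user3"]),
    "all":       ("src", ["0.0.0.0/0.0.0.0"]),
}

def acl_match(name, req):
    """req = {"src": client ip, "host": destination host, "user": login or None}."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        hit = values == ["0.0.0.0/0.0.0.0"] or req["src"] in values
    elif kind == "dstdomain":
        hit = any(req["host"].endswith(v) for v in values)
    elif kind == "proxy_auth":
        if req["user"] is None:
            return NEED_AUTH          # no credentials yet: Squid must challenge first
        hit = values == ["REQUIRED"] or req["user"] in values
    else:
        raise ValueError(kind)
    return hit != negate

def http_access(rules, req):
    """rules: list of (action, [acl names]) in file order; returns (status, page)."""
    for action, names in rules:
        for name in names:
            m = acl_match(name, req)
            if m is NEED_AUTH:
                return 407, "ERR_CACHE_ACCESS_DENIED"
            if not m:
                break                 # one acl failed: this line does not apply
        else:                         # every acl on the line matched
            if action == "allow":
                return 200, None
            if ACLS[names[-1].lstrip("!")][0] == "proxy_auth":
                return 407, "ERR_CACHE_ACCESS_DENIED"   # denied by proxy_auth: challenge
            return 403, "ERR_ACCESS_DENIED"
    return 403, "ERR_ACCESS_DENIED"   # nothing matched: default deny

def compare_orderings(req):
    """The three deny orderings from the reply, evaluated for one request."""
    return {
        "sites first": http_access([("deny", ["somesites", "somegroup"])], req),
        "group first": http_access([("deny", ["somegroup", "somesites"])], req),
        "dummy all":   http_access([("deny", ["somesites", "somegroup", "all"])], req),
    }
```

For an authenticated member of somegroup visiting a blocked site, only the first ordering produces the challenge; an unauthenticated client is challenged on any line that reaches a proxy_auth acl.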