[squid-users] redirector_access usage

From: Jay Turner <jturner@dont-contact.us>
Date: Tue, 24 Jun 2003 10:17:43 +0800

Hi All,

I'm having some trouble getting the redirector_access directive to work
correctly for me with SquidGuard.
I'm using Squid2.5STABLE2 with Winbind/NTLM Group authentication
(wb_ntlmauth, wb_group), but I have tried on STABLE3 also with no luck.

I have three global groups on my NT domain - staff, students, block
Staff have unfiltered access
Students are filtered through squidguard
Users from both these groups can be added to the block group to disable
their access for whatever reason

The problem I am having is that when I add a user to the block group, it
blocks as planned, but when I subsequently remove them, the
redirector_access isn't working correctly.

i.e. I add a 'Staff' member to 'block' and they lose access (correct), then
I remove them from 'block' to re-instate access and then I find that the
Staff member now gets passed through to the redirector rather than bypassing
it.
From cache.log:
2003/06/24 10:02:41| redirectStart: 'http://www.traxxas.com/products/index.html'
2003/06/24 10:02:41| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&url=http://www.traxxas.com/products/index.html 10.20.10.122/- domain\jturner GET}

But the redirector doesn't even function correctly as this website
(www.traxxas.com) is not in my whitelist. So most of the page loads and only
some elements are blocked. If I restart Squid then the page is fully
blocked, but forcing a refresh on my browser a couple of times will then
half display the page again.
As soon as I take out redirector_access (making everyone go through the
redirector) everything works as expected.

I think the issue is probably with my ACL ordering, even though I have tried
numerous combinations.
I have verified that the user's group ACLs are being properly evaluated via
cache.log, so it's not that.

Below are the pertinent lines from squid.conf

#Helper
external_acl_type NTGroups ttl=10 negative_ttl=10 %LOGIN /usr/lib/squid/wb_group # ttl=10 for rapid testing

#ACLS
acl all src 0.0.0.0/0.0.0.0
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers
redirector_access deny AuthorizedUsers UnfilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
http_access deny all

Any help would be appreciated.

Thanks

Regards
Jay
Received on Mon Jun 23 2003 - 20:17:02 MDT
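
The rule ordering quoted in the message above can be checked offline with a small model of Squid's access-list matching (first matching line wins, ACLs on one line are ANDed, and if no line matches the result is the opposite of the last line). This is an added example, not part of the original post or of Squid; the group-to-ACL mapping is an assumption because the ntgroups-* files are not shown, and helper caching (ttl/negative_ttl) is not modelled.

```python
# Added example: models list matching only, for the rules quoted in the post.
ACL_GROUP = {  # assumed contents of the /etc/squid/ntgroups-* files
    "FilteredUsers": "students",
    "UnfilteredUsers": "staff",
    "BlockedUsers": "block",
}

REDIRECTOR_ACCESS = [
    ("allow", ["AuthorizedUsers", "FilteredUsers"]),
    ("deny", ["AuthorizedUsers", "UnfilteredUsers"]),
]
HTTP_ACCESS = [
    ("deny", ["AuthorizedUsers", "BlockedUsers"]),
    ("allow", ["AuthorizedUsers", "FilteredUsers"]),
    ("allow", ["AuthorizedUsers", "UnfilteredUsers"]),
    ("deny", ["all"]),
]


def acl_matches(acl, groups):
    # Every constructed sample user is treated as already authenticated.
    if acl in ("all", "AuthorizedUsers"):
        return True
    return ACL_GROUP[acl] in groups


def check(rules, groups):
    """Return the action of the first line whose ACLs all match."""
    for action, acls in rules:
        if all(acl_matches(a, groups) for a in acls):
            return action
    # No line matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def outcome(groups):
    """Expected handling of a request from a user in the given NT groups."""
    if check(HTTP_ACCESS, groups) == "deny":
        return "blocked"
    if check(REDIRECTOR_ACCESS, groups) == "allow":
        return "via redirector"
    return "bypasses redirector"


if __name__ == "__main__":
    samples = ({"staff"}, {"students"}, {"staff", "block"},
               {"staff", "students"}, set())  # constructed memberships
    for groups in samples:
        print(sorted(groups), "->", outcome(groups))
```
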