Re: [squid-users] Tag: deny_info question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 25 Feb 2004 19:46:47 +0100 (CET)

On Wed, 25 Feb 2004, OTR Comm wrote:

> I have problems understanding deny_info.

I think you have understood deny_info correctly, but maybe not how HTTP
authentication works.

HTTP authentication works by challenging the browser to provide
authentication credentials. This is done by sending a HTTP "Access denied"
message to the client with a HTTP status code indicating authentication is
required and some headers indicating what kind of authentication is
possible.

This causes the browser to pop up the login box or otherwise find the
required credentials to repeat the request with authentication. If the
user cancels the login request then he will be distplayed the error
message given by the server above.

> I have a rule like so:
>
> deny_info http://216.19.43.110/cgi-bin/squidsearch/FD_Handler.cgi
> password
>
> but then none of my users ever receive the authentication prompt and the
> browser acts like it is an endless loop trying to get to
> http://216.19.43.110/cgi-bin/squidsearch/FD_Handler.cgi.

Don't do redirects on authentication acls. This is a bad idea as the
broswer will never receive the authentication challenge as it gets
replaced with the redirect...

You can use custom error messages based on authentication acls with no
problem, just not redirects.

> How can I redirect the Forwarding Denied error to FD_Handler.cgi, and
> still allow all my users to authenticate? I am confused.

You need to use another ACL for this purpose.

deny_info uses the last acl on the http_access line denying access, so by
defining "dummy" acls which always matches you can have detailed control
per http_access line which deny_info message is used.

Regards
Henrik
Received on Wed Feb 25 2004 - 11:47:00 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST