RE: [squid-users] outright deny

From: Geoff Varney <geoff.varney@dont-contact.us>
Date: Tue, 28 Mar 2006 12:10:57 -0800

Chris,
I'm glad I saw this post today as I also would like to just get rid of the
authentication prompt when a user attempts to use the Web when listed in my
denied_users ACL. It works perfectly as you said when adding "all" to the
end of the http_access deny statement.

However, now I'd like to use a custom error page when this occurs. Instead
of the stock "Access Denied" page and its reasons, I made one that tells the
user the reasons why their access may be denied (no AUP signed or
inappropriate use, etc.) This works perfectly when my squid.conf is like
this:

acl denied_users proxy_auth_regex -i '/etc/squid/denied_users'
deny_info ERR_USER_ACCESS_DENIED denied_users
http_access deny denied_users

but if I do this:

acl denied_users proxy_auth_regex -i '/etc/squid/denied_users'
deny_info ERR_USER_ACCESS_DENIED denied_users
http_access deny denied_users all

then the normal ERR_ACCESS_DENIED error page comes up. Is there a way to
make this work (custom error message) while NOT prompting the user for
authorization?

I guess I could modify the ERR_ACCESS_DENIED but I don't want to confuse
things if it comes up for some other reason other than being part of the
denied_users ACL. I suppose I could just ADD to the current error page info
that would help the user understand what's going on...

Thanks,
Geoff

-----Original Message-----
From: Chris Robertson [mailto:crobertson@gci.net]
Sent: Tuesday, March 28, 2006 10:56 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] outright deny

Covington, Chris wrote:

>Hi all,
>
>I've got an NTLM Group deny working:
>
>external_acl_type ntlm_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
>acl NTLMNoAccess external ntlm_group Internet_Access_None
>http_access deny NTLMNoAccess
>http_reply_access deny NTLMNoAccess
>
>The issue is that when a user is a member of Internet_Access_None,
>they get prompted to login rather than just seeing the
>ERR_CACHE_ACCESS_DENIED (ERR_ACCESS_DENIED?) page. How can I setup an
>outright deny when a member is in Internet_Access_None?
>
>

If I remember correctly, if Squid denies access due to a proxy_auth ACL,
it will prompt for different credentials. Changing your http_access
line to...

http_access deny NTLMNoAccess all

...should clear this up. I think.

>thanks
>---
>Chris Covington
>IT
>Plus One Health Management
>75 Maiden Lane Suite 801
>NY, NY 10038
>646-312-6269
>http://www.plusoneactive.com
>
>
Chris
Received on Tue Mar 28 2006 - 13:14:30 MST
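
The behaviour discussed in this thread, as an added example (not code from either poster or from Squid): a simplified model in which the last ACL on the matching http_access deny line decides both whether Squid asks for credentials again and which deny_info page is returned. It goes one step beyond the thread by attaching deny_info to a hypothetical always-matching ACL, here called denied_users_page; that ACL name and the user "jdoe" are constructed for illustration.

```python
# Simplified model of Squid's deny handling (an assumption based on the
# documented deny_info rule, not Squid source code).
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex", "external"}  # ACLs that need a login


def evaluate(acl_types, deny_info, rule, user, denied):
    """Outcome of one 'http_access deny <rule...>' line for an authenticated user.

    Returns None when the line does not match, else (HTTP status, error page).
    """
    for name in rule:
        # Login-based ACLs match only listed users; src-style ACLs here always match.
        if acl_types[name] in AUTH_TYPES and user not in denied:
            return None
    last = rule[-1]  # the last ACL evaluated decides the response
    if acl_types[last] in AUTH_TYPES:
        status, default = 407, "ERR_CACHE_ACCESS_DENIED"  # asks for other credentials
    else:
        status, default = 403, "ERR_ACCESS_DENIED"        # plain deny, no prompt
    return status, deny_info.get(last, default)


ACLS = {"denied_users": "proxy_auth_regex", "all": "src",
        "denied_users_page": "src"}   # hypothetical always-matching ACL
DENIED = {"jdoe"}                      # constructed sample user
CUSTOM = "ERR_USER_ACCESS_DENIED"      # custom page name used in the thread


def scenarios(user="jdoe"):
    """Evaluate the two configurations from the thread plus the dummy-ACL variant."""
    return {
        "deny denied_users":
            evaluate(ACLS, {"denied_users": CUSTOM}, ["denied_users"], user, DENIED),
        "deny denied_users all":
            evaluate(ACLS, {"denied_users": CUSTOM}, ["denied_users", "all"], user, DENIED),
        "deny denied_users denied_users_page":
            evaluate(ACLS, {"denied_users_page": CUSTOM},
                     ["denied_users", "denied_users_page"], user, DENIED),
    }


if __name__ == "__main__":
    for line, outcome in scenarios().items():
        print(f"http_access {line:40} -> {outcome}")
```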
