Re: [squid-users] proxy_auth and http_reply_access

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 10 Jun 2008 13:24:20 -0800

Jérôme Loyet wrote:
> Hello guys,
>
> I have a problem configuring squid basic ACL.
>
> Here is what I need:
> - Allow only requests on port 80 (PORT80)
> - Allow to join certain domain (DOMAINS)
> - Allow to get xml files (XML)
> - Authenticated users can get whatever they want on any std ports (AUTH)
>
> The rules should be order as is: AUTH or (PORT80 and (XML or
> DOMAINS)). At the begening the rule AUTH did not exist. My ACL looked
> like this:
>
>
>> acl network src 10.0.0.0/8
>>
>> acl rule_port80 port 80
>>
>> acl rule_domain domain eplf2.intel-lehren.de
>> acl rule_domain domain database.clamav.net
>> acl rule_domain domain gouv.fr
>> acl rule_domain domain cnr.groupe-sigma.com
>>
>> acl rule_rep_header rep_header Content-Type -i ^text/xml
>> acl rule_rep_header rep_header Content-Type -i ^application/xml
>> acl rule_rep_header rep_header Content-Type -i ^application/xhtml+xml
>> acl rule_rep_header rep_header Location -i ^.
>>
>> http_access allow network rule_port80
>> http_access deny network all
>>
>> http_reply_access allow network rule_domain
>> http_reply_access allow network rule_rep_header
>> http_reply_access deny network all
>>
>
> Then I had to add the AUTH rule. here is the lines I added:
>
>
>> auth_param basic program /usr/local/oss/squid/libexec/ncsa_auth \
>> /usr/local/oss/squid/etc/passwd
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>>
>
>
>> acl auth_users proxy_auth REQUIRED
>>
>> # Just before the "http_reply_access deny network all" line
>> http_reply_access allow all auth_users
>>

But the requests (http_access) are not allowed to go out. Replace
"http_access deny network all" with "http_access deny !auth_users
network", and (assuming you have the standard Safe_ports acl to limit
these requests to "standard ports") you should be set.

>
> And guess what ? I doesn't work :(
>
> The proxy_auth conf is fine cause I tested to use the auth_users rule
> in http_access and it works as expected.
>
> Is there a problem when using in conjunction http_replay_access et a
> proxy_auth rule ? Or did I do something wrong in my conf ?
>
> Thanks for your answers
>
> ++ Jerome
>

Chris
Received on Tue Jun 10 2008 - 21:24:36 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 11 2008 - 12:00:05 MDT