RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

Hi,

I am now having issues with custom error pages,

I have the deny_info line for the accessdeny acl, but it isn't getting used (I assume because the access deny line finished with all). Eg:

deny_info ERR_ACCESS_DENIED_MISUSE accessdenied
http_access deny accessdenied all

I have tried removing the "all", but that puts me back into a re-challenge loop (which is why "all" was included).

I am hoping to have a list of denied messages which give instructions to the user on the steps required to fix the issue, depending on what reason they were denied for. Is there any suggestions someone can offer, or is there relevant variables (eg. The acl which denied them) which can be passed to an external handler? I'd rather do it with static ERR pages, but whatever works!

Regards,
Dion

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, 14 September 2009 12:20 PM
To: Dion Beauglehall
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Squid/LDAP re-challenges browser on http_access deny

On Mon, 14 Sep 2009 12:12:27 +1000, "Dion Beauglehall"
<beauglehalld_at_vermontsc.vic.edu.au> wrote:
> Hi Amos,
>
> The changes you suggested worked perfectly. Thankyou. What I'm not
quite
> sure of is why. I assume in this context, the "all" at the end of the
line
> is not acting as a user list, but a URL list or something else?

It's an IP-based test doing a very fast catch-all. This changing the type
of ACL last seen at denial so Squid does not equate the deny with unusable
credentials and re-challenge.

Amos

>
> Regards,
> Dion
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Thursday, 10 September 2009 11:30 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Squid/LDAP re-challenges browser on
http_access
> deny
>
> On Thu, 10 Sep 2009 10:55:58 +1000, "Dion Beauglehall"
> <BeauglehallD_at_vermontsc.vic.edu.au> wrote:
>> Hi,
>>
>> I’m configuring a squid proxy box with LDAP authentication, and ACLs
> based
>> on LDAP groups. I have the LDAP authentication working, as are groups.
>>
>> However, when I add a user to an “Access Denied” group, squid then
causes
>> the browser to bring up a authentication dialog box. Most squid
installs
> I
>> have seen bring up a squid “Cache Access Denied” screen at this point.
>> This is what I would like it to do.
>>
>> I am unsure if what I am experiencing is expected behaviour, or whether
I
>> have an error in my config file.
>>
>> I am running Squid 2.7STABLE6 on a Windows 2008 server. Relevant lines
>> from squid.conf are below. Note that the LDAP works correctly, and so I
>> have not provided details. What is not acting as I expected is the
>> behaviour of Squid when it hits the “http_access deny accessdenied”
line.
>
>> This seems to be what re-challenges the browser.
>>
>> As we are a school, we need to ensure that both the user is a valid user
>> (from the initial challenge, which collects their machine login,
> invisible
>> to the user), and that they have not been denied for some reason (hence
> the
>> denied group). The re-challenge will lead to students logging into
squid
>> with their friends account. A Cache Access Denied screen is a much
> better
>> alternative.
>
> Yes it was a config issue.
> Re-writing your ACLs slightly to follow that exact logic as described
above
> should solve your problem.
>
>>
>> Note that once I have this working, there will be other “denied” groups
> to
>> deny on, prior to allowing access.
>>
>> Any suggestions or ideas are appreciated.
>>
>> Regards,
>> Dion
>>
>>
>> auth_param basic program c:/squid/libexec/squid_ldap_auth.exe ......
>> auth_param basic children 5
>> auth_param basic realm VSC
>> auth_param basic credentialsttl 5 minutes
>>
>> external_acl_type ldapgroup &LOGIN ......
>>
>> acl ldap-auth proxy_auth REQUIRED
>>
>> acl accessdenied external ldapgroup InternetAccessDeny
>> acl accessallowed external ldapgroup InternetAccess
>>
>> http_access deny accessdenied
>
> Change the above line to:
> http_access deny accessdenied all
>
> ... which will produce the "Access Denied" page instead of a challenge.
>
> Any other denied groups need to go in here one to a line with "all" at
the
> end of each line.
>
>
> After all them add a new line:
> http_access deny !ldap-auth
>
> ... which will cause Squid to challenge if no credentials are given yet.
> People who have given _any_ valid credentials will not be asked twice.
> This action was being done as side-effect of the accessdenied ACL test,
but
> with the new version it needs to be done separately.
>
>
>> http_access allow accessallowed
>> http_access deny all
>
>
> Amos
>
> --- Scanned by M+ Guardian Messaging Firewall ---

--- Scanned by M+ Guardian Messaging Firewall ---
Received on Wed Oct 07 2009 - 03:24:02 MDT