Fwd: Re: [squid-users] About proxy_auth alc

From: Alberto Cappadonia <alberto.cappadonia_at_polito.it>
Date: Wed, 23 Jun 2010 11:51:36 +0200

On 23/06/10 04.49, Amos Jeffries wrote:
> On Tue, 22 Jun 2010 16:30:52 +0200, Alberto Cappadonia
> <alberto.cappadonia_at_polito.it> wrote:
>
>> Hi,
>>
>> I've a question about proxy_auth acl.
>>
>> if I've an acl list like the following
>>
>> acl friends proxy_auth mary jane carl
>> acl target dst 10.0.0.1
>>
>> http_access friends allow
>> http_access target deny
>>
> On startup your Squid barfs with "FATAL: Bungled squid.conf"
>
> The syntax is:
> "http_access" ( "allow" | "deny" ) [acl] [acl ...]
>

Yes, of course. I made a mistake while writing the e-mail! :)

>
>> What happens when mary contacts 10.0.0.1? always allow?
>>
> Yes. "mary", "jane" and "carl" are allowed unrestricted access to HTTP
> once logged in.
>
>
>> If "http_access friends allow" is evaluated to true, is the second also
>> checked?
>>
> No. *_access lines always evaluate to one of two results:
> true -> stop and do (allow|deny).
> false -> test next rule.
>
>
>> I mean, is the proxy_auth acl considered by squid like the other acls,
>> or is it evaluated only the first time and when the timeout expires?
>>
> ACL are evaluated every test.
>
> All ACL which require remote lookups (ie DNS lookups, proxy_auth, ident
> and external) each have an internal cache of results which gets checked
> first before the slow helper is asked. Some protocols see M/ttl of M
> requests, others see M of M requests.
>

OK, thanks! This is the answer I'd like to receive! Because it was not
clear to me how squid "mixes" packet header info (src, dst, port, ...,
acls) and acls requiring remote lookups.

>
>> Is there some doc explaining the state-chart of the entire
>> authentication scheme?
>>
> No. Each authentication protocol (auth_param X) differs.
>
> Note that *authentication* is very different to the *authorization* scheme
> you are asking about.
> Access Controls authorize some particular request to happen or not to
> happen. Sometimes, as in your config, a user is required to be
> authenticated before they can be authorized access. Usually they can be
> denied without authentication (ie external machines).
>
> The state diagram of your access controls is called squid.conf.
> * Starting at the top each line is evaluated top-down left-to-right.
> * First word is the point of transfer affected by the control
> (http_access -> each HTTP request).
> * Second word is the policy to enforce (allow/deny).
> * Third and following is a list of stats to be tested.
> * if an ACL is true, the next on the line gets tested, end of line the
> policy applied.
> * if an ACL is false, the next line gets checked.
>
> http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
>

Thanks for the answer!

Regards
Alberto
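The evaluation rules Amos lists (top-down, left-to-right, first matching line wins, AND within a line, OR across lines) are easy to get wrong in the order Alberto wrote them. The following is an added example, not code from the thread or from Squid itself: a small Python model of `http_access` evaluation over constructed `squid.conf` fragments, limited to the `proxy_auth` and `dst` ACL types used above plus the built-in `all`. The function names (`parse_config`, `evaluate`, `decide`) and the three config strings are assumptions for illustration. It shows that with `allow friends` before `deny target`, mary reaches 10.0.0.1; that an unauthenticated request to any other host then falls through to Squid's documented no-match default (the opposite of the last line's action); and two orderings that actually keep friends away from the target. It also rejects the `http_access friends allow` word order the way Squid refuses to start on it.

```python
"""Model of Squid's http_access evaluation order (added example, not Squid code).

Re-implements, for proxy_auth, dst and the built-in 'all', the rules in the thread:
  * lines are tested top-down; the first line whose ACLs ALL match decides;
  * ACLs on one line are AND-ed, successive lines are OR-ed;
  * if no line matches, the result is the opposite of the last line's action.
"""
import ipaddress
import shlex


class ConfigError(ValueError):
    """Config this model refuses, as Squid does with 'FATAL: Bungled squid.conf'."""


def parse_config(text):
    """Parse 'acl' and 'http_access' lines into (acls, rules)."""
    acls = {"all": ("all", ["all"])}      # Squid pre-defines 'acl all src all'
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw.split("#", 1)[0])
        if not words:
            continue
        if words[0] == "acl":
            if len(words) < 4:
                raise ConfigError(f"line {lineno}: acl needs a name, a type and a value")
            name, acltype, values = words[1], words[2], words[3:]
            if acltype not in ("proxy_auth", "dst"):
                raise ConfigError(f"line {lineno}: acl type {acltype!r} not modelled")
            acls.setdefault(name, (acltype, []))[1].extend(values)  # repeats append
        elif words[0] == "http_access":
            if len(words) < 2 or words[1] not in ("allow", "deny"):
                raise ConfigError(f"line {lineno}: http_access ( allow | deny ) [acl ...]")
            for term in words[2:]:
                if term.lstrip("!") not in acls:
                    raise ConfigError(f"line {lineno}: ACL {term!r} used before defined")
            rules.append((words[1], words[2:]))
        else:
            raise ConfigError(f"line {lineno}: directive {words[0]!r} not modelled")
    return acls, rules


def match_acl(acls, term, request):
    """Test one ACL term ('name' or '!name') against a request dict."""
    negate = term.startswith("!")
    acltype, values = acls[term.lstrip("!")]
    if acltype == "all":
        hit = True
    elif acltype == "proxy_auth":
        # request['user'] is None when no Proxy-Authorization credentials were sent.
        # Real Squid may answer with a 407 challenge instead of a plain deny; that
        # exchange is outside this model.
        user = request.get("user")
        hit = user is not None and (values == ["REQUIRED"] or user in values)
    else:  # dst: plain addresses or CIDR networks
        addr = ipaddress.ip_address(request["dst"])
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return hit != negate


def evaluate(acls, rules, request):
    """Return (action, rule_index); rule_index is None when the default applied."""
    for idx, (action, terms) in enumerate(rules):
        if all(match_acl(acls, t, request) for t in terms):
            return action, idx          # true -> stop and apply this line's policy
    if not rules:
        return "allow", None            # no http_access lines at all: allowed
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def decide(config_text, user, dst):
    """'allow' or 'deny' for one (authenticated user or None, destination) pair."""
    acls, rules = parse_config(config_text)
    return evaluate(acls, rules, {"user": user, "dst": dst})[0]


# Constructed fragments. AS_WRITTEN is the thread's config with the word order
# fixed: 'allow friends' is tested first, so friends reach 10.0.0.1.
AS_WRITTEN = """
acl friends proxy_auth mary jane carl
acl target dst 10.0.0.1
http_access allow friends
http_access deny target
"""
# Deny the target first; the allow line never sees those requests.
TARGET_FIRST = """
acl friends proxy_auth mary jane carl
acl target dst 10.0.0.1
http_access deny target
http_access allow friends
"""
# Same intent on one AND-ed line, with an explicit final deny.
ONE_LINE = """
acl friends proxy_auth mary jane carl
acl target dst 10.0.0.1
http_access allow friends !target
http_access deny all
"""

if __name__ == "__main__":
    for name, cfg in (("AS_WRITTEN", AS_WRITTEN), ("TARGET_FIRST", TARGET_FIRST),
                      ("ONE_LINE", ONE_LINE)):
        for user, dst in (("mary", "10.0.0.1"), ("mary", "10.0.0.2"), (None, "10.0.0.2")):
            print(f"{name:12} user={user!s:5} dst={dst}: {decide(cfg, user, dst)}")
    try:
        parse_config("http_access friends allow")
    except ConfigError as err:
        print("rejected:", err)
```

Note the third row for AS_WRITTEN: an unauthenticated client asking for a host other than 10.0.0.1 matches neither line, and because the last line is a `deny`, the default allows the request. That is the documented Squid behaviour and the reason a ruleset should end with an explicit `http_access deny all`.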

Received on Wed Jun 23 2010 - 09:51:45 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 23 2010 - 12:00:04 MDT