Re: [squid-users] Rules problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Jul 2012 20:42:31 +1200

On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
> Hi all,
> I need to create a rule where some users, logged in with ntlm, must
> be restricted to only a few sites.
>
> I tried something as:
>
>
> acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
> acl RESTRICTED_WEB dstdomain "/etc/squid/restricted_web.limited"
>
> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
> http_reply_access deny all RESTRICTED_USER

The magic ACL "all" only means something when it's on the end (right hand
side) of the line.

By placing "all" on the end of a line containing authentication ACLs you
prevent login challenge from being done by *that* line.

Also note that by doing these restrictions on *reply* access, it means
the user/client's details have already been sent to the remote website
for processing. Only the remote website's response is blocked from
delivery to the client. NTLM could be doing some very strange things
with its multiple requests.
There is no reason why these rules cannot be done in http_access
where it is safer and NTLM cannot have such dangerous side effects. I
suggest moving them and seeing what improves.

>
>
> It works, but other user seems to be affected with continuous
> authentication requests.

By "user" what do you mean: other already logged in *users*, or non-login
*clients*?

Amos
Received on Tue Jul 10 2012 - 08:42:41 MDT
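
Added example, not part of the original message or of anyone's actual configuration: one way the two rules from the question could be expressed in http_access, as the reply suggests. It assumes the NTLM auth_param lines are already set up elsewhere in squid.conf; the AUTHED ACL and the surrounding login and default-deny rules are hypothetical additions needed to make the fragment complete.

```conf
# Constructed squid.conf fragment. Only the access rules relevant to this
# thread are shown; a real file also carries its usual port/method rules.

# File-backed ACLs, exactly as in the original post.
acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
acl RESTRICTED_WEB  dstdomain  "/etc/squid/restricted_web.limited"

# Hypothetical ACL name: matches any client that presents valid credentials.
acl AUTHED proxy_auth REQUIRED

# 1. Force a login first. The authentication ACL is the last ACL on this
#    line, so this is the line that sends the login challenge.
http_access deny !AUTHED

# 2. Restricted users may reach the listed sites.
http_access allow RESTRICTED_WEB RESTRICTED_USER

# 3. Restricted users are refused everything else. "all" sits on the right
#    hand end of the line, so this line denies without issuing a new
#    login challenge.
http_access deny RESTRICTED_USER all

# 4. Every other logged-in user is unaffected by the restriction.
http_access allow AUTHED

# 5. Default deny.
http_access deny all

# No http_reply_access rules are used: http_access is checked before the
# request is forwarded, so a denied request never reaches the remote site.
```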
