Re: [squid-users] Rules problem

From: Carlo Filippetto <carlo.filippetto_at_gmail.com>
Date: Tue, 10 Jul 2012 11:37:23 +0200

2012/7/10 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
>>
>> Hi all,
>> I need to create a rule where some users, logged in with ntlm, must
>> be restricted to only a few sites.
>>
>> I tried something as:
>>
>>
>> acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
>> acl RESTRICTED_WEB dstdomain "/etc/squid/restricted_web.limited"
>>
>> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
>> http_reply_access deny all RESTRICTED_USER
>
>
> The magic ACL "all" only means something when it's on the end (right hand
> side) of the line.
>
> By placing "all" on the end of a line containing authentication ACLs you
> prevent login challenge from being done by *that* line.
>
> Also note that by doing these restrictions on *reply* access, it means the
> user/client's details have already been sent to the remote website for
> processing. Only the remote website's response is blocked from delivery to the
> client. NTLM could be doing some very strange things with its multiple
> requests.
> There is no reason why these rules cannot be done in http_access where it
> is safer and NTLM cannot have such dangerous side effects. I suggest moving
> them and seeing what improves.
>

I tried to use http_access, but in this case on every page I tried to
access outside the restricted ones I receive an authentication
request, and it isn't a good thing.

Now I have removed the 'all' from the second "http_reply_access" line and
it seems to work fine.

Thanks for the explanation on the use of "http_reply_access", but I
don't know another command that blocks the sites and doesn't ask for
authentication.

>
>
>>
>>
>> It works, but other users seem to be affected by continuous
>> authentication requests.
>
>
> By "user" what do you mean other already logged in *users*? or non-login
> *clients*?
>
>
> Amos

First of all I authenticate all the users; only a list of these users
can't surf the web but are limited as above.

Thanks

---
Carlo
Received on Tue Jul 10 2012 - 09:37:52 MDT
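
The following squid.conf fragment is an added example, not configuration posted by either participant. It applies the two points from the reply above (enforce the restriction in http_access, and put "all" last on the deny line so that line does not trigger a login challenge), reusing the thread's ACL names and file paths. The AUTHENTICATED ACL name is an assumption, and the auth_param ntlm settings are assumed to be configured elsewhere.

```conf
# Constructed squid.conf fragment for illustration.
# Assumes the "auth_param ntlm ..." lines are already configured above.

# Assumed ACL name: matches any client that presents valid credentials.
acl AUTHENTICATED proxy_auth REQUIRED

# ACLs as quoted in the thread.
acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
acl RESTRICTED_WEB dstdomain "/etc/squid/restricted_web.limited"

# 1. Authenticate everyone once. The auth ACL is last on this deny line,
#    so a client without valid credentials is challenged (407) here.
http_access deny !AUTHENTICATED

# 2. Restricted users may reach the listed domains.
http_access allow RESTRICTED_USER RESTRICTED_WEB

# 3. Restricted users are refused everything else, at request time, so
#    nothing is forwarded to the remote site.
#
#    Variant that re-prompts (auth ACL is last on the line, so the denial
#    is answered with a new login challenge instead of an error page):
#      http_access deny RESTRICTED_USER
#
#    Variant that does not re-prompt ("all" is last on the line):
http_access deny RESTRICTED_USER all

# 4. Every other authenticated user is allowed; anything else is denied.
http_access allow AUTHENTICATED
http_access deny all
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` loads the new rules.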
