Re: [squid-users] Rules problem

From: Amos Jeffries <>
Date: Wed, 11 Jul 2012 00:13:12 +1200

On 10/07/2012 9:37 p.m., Carlo Filippetto wrote:
> 2012/7/10 Amos Jeffries <>:
>> On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
>>> Hi all,
>>> I need to create a rule where some users, logged in with ntlm, must
>>> be restricted to only a few sites.
>>> I tried something as:
>>> acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
>>> acl RESTRICTED_WEB dstdomain "/etc/squid/"
>>> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
>>> http_reply_access deny all RESTRICTED_USER
>> The magic ACL "all" only means something when it's on the end (right hand
>> side) of the line.
>> By placing "all" on the end of a line containing authentication ACLs you
>> prevent login challenge from being done by *that* line.
>> Also note that by doing these restrictions on *reply* access, it means the
>> user/client's details have already been sent to the remote website for
>> processing. Only the remote website's response is blocked from delivery to the
>> client. NTLM could be doing some very strange things with its multiple
>> requests.
>> There is no reason why these rules cannot be done in http_access where it
>> is safer and NTLM cannot have such dangerous side effects. I suggest moving
>> them and seeing what improves.
> I tried to use http_access but in this case on every page I tried to
> access out of the restricted ones I receive an authentication
> request, and it isn't a good thing

Clients who did not send credentials are asked to do so. Authentication
does not work without credentials.

> Now I removed the 'all' from the second "http_reply_access" line and
> it seems to work fine.

Strange. As I said "all" was not doing anything on that line, just
wasting space in the config file.

> Thanks for the explanation on the use of "http_reply_access", but I
> don't know another command that blocks the sites and doesn't ask for
> authentication

Adding "all" on the right-hand side of both lines, and making them
"http_access" instead of "http_reply_access" will do that. Just make
sure these are under the lines which authenticate all your users.

Received on Tue Jul 10 2012 - 12:13:21 MDT
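
The layout described in the reply above, written out as an added example; it is not taken from any message in this thread. It assumes NTLM `auth_param` is already configured earlier in squid.conf, and the ACL name `AUTHENTICATED`, the dstdomain file name and the final two lines are assumptions.

```conf
# Added example. Assumes auth_param (NTLM) is configured above this point.

acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
# Placeholder file name: the real path is cut off in the thread.
acl RESTRICTED_WEB dstdomain "/etc/squid/RESTRICTED_SITES_FILE"
# Assumed ACL name; matches any client that presents valid credentials.
acl AUTHENTICATED proxy_auth REQUIRED

# Before (as posted in the thread): filtering on the reply. By the time
# these rules run, the request and the client's details have already been
# sent to the remote site; only the response is withheld.
#   http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
#   http_reply_access deny all RESTRICTED_USER

# After: filter the request itself with http_access.

# 1. Authenticate all users first. Clients that sent no credentials are
#    challenged here, and only here.
http_access deny !AUTHENTICATED

# 2. Restricted users may reach the listed sites. "all" sits on the
#    right-hand side so this line does not trigger a login challenge.
http_access allow RESTRICTED_WEB RESTRICTED_USER all

# 3. Restricted users are denied everything else. With "all" last, the
#    denial is a plain "access denied" page, not a new login prompt.
http_access deny RESTRICTED_USER all

# 4. Assumed site policy: other authenticated users are allowed,
#    everything else is refused.
http_access allow AUTHENTICATED
http_access deny all
```

`squid -k parse` checks the file for syntax errors before the running proxy is reloaded with `squid -k reconfigure`.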
