Re: [squid-users] http_reply_access processing

From: Eugene <gonnabefun@dont-contact.us>
Date: Mon, 16 Apr 2007 14:42:33 +0300

Hello Chris,

Friday, April 6, 2007, 11:53:15 PM, you wrote:

CR> Eugene wrote:
>> Hello!
>> I've upgraded my squid from 2.5.14 to 2.6.12 and got into trouble with
>> http_reply_access rules processing.
>>
>> In our configuration, client programs without proxy authentication
>> support are allowed to access the internet by IP using src type acls.
>>
>> If a client is matched by 'src' first and the first http_reply_access rule's acl type is 'proxy_auth', then
>> squid requests an auth header (gets none), stops processing the next
>> http_reply_access rules and generates X-Squid-Error: ERR_ACCESS_DENIED 0
>>
CR> # Allow domain computers to perform updates w/o proxy authentication
CR> http_access allow domain_comp files
CR> # Allow logged in users to access anything
CR> http_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_access deny media # Send TCP_RESET
CR> http_access deny files # Send TCP_RESET
CR> http_access deny all

CR> Toss the rest.

CR> # Allow domain computers replies of octet-stream
CR> http_reply_access allow domain_comp mime_files
CR> # Allow logged in users anything
CR> http_reply_access allow domain_user
CR> # Deny non-logged in users anything not explicitly allowed
CR> http_reply_access deny mime_files # Send TCP_RESET
CR> http_reply_access deny mime_media # Send TCP_RESET
CR> http_reply_access deny all

CR> Toss the rest.

I've tested this configuration; it does not work for me. It gives the same
result.

But if I explicitly allow http_reply_access for domain_comp before any NTLM-based acl,
it works fine.

Real-world example: domain_user on domain_comp opens google.com
and gets "access is denied".

http_reply_access allow domain_comp mime_files
http_reply_access allow domain_comp #<< Here is explicit allow
http_reply_access allow domain_user # if previous line is commented, deny happens here, but it should not!
http_reply_access deny mime_files
http_reply_access deny mime_media
http_reply_access allow all #this rule should allow access for domain_comp

Thanks.

-- 
Best regards,
 Eugene                            mailto:gonnabefun@gmail.com
Received on Mon Apr 16 2007 - 08:27:45 MDT
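
The rule evaluation reported in this message, as an added Python model that is not part of the original post and is not Squid's own code. It assumes domain_comp is a 'src' ACL, domain_user is a 'proxy_auth' ACL and mime_files / mime_media match the reply MIME type; the subnet, request record and function names are constructed for illustration.

```python
# Added illustration: a model of the behaviour reported in this thread,
# not Squid's source code. ACL types and sample values are assumptions.
ALLOW, DENY = "allow", "deny"
AUTH_REQUIRED = "auth_required"   # proxy_auth ACL with no credentials to check

def acl_matches(name, req):
    """Evaluate one named ACL against a constructed request/reply record."""
    if name == "all":
        return True
    if name == "domain_comp":                      # assumed 'src' ACL
        return req["src"].startswith("10.0.0.")    # constructed subnet
    if name == "domain_user":                      # assumed 'proxy_auth' ACL
        return True if req["user"] else AUTH_REQUIRED
    if name == "mime_files":                       # assumed reply MIME ACL
        return req["reply_mime"] == "application/octet-stream"
    if name == "mime_media":                       # assumed reply MIME ACL
        return req["reply_mime"].startswith(("audio/", "video/"))
    raise KeyError(name)

def reply_access(rules, req, auth_failure_stops=True):
    """First matching line wins; ACLs on one line are ANDed left to right.

    auth_failure_stops=True models what the poster observed on 2.6.12: a
    proxy_auth ACL that cannot be checked ends processing with a deny.
    False models what the poster expected: the line is simply skipped.
    """
    for lineno, (action, acls) in enumerate(rules, start=1):
        matched = True
        for name in acls:
            result = acl_matches(name, req)
            if result is AUTH_REQUIRED:
                if auth_failure_stops:
                    return DENY, lineno
                result = False
            if not result:
                matched = False
                break
        if matched:
            return action, lineno
    return DENY, None   # not reached here: both rule lists end in 'all'

WITH_EXPLICIT_ALLOW = [
    (ALLOW, ["domain_comp", "mime_files"]), (ALLOW, ["domain_comp"]),
    (ALLOW, ["domain_user"]), (DENY, ["mime_files"]),
    (DENY, ["mime_media"]), (ALLOW, ["all"]),
]
WITHOUT_EXPLICIT_ALLOW = WITH_EXPLICIT_ALLOW[:1] + WITH_EXPLICIT_ALLOW[2:]
REQ = {"src": "10.0.0.25", "user": None, "reply_mime": "text/html"}
```

With the constructed request (matched by src, no credentials, text/html reply), the list containing the explicit `allow domain_comp` line returns allow on line 2, while the list without it returns deny at the `domain_user` line and never reaches `allow all`.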
