[squid-users] Rules problem
Hi all,
I need to create a rule where some users, logged in with NTLM, must be restricted to only a few sites.

I tried something like:

acl RESTRICTED_USER proxy_auth /etc/squid/restricted_user.allow
acl RESTRICTED_WEB dstdomain /etc/squid/restricted_web.limited

http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
http_reply_access deny all RESTRICTED_USER

It works, but other users seem to be affected by continuous authentication requests.

Any suggestions?

Thanks
---
Carlo
Re: [squid-users] Rules problem
On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
> Hi all,
> I need to create a rule where some users, logged in with NTLM, must be restricted to only a few sites.
>
> I tried something like:
>
> acl RESTRICTED_USER proxy_auth /etc/squid/restricted_user.allow
> acl RESTRICTED_WEB dstdomain /etc/squid/restricted_web.limited
>
> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
> http_reply_access deny all RESTRICTED_USER

The magic ACL "all" only means something when it's on the end (right hand side) of the line. By placing "all" on the end of a line containing authentication ACLs you prevent login challenge from being done by *that* line.

Also note that by doing these restrictions on *reply* access, it means the user/client's details have already been sent to the remote website for processing. Only the remote website's response is blocked from delivery to the client. NTLM could be doing some very strange things with its multiple requests.

There is no reason why these rules cannot be done in http_access where it is safer and NTLM cannot have such dangerous side effects. I suggest moving them and seeing what improves.

> It works, but other users seem to be affected by continuous authentication requests.

By "user" what do you mean: other already logged in *users*, or non-login *clients*?

Amos
Re: [squid-users] Rules problem
2012/7/10 Amos Jeffries squ...@treenet.co.nz:
> On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
>> Hi all,
>> I need to create a rule where some users, logged in with NTLM, must be restricted to only a few sites.
>>
>> I tried something like:
>>
>> acl RESTRICTED_USER proxy_auth /etc/squid/restricted_user.allow
>> acl RESTRICTED_WEB dstdomain /etc/squid/restricted_web.limited
>>
>> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
>> http_reply_access deny all RESTRICTED_USER
>
> The magic ACL "all" only means something when it's on the end (right hand side) of the line. By placing "all" on the end of a line containing authentication ACLs you prevent login challenge from being done by *that* line.
>
> Also note that by doing these restrictions on *reply* access, it means the user/client's details have already been sent to the remote website for processing. Only the remote website's response is blocked from delivery to the client. NTLM could be doing some very strange things with its multiple requests.
>
> There is no reason why these rules cannot be done in http_access where it is safer and NTLM cannot have such dangerous side effects. I suggest moving them and seeing what improves.

I tried to use http_access, but in this case on every page I tried to access outside of the restricted ones I receive an authentication request, and it isn't a good thing.

Now I removed the 'all' from the second http_reply_access line and it seems to work fine.

Thanks for the explanation on the use of http_reply_access, but I don't know another command that blocks the sites and doesn't ask for authentication.

>> It works, but other users seem to be affected by continuous authentication requests.
>
> By "user" what do you mean: other already logged in *users*, or non-login *clients*?
>
> Amos

First of all I authenticate all the users; only a list of these users can't surf on the web but is limited as above.

Thanks
---
Carlo
Re: [squid-users] Rules problem
On 10/07/2012 9:37 p.m., Carlo Filippetto wrote:
> 2012/7/10 Amos Jeffries squ...@treenet.co.nz:
>> On 10/07/2012 8:22 p.m., Carlo Filippetto wrote:
>>> Hi all,
>>> I need to create a rule where some users, logged in with NTLM, must be restricted to only a few sites.
>>>
>>> I tried something like:
>>>
>>> acl RESTRICTED_USER proxy_auth /etc/squid/restricted_user.allow
>>> acl RESTRICTED_WEB dstdomain /etc/squid/restricted_web.limited
>>>
>>> http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
>>> http_reply_access deny all RESTRICTED_USER
>>
>> The magic ACL "all" only means something when it's on the end (right hand side) of the line. By placing "all" on the end of a line containing authentication ACLs you prevent login challenge from being done by *that* line.
>>
>> Also note that by doing these restrictions on *reply* access, it means the user/client's details have already been sent to the remote website for processing. Only the remote website's response is blocked from delivery to the client. NTLM could be doing some very strange things with its multiple requests.
>>
>> There is no reason why these rules cannot be done in http_access where it is safer and NTLM cannot have such dangerous side effects. I suggest moving them and seeing what improves.
>
> I tried to use http_access, but in this case on every page I tried to access outside of the restricted ones I receive an authentication request, and it isn't a good thing.

Clients who did not send credentials are asked to do so. Authentication does not work without credentials.

> Now I removed the 'all' from the second http_reply_access line and it seems to work fine.

Strange. As I said, "all" was not doing anything on that line, just wasting space in the config file.

> Thanks for the explanation on the use of http_reply_access, but I don't know another command that blocks the sites and doesn't ask for authentication.

Adding "all" on the right-hand side of both lines, and making them http_access instead of http_reply_access will do that.

Just make sure these are under the lines which authenticate all your users.

Amos
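
The layout described in the last reply, written out as an added squid.conf fragment (not part of the original thread), with the original reply-time rules kept as comments for comparison. It assumes the NTLM auth_param lines are already configured above it; the AUTHENTICATED ACL name is hypothetical, and the two file paths are the ones from the first post.

```squidconf
# Added example, not from the thread. Assumes the NTLM auth_param lines are
# already present above this fragment. AUTHENTICATED is a hypothetical ACL
# name; the file paths are the ones given in the original post.

# Before (from the original post): the filter runs on the *reply*, so the
# request, including the client's details, has already gone to the remote
# site and only the response is withheld.
#   http_reply_access allow RESTRICTED_WEB RESTRICTED_USER
#   http_reply_access deny all RESTRICTED_USER

# Double quotes tell Squid to read the ACL values from the file, one per line.
acl AUTHENTICATED   proxy_auth REQUIRED
acl RESTRICTED_USER proxy_auth "/etc/squid/restricted_user.allow"
acl RESTRICTED_WEB  dstdomain  "/etc/squid/restricted_web.limited"

# 1. Authenticate everybody first. This deny line ends in a proxy_auth ACL,
#    so a client without valid credentials gets a login challenge here.
http_access deny !AUTHENTICATED

# 2. Restricted users may reach only the listed domains. "all" is the last
#    ACL on each line, so a request matching the deny line is refused
#    outright instead of triggering another login challenge.
http_access allow RESTRICTED_WEB RESTRICTED_USER all
http_access deny RESTRICTED_USER all

# 3. Every other authenticated user is allowed; anything else is denied.
http_access allow AUTHENTICATED
http_access deny all
```

Running `squid -k parse` before reloading checks the file for syntax errors.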