paul cooper wrote:
> There is something in all this I really am not understanding. Sorry to be
> so stupid.
>
> AIUI now, it looks at the ACLs and processes them until it finds one that
> matches, and then it stops matching them and allows access. It will only
> deny a page when it has processed all the ACLs and NOT found a match.


There are two slightly different things involved here:
  ACL and ACCESS

Squid checks all ACCESS lines _in the order configured_.
The first that matches is used, end of story #1.


In order to process any single ACCESS line squid must check the ACL listed in it. It only matches if all the ACL _on that line_ are matched.

The behaviour you are thinking of applies just to the ACL within a single ACCESS line.


So to take an example from your config:

  http_access allow emma weekends
        - will ONLY accept if emma is true AND weekends is true
        - will never deny anything
        - won't match if emma is false OR weekends is false

  http_access allow Safe_ports
        - will ONLY accept if (line above it doesn't match) AND Safe_ports is true
        - will never deny anything.
        - won't match if Safe_ports is false.


So we end up with three actions from each ACCESS line:
        ALLOW
        DENY
        TRY-NEXT-LINE

> If I have only 1 authenticated user (emma) then the time based ACL
> ('testing') it denies access as it should.
> When I add another user access (http_access allow andrew) the browser
> authentication box comes up, I put in 'emma' and it gives me access.
> I'm restarting squid and clearing the browser cache between all these
> attempts.


The deny/accept is happening in places you are not expecting them to occur.

Your ACL are working, ACCESS are not.




hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth emma # grep ^http /etc/squid/squid.conf
http_port 3128
http_access allow emma testing
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.

... username OK.

2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e

... NOT within the (testing) time configured.

2008/03/24 09:52:44| aclMatchAclList: no match, returning 0

(http_access allow emma testing) failed to match.

... moving on to try the next one....

2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'

2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found

.. you are on localhost. ACL matches.

2008/03/24 09:52:44| aclMatchAclList: returning 1

... do whatever the http_access is supposed to do with it...

2008/03/24 09:52:44| aclCheck: match found, returning 0

... which is a DENY ...

2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'localhost'

... send the denial message.

<snip the ACL testing for the reply 5xx/4xx message>




hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
<as before>

hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #

Translated from config to English:

  (emma when logged in) only on (weekends) CAN get through.
  (andrew) CAN get through at any time.

  (others) using (machine localhost) NOT allowed
  (others) NOT allowed




2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:56:04| aclMatchAclList: checking testing
2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
2008/03/24 09:56:04| aclMatchAclList: checking andrew
2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:56:04| Top is (nil), Top->data is Unavailable
2008/03/24 09:56:04| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'andrew'
2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
2008/03/24 09:56:04| aclMatchAclList: checking QUERY
2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/03/24 09:56:04| aclMatchRegex: checking '/'
2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: NO match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| clientProcessHit: HIT
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'all'
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:56:04| aclMatchAclList: checking testing
2008/03/24 09:56:04| aclMatchAcl: checking 'acl testing  time MTWHF 07:30-08:00'
2008/03/24 09:56:04| aclMatchTime: checking 596 in 450-480, weekbits=3e
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: checking 'http_access allow andrew'
2008/03/24 09:56:04| aclMatchAclList: checking andrew
2008/03/24 09:56:04| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/24 09:56:04| aclCacheMatchAcl: cache hit on acl '0x82a7d38'
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The request GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'andrew'
2008/03/24 09:56:04| aclCheck: checking 'cache deny QUERY'
2008/03/24 09:56:04| aclMatchAclList: checking QUERY
2008/03/24 09:56:04| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/03/24 09:56:04| aclMatchRegex: checking '/favicon.ico'
2008/03/24 09:56:04| aclMatchRegex: looking for 'cgi-bin'
2008/03/24 09:56:04| aclMatchRegex: looking for '\?'
2008/03/24 09:56:04| aclMatchAclList: no match, returning 0
2008/03/24 09:56:04| aclCheck: NO match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| aclCheckFast: list: 0x82ab2b0
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_reply_access allow all'
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: match found, returning 1
2008/03/24 09:56:04| aclCheckCallback: answer=1
2008/03/24 09:56:04| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'all'
hepworth emma #




--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
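
Added example (not part of the original message, and not Squid code): a small Python model of the evaluation order traced in the two logs above, with ACLs ANDed within one http_access line and the first matching line deciding. All function and variable names are this example's own; ACLS_NAMED is an assumed variant in which the acl lines list the usernames (proxy_auth emma / proxy_auth andrew) instead of REQUIRED, and the model assumes the request already carries valid credentials.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src: str
    user: Optional[str]   # username after successful proxy authentication
    weekday: int          # 0 = Monday
    minute: int           # minutes since midnight, as in the aclMatchTime line

def proxy_auth(*names):
    # REQUIRED matches any authenticated user; otherwise the name must be listed.
    return lambda r: r.user is not None and ("REQUIRED" in names or r.user in names)

def time_acl(days, start, end):
    return lambda r: r.weekday in days and start <= r.minute <= end

def build_acls(emma, andrew):
    return {
        "all": lambda r: True,
        "localhost": lambda r: r.src == "127.0.0.1",
        "testing": time_acl(range(0, 5), 450, 480),   # MTWHF 07:30-08:00
        "emma": emma,
        "andrew": andrew,
    }

# ACLs as posted on the page: both names are 'proxy_auth REQUIRED'.
ACLS_PAGE = build_acls(proxy_auth("REQUIRED"), proxy_auth("REQUIRED"))
# Assumed variant (not from the page): each acl lists its own username.
ACLS_NAMED = build_acls(proxy_auth("emma"), proxy_auth("andrew"))

# The two http_access lists from the page, in configured order.
CONFIG_1 = [("allow", ["emma", "testing"]), ("deny", ["localhost"]), ("deny", ["all"])]
CONFIG_2 = [CONFIG_1[0], ("allow", ["andrew"])] + CONFIG_1[1:]

def evaluate(lines, acls, req):
    for action, names in lines:
        if all(acls[n](req) for n in names):   # every ACL on the line must match
            return action, " ".join(names)     # first matching line wins
        # no match on this line: TRY-NEXT-LINE
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if lines[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    req = Request("127.0.0.1", "emma", 0, 592)  # constructed from the 09:52 log
    for label, cfg, acls in [("config 1", CONFIG_1, ACLS_PAGE),
                             ("config 2", CONFIG_2, ACLS_PAGE),
                             ("config 2, named users", CONFIG_2, ACLS_NAMED)]:
        print(label, evaluate(cfg, acls, req))
```

With the page's ACLs, 'andrew' is just another name for "any authenticated user", which is why emma's credentials satisfy http_access allow andrew.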
