Hello,

Am I going crazy here? While working on the bump-ssl-server-first
project, we noticed that authentication does not seem to work right.
Squid debugging shows that a denied user is authenticated but Squid
allows access anyway. The attached patch is what I came up with. Please
review as I am not an ACL expert, and it seems strange to me that such a
big bug would remain unnoticed for so long!

Technical/commit details from the patch preamble:

When AuthenticateAcl() and aclMatchExternal() were converted to use
extended authentication ACL states (r11644 and r11645 dated 2011-08-14),
the result of those function calls was set as the current checklist
answer. This was incorrect because those functions do not make
allow/deny decisions. They only tell us whether the ACL part of the
allow/deny rule matches. If there is a match, the
ACCESS_ALLOWED/ACCESS_DENIED answer depends on whether it is an allow or
deny rule.

For example, "http_access deny BadGuys" should deny access when the
BadGuys ACL matches, but it was allowing access instead.

Thank you,
Alex.
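
The distinction the patch preamble draws between "the ACL matched" and "the request is allowed", as an added example that is not Squid source code and not part of the original message. `Rule`, `aclMatches`, `checkBuggy`, `checkFixed` and `sampleRules` are hypothetical names, the user names are constructed, and the deny-when-nothing-matches default is an assumption of this model.

```cpp
// Simplified model of allow/deny rule evaluation. Not Squid source code:
// Rule, aclMatches, checkBuggy, checkFixed and sampleRules are hypothetical.
#include <iostream>
#include <set>
#include <string>
#include <vector>

enum Answer { ACCESS_DENIED, ACCESS_ALLOWED };

struct Rule {
    Answer action;               // the rule's keyword: allow or deny
    std::set<std::string> acl;   // users the rule's ACL matches
};

// Reports only whether the ACL part of the rule matches; no allow/deny decision.
static bool aclMatches(const Rule &r, const std::string &user) {
    return r.acl.count(user) > 0;
}

// Buggy pattern: a positive match is stored as the checklist answer.
Answer checkBuggy(const std::vector<Rule> &rules, const std::string &user) {
    for (const Rule &r : rules)
        if (aclMatches(r, user))
            return ACCESS_ALLOWED;   // "matched" mistaken for "allowed"
    return ACCESS_DENIED;            // assumption: no match means deny
}

// Corrected pattern: a match selects the rule, the rule's action is the answer.
Answer checkFixed(const std::vector<Rule> &rules, const std::string &user) {
    for (const Rule &r : rules)
        if (aclMatches(r, user))
            return r.action;
    return ACCESS_DENIED;            // assumption: no match means deny
}

// Constructed sample: "deny BadGuys" followed by "allow Users".
std::vector<Rule> sampleRules() {
    return {
        {ACCESS_DENIED,  {"mallory"}},          // BadGuys
        {ACCESS_ALLOWED, {"alice", "mallory"}}  // Users
    };
}

int main() {
    const std::vector<Rule> rules = sampleRules();
    const std::vector<std::string> users = {"mallory", "alice"};
    for (const std::string &user : users)
        std::cout << user << ": buggy=" << checkBuggy(rules, user)
                  << " fixed=" << checkFixed(rules, user) << "\n";
    return 0;
}
```

A regression test for this class of bug needs a user who authenticates successfully and is also named in a deny rule; a test with only allowed users passes under both versions.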
This archive was generated by hypermail 2.2.0 : Mon Mar 12 2012 - 12:00:10 MDT