I have spent a few more hours this morning testing this more thoroughly.
This time I was making no changes to any of my NT Global Groups; I just
surfed the web seeing how often I would be correctly blocked from accessing
a site. The results were very bad.
Maybe 1 in 5 requests were being sent to the redirector by the
redirector_access rule. I'm unsure if I am doing anything wrong, or if it is
the combination of redirector_access and wb_groups not getting along.
All I know is I will be unable to use this in a production environment.
I'd log a bug, but I don't really know what to say, and I wouldn't be able to
provide any concrete evidence (except for what I have supplied below)... All I
can say is this feature may need reviewing sometime in the future.
Again, here were my ACLs/access rules:
acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED
redirector_access allow AuthorizedUsers FilteredUsers
http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers
====
cache.log - debug 61,9
====
2003/06/25 10:31:19| redirectStart: 'http://www.porn.com/'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/back.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/spacer.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/p_top.jpg'
2003/06/25 10:31:21| redirectStart:
'http://www.porn.com/images2/today_top.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/baba.gif'
2003/06/25 10:31:21| redirectHandleRead:
{http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=
domain\jturner&url=http://www.porn.com/images2/baba.gif 10.20.10.122/-
domain\jturner GET}
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/1.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/light.gif'
2003/06/25 10:31:21| redirectHandleRead:
{http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=
domain\jturner&url=http://www.porn.com/images2/light.gif 10.20.10.122/-
domain\jturner GET}
As you can see, only 2 of the 10 requests were sent to the redirector. When
they did go, they were correctly blocked.
Thanks for your time
Jay
-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Tuesday, 24 June 2003 4:49 PM
To: jturner@bsis.com.au; squid-users@squid-cache.org
Subject: Re: [squid-users] redirector_access usage
On Tuesday 24 June 2003 04.17, Jay Turner wrote:
> i.e. I add a 'Staff' member to 'block' and they lose access
> (correct), then I remove them from 'block' to re-instate access and
> then I find that the Staff member now gets passed through to the
> redirector rather than bypassing it.
This should be dependent on the ttl setting only, but maybe winbind
also has cached group memberships for the user.
Try running the wb_group helper interactively to see if it reacts
properly to group changes.
Regards
Henrik
-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or firewall
appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com

Received on Tue Jun 24 2003 - 20:45:17 MDT
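To quantify what the thread describes without counting cache.log lines by hand, here is an added example (not from the thread, and not Squid's own code) that pairs each redirectStart entry of a debug 61,9 log with the redirector reply for the same URL and lists the requests that came back untouched. It assumes the deny page carries the original URL in its url= query parameter, as the denied.php reply above does, and runs on a constructed log sample modelled on the entries in the mail.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of cache.log output at debug_options 61,9, modelled on
# the entries in the thread (each entry on one line, as the real log writes it).
# A redirectHandleRead entry holds the helper's reply:
# "<new-url> <client>/- <user> <method>".
SAMPLE_LOG = """\
2003/06/25 10:31:19| redirectStart: 'http://www.porn.com/'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/back.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/baba.gif'
2003/06/25 10:31:21| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=domain\\jturner&url=http://www.porn.com/images2/baba.gif 10.20.10.122/- domain\\jturner GET}
"""

START_RE = re.compile(r"^\S+ \S+\| redirectStart: '([^']*)'")
READ_RE = re.compile(r"^\S+ \S+\| redirectHandleRead: \{(\S+) (\S+) (\S+) (\S+)\}")


def original_url_from_reply(reply_url):
    """Recover the blocked URL from the deny page's 'url' query parameter
    (assumption: the denied.php?...&url=<orig> convention seen in the thread)."""
    params = parse_qs(urlsplit(reply_url).query)
    return params.get("url", [None])[0]


def analyse_redirect_log(log_text):
    """Return (sent, rewritten): sent lists every URL handed to the redirector,
    rewritten maps an original URL to the deny URL the helper returned for it."""
    sent, rewritten = [], {}
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            sent.append(m.group(1))
            continue
        m = READ_RE.match(line)
        if m:
            new_url = m.group(1)
            orig = original_url_from_reply(new_url)
            if orig is not None:
                rewritten[orig] = new_url
    return sent, rewritten


def report(log_text):
    """Summarise how many requests reached the helper and which came back untouched."""
    sent, rewritten = analyse_redirect_log(log_text)
    passed_through = [u for u in sent if u not in rewritten]
    return {"sent": len(sent), "rewritten": len(rewritten), "passed_through": passed_through}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Requests that never produce a redirectStart at all (the symptom reported above) will not appear in either list, so compare the "sent" count against access.log for the same period to see how many requests bypassed redirector_access entirely.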