RE: [squid-users] Trying to use user_cert acl with SQUID 2.5 + SSL patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 3 Sep 2004 19:41:39 +0200 (CEST)

On Fri, 3 Sep 2004, Fauquet, Xavier wrote:

> Well, I tried the following :
> acl USER-ok CN surname.name
> acl USER-ko CN ko1.ko1
> http_access allow USER-ok
> http_access deny USER-ko
>
> Both users can still browse.
> Anything I forgot ?

The acl statements are not using correct syntax. They should be

acl USER-ok user_cert CN surname.name
acl USER-ko user_cert CN ko1.ko1

but I assume this is just a typo in your message. Please use "squid -k
parse" to verify the syntax of your configuration.

The example above should work in principle, but does not really deny other
users access. All this says is that the user surname.name is allowed and
the user ko1.ko1 is not. Other users (or users who selected not to present
a certificate) are not matched by these two rules.

Make sure there are no other http_access rules before this allowing access,
and that you do not allow access without a certificate.

Please try

http_access allow USER-ok
http_access deny USER-ko
http_access deny all

It may also be worth mentioning that this feature of the SSL update patch
is not very well tested as the customer who ordered this feature backed
out just before delivery but MARA Systems selected to publish these
additions to the SSL support regardless. I do remember it passing at least
the basic tests and also have some memory of someone else actually using
this successfully.

Regards
Henrik
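Added example, not code from the thread or from Squid: a small simulator of how Squid walks its http_access list for user_cert CN acls, used to show why the two-rule list above leaves every other client (including one presenting no certificate) allowed until an explicit final deny is added. It assumes the documented Squid behaviour that a request matching no http_access line gets the opposite of the last line's action, and that the `all` acl is already defined.

```python
# Added example, not from the thread: a minimal simulator of how Squid walks its
# http_access list for user_cert CN acls. Squid checks the lines top to bottom,
# stops at the first matching line, and when no line matches applies the
# opposite of the last line's action (with no lines at all, everything is denied).
from typing import Optional

def parse_config(text: str):
    """Parse 'acl NAME user_cert CN VALUE...' and 'http_access allow|deny NAME' lines.
    Returns (acls, rules); 'all' is assumed predefined and matches every client."""
    acls = {"all": None}  # None = matches anyone, including clients with no certificate
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            # Rejects the 'acl NAME CN value' form from the question, as squid -k parse would.
            if len(parts) < 5 or parts[2:4] != ["user_cert", "CN"]:
                raise ValueError(f"malformed or unsupported acl line: {raw.strip()!r}")
            acls.setdefault(parts[1], set()).update(parts[4:])
        elif parts[0] == "http_access" and len(parts) == 3 and parts[1] in ("allow", "deny"):
            if parts[2] not in acls:
                raise ValueError(f"http_access references undefined acl {parts[2]!r}")
            rules.append((parts[1], parts[2]))
        else:
            raise ValueError(f"unsupported line: {raw.strip()!r}")
    return acls, rules

def http_access(acls, rules, cn: Optional[str]) -> str:
    """Decision for a client whose certificate subject CN is `cn` (None = no certificate)."""
    for action, name in rules:
        values = acls[name]
        if values is None or (cn is not None and cn in values):
            return action  # first matching line decides
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last line

# Constructed sample: the thread's two rules in correct syntax, then with the explicit final deny.
TWO_RULES = """acl USER-ok user_cert CN surname.name
acl USER-ko user_cert CN ko1.ko1
http_access allow USER-ok
http_access deny USER-ko
"""
WITH_DENY_ALL = TWO_RULES + "http_access deny all\n"

def decisions(config: str, cns):
    """Map each client CN (None = no certificate) to its allow/deny decision."""
    acls, rules = parse_config(config)
    return {cn: http_access(acls, rules, cn) for cn in cns}
```

Running `decisions(TWO_RULES, ["surname.name", "ko1.ko1", "someone.else", None])` shows the third user and the certificate-less client allowed; with `WITH_DENY_ALL` both are denied, and feeding the original `acl USER-ok CN surname.name` line to `parse_config` raises, mirroring what `squid -k parse` would report.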
Received on Fri Sep 03 2004 - 11:41:43 MDT
