Re: [squid-users] ACL ordering problem

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 07 May 2008 23:35:27 +1200

Rolf Loudon wrote:
> hello
>
> I cannot seem to get an ACL sequence to work as I expect it to (using
> 2.6stable9).
>
> I have right at the start of the config:
>
> acl authenticated_user proxy_auth REQUIRED
> then
> acl no_auth_unrestricted dstdomain "/usr/local/squid/no_authentication_required"
> http_access allow no_auth_unrestricted
>
> the file referenced contains a simple list of domain names.
>
> Further down I have a reference to an Active Directory Group membership
> test:
>
> acl ge_users external ADdomainGroup cn=GEUsers,cn=users,dc=example,dc=com
> acl ge_sites "/usr/local/squid/ge_sites"
> http_access allow ge_users ge_sites authenticated_user
>
> The external acl ADdomainGroup is defined as:
>
> external_acl_type ADdomainGroup ttl=900 %LOGIN /usr/lib/squid/squid_ldap_group -b "<searchbase>" -f (&(cn=%u)(memberOf=%g)) -H "ldap://ldaphost1/ ldap://ldaphost2/" -S -D <bindUsername> -w"password"
>
> The checking of group membership against AD has worked perfectly for
> years and has never been an issue.
>
> If I try to go to a site in the "no authentication required" list at the
> top I simply get a 403 in the logs and the "access control prevents
> access" etc message. Why does it not simply allow the request?

It should be by those details above.
What exact URI is failing and what entry is supposed to match it in the
file no_authentication_required?

> If I then go to a site that requires authentication, not necessarily the
> "ge_sites", but any other allow that has authenticated_user as part of
> the conditions, then the 407 is sent, I enter the credentials and get to
> the site. Then returning to try a site as above that does not require
> auth, the site loads ok and the logs show the browser has sent the
> credentials.

Hmm, something elsewhere down a bit that you are not expecting to have
any connection is causing the authorized allow (second time).

>
> If I remove the acl and http_access for ge_users that talks to AD, the
> sites requiring no authentication load as expected without need to send
> credentials.

Same thing as when authorized is allowing them. Still no sign of
no_authentication_required actually working.

>
> How do I arrange the ACLs so that sites that require no authentication
> get allowed?

I think you got the order right, just not the ACL content you need.

The most common mistake with dstdomain is thinking that "dstdomain
example.com" will match domains like www.example.com.
For that you need to start the partial-domain with a dot,
  i.e. "dstdomain .example.com"

>
> I have tried looking at the output of debug_options ALL,1 33,2 but have
> not been able to find the problem.

debug_options ALL,1 28,6 will show you the access controls in detail.

Amos

-- 
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
Received on Wed May 07 2008 - 11:35:32 MDT
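The dstdomain matching rule Amos describes, as an added Python example that is not from the thread or from Squid's own code: it emulates the comparison documented in Squid's matchDomainName() and runs it against a constructed stand-in for the no_authentication_required file (the domain names and file contents are illustrative assumptions).

```python
# Added example, not code from the thread: emulates the dstdomain comparison
# Squid performs (the rules documented in Squid's matchDomainName()), so the
# leading-dot behaviour Amos describes can be checked against a domain file.
#   entry "foo.com"  matches foo.com only (leading dots on the host are ignored)
#   entry ".foo.com" matches foo.com and any subdomain such as x.foo.com
# Matching is case-insensitive. The file contents below are constructed.
from typing import Iterable, List, Optional


def domain_matches(host: str, entry: str) -> bool:
    """True if `host` matches one dstdomain `entry` using Squid's rules."""
    h = host.lower().lstrip(".")          # Squid strips leading dots on hosts
    d = entry.lower()                     # ...but not on the ACL entry
    if d.startswith("."):
        suffix = d[1:]
        return h == suffix or h.endswith("." + suffix)
    return h == d


def parse_domain_file(text: str) -> List[str]:
    """Entries from a quoted ACL file: whitespace-separated, '#' lines skipped."""
    entries: List[str] = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        entries.extend(line.split())
    return entries


def first_match(host: str, entries: Iterable[str]) -> Optional[str]:
    """The entry that would make the ACL match `host`, or None (no match)."""
    for entry in entries:
        if domain_matches(host, entry):
            return entry
    return None


# Constructed stand-ins for /usr/local/squid/no_authentication_required.
# The first is the common mistake: www.example.com never matches "example.com".
NO_AUTH_FILE_BROKEN = "# no 407 challenge for these\nexample.com\nupdates.example.org\n"
NO_AUTH_FILE_FIXED = ".example.com\nupdates.example.org\n"

if __name__ == "__main__":
    for label, text in (("broken", NO_AUTH_FILE_BROKEN), ("fixed", NO_AUTH_FILE_FIXED)):
        entries = parse_domain_file(text)
        for host in ("example.com", "www.example.com", "updates.example.org"):
            print(f"{label:6} {host:22} -> {first_match(host, entries)}")
```

Running it shows www.example.com falling through to the next http_access line (and therefore to the authentication challenge) with the "broken" file, and matching ".example.com" with the fixed one.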
