Krzysztof Szewczyk wrote:
>
> > There has been examples on how to allow some users access to some
> > destinations posted here in the last few days and numerous times before,
> > but here we go again:
> >
> > acl usergroup1 proxy_auth user1 user2 user3 user4
> > acl usergroup2 proxy_auth user5 user6 user7 user8
> >
> > acl dstgroup1 dstdomain host1.example.com host2.example.com
> > host3.example.com
> > acl dstgroup2 dstdomain host4.example.com host5.example.com
> >
> > http_access allow usergroup1 dstgroup1
> > http_access allow usergroup2 dstgroup2
>
> Henrik,
> sorry but this is quite dark -if i create acl like:
>
> acl intranet dst 10.40.0.0/255.255.0.0
> acl friends dst 10.30.0.0/255.255.0.0
> acl foo proxy_auth REQUIRED
>
> http_access allow intranet
> http_access allow foo
> http_access allow friends
>
> then I'm not able to controll access to the host with url, for
> instance, '...host/apps/foo/' if this host has address 10.40.2.2 because
> it belongs to 'intranet' and users have free access to intranet.
> What I want is that users log on to access '...host/apps/foo/'....
>
> I understad the above example like: 'free access to intranet and friends,
> rest must enter password'
Not quite, and it is very different from the configuration example I
gave above. Your example reads
free acess to intranet
free access to anyone who authenticates themselves
the last line will not ever be reached.
Order of your rules is very imporant, and the composition of each
individual rule
http_access allow a
http_access allow b
http_access allow c
is not the same thing as
http_access allow a b c
and
http_access allow a
http_access allow b
is not always the same thing as
http_access allow b
http_access allow a
(for simple acl types such as dstdomain it is, but not if you use
proxy_auth or other acl types with side effects)
Regards
Henrik Nordström
Squid Hacker
Received on Tue Oct 23 2001 - 04:36:26 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:03:04 MST