[squid-users] smb_auth bypassing defined acl rules?

From: Bob Avery-Babel <Bob@dont-contact.us>
Date: Mon, 13 Jan 2003 08:04:04 -0600

Good Morning all!

Last friday I set up squid for the first time. I defined some access rules
and they seemed to work fine. Here is what they look like:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl mynetwork src 192.168.0.0/24
acl workmachine src 207.xxx.xxx.xxx
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access allow mynetwork
#http_access allow workmachine
# And finally deny all other access to this proxy
http_access deny all

I could deny or allow access to my work machine here at work. If I allowed
it then I could use the cache. If I commented it out, like above, I would
get the cache denied page. Cool.

So last night I put in some authentication lines:

authenticate_program /usr/bin/smb_auth -W PARADISE
acl domainusers proxy_auth REQUIRED
http_access allow domainusers

Now, even with my proxy supposedly denying my work machine I'm getting a
username and password prompt. If I enter in a proper username and password
combo I'm in.

How does this authentication override the rule that says I can't connect
from my work IP?

Any advice would be greatly appreciated.

Thanks,

Bob
Received on Mon Jan 13 2003 - 07:04:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:38 MST