Re: [squid-users] external_acl/auth_proxy and deny_info

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 29 Jan 2003 10:16:56 +0100

To deny access, and use deny_info you should be using http_access deny
...

something like this should work I think

http_access allow auth_hosts quota
http_access deny auth_hosts

deny_info ERR_NO_AUTH quota
deny_info ERR_NO_QUOTA auth_hosts

or rearranged to make more sense in deny_info

http_access deny auth_hosts ldap_auth !quota
http_access allow auth_hosts ldap_auth

deny_info ERR_NO_AUTH ldap_auth
deny_info ERR_NO_QUOTA quota

Note: deny_info for "login failed" is a special case. It is the only
case where requests can be denied by an acl element in the middle of any
http_access line. In all other cases only the last acl element of a
"http_access deny" line can deny access.

Regards
Henrik

"Piccoli, Lucio" wrote:
>
> hi all,
>
> I am trying to differentiate between the authentication and authorisation
> errors. But I can't seem to distinguish between an error generated by the
> external_acl return 'ERR' and the auth_proxy returns 'ERR'. Both errors
> become ERR_NO_AUTH. I would have thought that the authentication failing
> would generate a separate error to the authorisation. Is this possible?
>
> Any help is most appreciated
>
> [snip of config]
>
> external_acl_type quota_acl ttl=900 %LOGIN /usr/local/squid/libexec/quota_acl
> auth_param basic program /usr/local/squid/libexec/squid_ldap_auth
>
> acl quota external quota_acl
> acl ldap_auth proxy_auth REQUIRED
>
> http_access deny bannedsites
> http_access deny !quota
> http_access deny !ldap_auth
>
> http_access allow externalnets
> http_access allow no_auth_hosts
> http_access allow auth_hosts quota ldap_auth
>
> # the error page
> deny_info ERR_NO_QUOTA ldap_auth
> deny_info ERR_BANNED bannedsites
> deny_info ERR_NO_AUTH quota
>
> -lp
>
> > http_access works by which acl the request was denied by, not which
> > acl the request was allowed by...
> >
> > I think you want
> >
> > http_access deny !quota
> >
> > Regards
> > Henrik
> >
> >
> > On Tuesday 28 January 2003 03.59, Piccoli, Lucio wrote:
> > > hi all,
> > >
> > > I am having trouble configuring the custom error pages for when
> > > my external_acl program returns 'ERR'. No matter what I set I
> > > always get the standard 'access denied' error page.
> > >
> > > external_acl_type quota_acl ttl=900 %LOGIN /usr/local/squid/libexec/quota_acl
> > > acl quota external quota_acl
> > > http_access allow quota
> > > # the error page
> > > deny_info ERR_NO_AUTH quota
> > >
> > > Q. What config is required to display my custom page when the
> > > external_acl fails?
> > >
> > > I guess one mechanism is to edit the 'access denied' error page
> > > which I assume is used for many types of error.
> > >
> > > any ideas?
> > >
> > > -lucio piccoli
> > > -------------------------
> > > QCOM Australia Pty Ltd
> > > ph +61 7 3858 6256
> >
Received on Wed Jan 29 2003 - 02:40:12 MST
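
The selection rule described in the reply, as an added example that is not part of the original thread and is not Squid code: a simplified Python model that walks http_access lines and picks the deny_info page from the ACL that denied the request. Assumptions: ACL results are given as constructed per-request facts, the quota helper cannot return OK without a valid login (it is keyed on %LOGIN), and evaluate(), pages() and the default for "no line matched" are hypothetical.

```python
# Simplified model of the rule described in the reply; not Squid code.
# ACL results are supplied per request instead of calling real helpers.
AUTH_ACLS = {"ldap_auth"}  # proxy_auth ACLs: a failed login denies mid-line

def evaluate(rules, deny_info, facts):
    """Return (action, error_page); a "!" prefix negates an ACL name."""
    for action, acls in rules:
        matched = True
        for term in acls:
            name = term.lstrip("!")
            result = facts.get(name, False)
            if name in AUTH_ACLS and not result:
                # Special case: "login failed" denies here, wherever the
                # ACL sits on the line.
                return "deny", deny_info.get(name)
            if result == term.startswith("!"):
                matched = False
                break
        if matched and action == "deny":
            # Normal case: the page comes from the LAST ACL on the line.
            return "deny", deny_info.get(acls[-1].lstrip("!"))
        if matched:
            return "allow", None
    return "deny", None  # model default when no line matches (assumption)

# The rearranged rules from the reply.
REARRANGED = [("deny", ["auth_hosts", "ldap_auth", "!quota"]),
              ("allow", ["auth_hosts", "ldap_auth"])]
REARRANGED_INFO = {"ldap_auth": "ERR_NO_AUTH", "quota": "ERR_NO_QUOTA"}

# The rules from the quoted question.
ORIGINAL = [("deny", ["bannedsites"]), ("deny", ["!quota"]),
            ("deny", ["!ldap_auth"]), ("allow", ["externalnets"]),
            ("allow", ["no_auth_hosts"]),
            ("allow", ["auth_hosts", "quota", "ldap_auth"])]
ORIGINAL_INFO = {"ldap_auth": "ERR_NO_QUOTA", "bannedsites": "ERR_BANNED",
                 "quota": "ERR_NO_AUTH"}

# Constructed requests, all from auth_hosts.
BAD_LOGIN = {"auth_hosts": True, "ldap_auth": False, "quota": False}
OVER_QUOTA = {"auth_hosts": True, "ldap_auth": True, "quota": False}
WITHIN_QUOTA = {"auth_hosts": True, "ldap_auth": True, "quota": True}

def pages(rules, info):
    """Outcome for the three constructed requests, in the order above."""
    return [evaluate(rules, info, f) for f in (BAD_LOGIN, OVER_QUOTA, WITHIN_QUOTA)]

if __name__ == "__main__":
    print("original  :", pages(ORIGINAL, ORIGINAL_INFO))
    print("rearranged:", pages(REARRANGED, REARRANGED_INFO))
```

In this model the original rules send both failure cases through "http_access deny !quota", so both get the page bound to quota, while the rearranged rules separate the two.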
