Re: [squid-users] can not access sites due to acl when using ntlm auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 20 Aug 2004 09:18:44 +0200 (CEST)

On Thu, 19 Aug 2004, Merton Campbell Crockett wrote:

> Perhaps it would be clearer and simpler to write this as two access rules.
>
> http_access deny !KIOSK.dstdomain
> http_access allow KIOSK

No, this won't work either as this restricts all users to the
KIOSK.dstdomain destinations, not only the KIOSK users.

> At the end of each rule set there is an implicit deny all. This may not
> be entirely accurate. I recall Duane Wessels mentioning somewhere that
> the implied last rule is the inverse of the last explicit rule. Based on
> the above example, the implicit rule would be the following.
>
> http_access deny !KIOSK

It is strongly recommended to always have an explicit "http_access deny
all" at the end.

Relying on the implicit inverse rule when there is no matching rule can be
confusing.

Regards
Henrik
Received on Fri Aug 20 2004 - 01:18:54 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Sep 01 2004 - 12:00:02 MDT