On Tue, 8 Feb 2005, Oliver Hookins wrote:
> I've never quite understood it... hence my problem. Let me run this by you
> though.
It's an ordered list of rules
http_access allow|deny acl AND acl AND ...
OR
http_access allow|deny acl AND acl AND ...
OR
...
wher AND/OR is in the logic absolute sense, not the english fuzzy one.
> If the request is for one of the allowedsites or from the list of IP
> addresses in SURFING, the AuthGroup will never even be touched so NTLM
> authentication is not activated?
>
> So I should put http_access allow AuthGroup at the very top so that NTLM
> authentication is forced on all requests.
Then you will allow AuthGroup to access anything.
> Then if the request is neither from a user in the authorised LDAP group,
> or from an IP address in SURFING, or to an allowedsite (or from
> localhost) it will be denied?
If you do
http_access allow A
http_access allow B
http_access allow C
then the request will be allowed if it matches either A, B or C.
If you do
http_access allow A B C
then the request will be allowed if it matches all of A B and C.
http_access processing is always done top-down left to right.
> When does Squid decided if it needs to activate the proxy_auth password
> required thing?
As soon as it encounters a acl requiring authentication when processing
the http_access rules.
> During parsing of the configuration file or when a request is
> made?
When the request is made.
Regards
Henrik
Received on Tue Feb 08 2005 - 01:11:12 MST
This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST