On Tue, 22 Jun 2010 16:30:52 +0200, Alberto Cappadonia
<alberto.cappadonia_at_polito.it> wrote:
> Hi,
>
> I've a question about proxy_auth acl.
>
> if I've an acl list like the following
>
> acl friends proxy_auth mary jane carl
> acl target dst 10.0.0.1
>
> http_access friends allow
> http_access target deny
On startup your Squid barfs with "FATAL: Bungled squid.conf"
The syntax is:
"http_access" ( "allow" | "deny" ) [acl] [acl ...]
>
> What happens when mary contacts 10.0.0.1? always allow?
Yes. "mary", "jane" and "carl" are allowed unrestricted access to HTTP
once logged in.
>
> If "http_access friends allow" is evaluated to true, is the second also
> checked?
No. *_access lines always evaluate to one of two results:
true -> stop and do (allow|deny).
false -> test next rule.
>
> I mean, the proxy_auth acl is considered by squid like the others acl,
or
> is
> evaluated only the first time and when the timeout expires?
ACL are evaluated every test.
All ACL which require remote lookups (ie DNS lookups, proxy_auth, ident
and external) each have an internal cache of results which gets checked
first before the slow helper is asked. Some protocols see M/ttl of M
requests, others see M of M requests.
>
> Is there some doc explaining the state-chart of the entire
> authentication scheme?
No. Each authentication protocol (auth_param X) differs.
Note that *authentication* is very different to the *authorization* scheme
you are asking about.
Access Controls authorizes some particular request to happen or not to
happen. Sometimes, as in your config an user is required to be
authenticated before they can be authorized access. Usually they can be
denied without authentication (ie external machines).
The state diagram of your access controls is called squid.conf.
* Starting at the top each line is evaluated top-down left-to-right.
* First word is the point of transfer affected by the control
(http_access -> each HTTP request).
* Second word is the policy to enforce (allow/deny).
* Third and following is a list of stats to be tested.
* if an ACL is true, the next on the line gets tested, end of line the
policy applied.
* if an ACL is false, the next line gets checked.
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
Amos
Received on Wed Jun 23 2010 - 06:26:18 MDT
This archive was generated by hypermail 2.2.0 : Wed Jun 23 2010 - 12:00:04 MDT