On 19/02/2013 8:19 a.m., David Touzeau wrote:
>
> Dear all, I need some clarification about the "AND" operator in
> http_access (or any other tokens using ACLs).
>
> I cannot find where I went wrong...
>
> I need to ban some websites except for some specified users.
>
> I created 2 ACLs:
>
> acl MyAllowedU proxy_auth david jhon mirna
> acl bannedw dstdomain .msn.com .yahoo.com
>
> Basically I can do this:
>
> http_access deny !MyAllowedU bannedw
Basically yes, they are ANDed together. However...
>
> Is there any change in behavior if I do
> http_access deny bannedw !MyAllowedU
They are tested in order and each of those types has different
side-effects from testing.
bannedw has no side-effects beyond DNS lookup on raw-IP requests.
MyAllowedU has the side effect of triggering authentication re-challenge
if it is last on the line and fails to match a user (missing, wrong
password, other user).
In your initial setup it only triggers authentication challenge if
credentials are *missing*.
Other than the auth behaviour, the second setup is a faster ACL testing
sequence on all traffic which fails to match bannedw.
If you need to change the order for performance, place "all" at the
right-hand end of the line to prevent the change of auth behaviour.
Amos
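The three orderings discussed in this thread, written out as a squid.conf fragment. This is an added illustration, not configuration posted by either participant; the auth_param lines, the helper path /usr/lib/squid/basic_ncsa_auth, the password file and the localnet ACL are assumptions included only so the fragment is complete enough to load.

```conf
# Assumed authentication setup (not part of the original thread): any
# auth_param scheme works, the proxy_auth ACL below only needs one to exist.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

acl localnet src 10.0.0.0/8          # assumed client network
acl MyAllowedU proxy_auth david jhon mirna
acl bannedw dstdomain .msn.com .yahoo.com

# Ordering 1 (the original): MyAllowedU is tested first on EVERY request,
# so every request must carry credentials; a missing credential triggers
# a 407 challenge, but a wrong/other user is simply denied on banned sites
# because proxy_auth is not the last ACL on the line.
#http_access deny !MyAllowedU bannedw

# Ordering 2: bannedw is tested first, so unbanned domains never touch the
# auth ACL (faster). But proxy_auth is now LAST on the line, so a request to
# a banned domain from a user not in the list gets a 407 re-challenge
# instead of a plain deny.
#http_access deny bannedw !MyAllowedU

# Ordering 2 with "all" appended: same fast path, and because "all" (not
# proxy_auth) is the final ACL on the line, a non-listed user is denied
# rather than re-challenged. This is the variant recommended above.
http_access deny bannedw !MyAllowedU all

# Remaining policy (assumed): allow the local network, deny everything else.
http_access allow localnet
http_access deny all
```

Only one of the three deny lines should be active at a time; the other two are left commented so the difference in evaluation order is visible side by side. Check the result with `squid -k parse` before reloading, and watch access.log for TCP_DENIED/407 versus TCP_DENIED/403 on a banned domain to confirm which behaviour you have.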
Received on Tue Feb 19 2013 - 00:19:22 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 19 2013 - 12:00:04 MST