Re: [squid-users] Enforcing authentication for specific IP addresses

From: Leonardo Rodrigues Magalhães <leolistas@dont-contact.us>
Date: Tue, 05 Feb 2008 15:03:10 -0200

Andrew Hodgson wrote:
> Hi,
>
> I have a Squid server used on a test network. I want to allow some users to authenticate through the proxy if they are on specific IP addresses, to test software functionality, using basic authentication. However, the rest of the clients should go through without authentication.
>
> I have ACLS such as:
>
> Acl Authenticated_IPs src 10.10.10.50 10.10.10.51 proxy_auth REQUIRED
> Acl Test_Network src 10.10.10.0/24 10.10.30.0/24
> http_access allow Authenticated_IPs
> http_access allow Test_Network
>
> This obviously doesn't work because the proxy_auth REQUIRED bit at the end of the first ACL is not understood by the SRC part. So is there any other way to get a similar configuration working?
>
>

    Simply split your ACLs !!!

acl Authentication proxy_auth REQUIRED
acl Authenticated_IPs src 10.10.10.50 10.10.10.51
acl Test_Network src 10.10.10.0/24 10.10.30.0/24

http_access allow Authenticated_IPs Authentication
http_access allow Test_Network

    One thing that you should always notice when using networks WITH and
networks WITHOUT authentication ....

    In http_access rules with more than one ACL, ACLs are evaluated
linearly, that is, in the order YOU configure them. In the example:

http_access allow Authenticated_IPs Authentication
http_access allow Test_Network

    the first http_access rule will evaluate the IP first and then, if
the Authenticated_IPs ACL matches, it will evaluate Authentication, which will
give the username/password window in the browser. If we had done:

http_access allow Authentication Authenticated_IPs

    Authentication would be evaluated first and would give the
authentication window no matter which IP the request is coming from, because
the source IP address would only be evaluated after authentication
successfully happened. So, if you had exchanged the ACL order, EVERYBODY
would see the authentication window, including people from Test_Network.

    Another way of avoiding this would be having the 'http_access allow
Test_Network' BEFORE the other http_access rule. So, no matter the ACL
order, Test_Network would be allowed before the authentication ACLs are
called.

    In larger environments, which mix authenticated and
non-authenticated rules, it is sometimes PRETTY tricky to correctly order
http_access rules and have everything working properly.

-- 
	Best regards / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br
	My SPAM trap, do NOT send email
	gertrudes@solutti.com.br
	My SPAMTRAP, do not email it

Received on Tue Feb 05 2008 - 10:03:29 MST
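As an added illustration, not part of the thread and not Squid's own code: a small Python model of the http_access ordering the reply describes, run against the three rule orderings discussed (the reply's ordering, the swapped ordering it warns about, and Test_Network first). The ACL table and the sample client addresses are constructed from the ones in the thread, and the model only covers 'src' and 'proxy_auth' ACLs with the behaviour the reply states: the first proxy_auth ACL reached without credentials produces the login prompt and stops evaluation.

```python
import ipaddress

# Constructed ACL table mirroring the split configuration in the reply.
# Each entry is (acl type, argument); only 'src' and 'proxy_auth' are modelled.
ACLS = {
    "Authentication": ("proxy_auth", "REQUIRED"),
    "Authenticated_IPs": ("src", ["10.10.10.50", "10.10.10.51"]),
    "Test_Network": ("src", ["10.10.10.0/24", "10.10.30.0/24"]),
}

# http_access rule sets from the thread: the reply's ordering, the swapped
# ordering it warns about, and the "Test_Network first" alternative.
GOOD = [("allow", ["Authenticated_IPs", "Authentication"]), ("allow", ["Test_Network"])]
SWAPPED = [("allow", ["Authentication", "Authenticated_IPs"]), ("allow", ["Test_Network"])]
TEST_NET_FIRST = [("allow", ["Test_Network"]), ("allow", ["Authentication", "Authenticated_IPs"])]

def src_matches(networks, src_ip):
    """True if src_ip falls inside any of the listed addresses or CIDR blocks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def evaluate(rules, src_ip, has_credentials=False):
    """Walk http_access rules top to bottom. Inside a rule the ACLs are
    checked left to right and all must match. Reaching a proxy_auth ACL
    without credentials ends the check with a 407 challenge, so rules below
    it are never consulted. Returns 'allow', 'deny' or 'auth_required'."""
    for action, acl_names in rules:
        for name in acl_names:
            kind, arg = ACLS[name]
            if kind == "proxy_auth" and not has_credentials:
                return "auth_required"      # browser shows the login window
            if kind == "src" and not src_matches(arg, src_ip):
                break                       # rule cannot match; try the next
        else:
            return action                   # every ACL in the rule matched
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    # Constructed sample clients: one plain Test_Network host, one test host.
    for label, rules in (("reply", GOOD), ("swapped", SWAPPED), ("test_net_first", TEST_NET_FIRST)):
        for ip in ("10.10.30.7", "10.10.10.50"):
            print(f"{label:15} {ip:12} -> {evaluate(rules, ip)}")
```

The Test_Network-first ordering also exposes a side effect of the overlapping ACLs in the thread: 10.10.10.50 lies inside 10.10.10.0/24, so with that ordering it is allowed without ever being prompted.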
