I have spent a few more hours this morning testing this more thoroughly. This time I was making no changes to any of my NT Global Groups; I just surfed the web, seeing how often I would be correctly blocked from accessing a site. The results were very bad. Maybe 1 in 5 requests were being sent to the redirector by the redirector_access rule. I'm unsure if I am doing anything wrong, or if it is the combination of redirector_access and wb_groups not getting along. All I know is I will be unable to use this in a production environment.

I'd log a bug, but I don't really know what to say or be able to provide any concrete evidence (except for what I have supplied below)... All I can say is this feature may need reviewing sometime in the future.

Again, here were my ACLs/access rules:

acl FilteredUsers external NTGroups "/etc/squid/ntgroups-filtered"
acl UnfilteredUsers external NTGroups "/etc/squid/ntgroups-unfiltered"
acl BlockedUsers external NTGroups "/etc/squid/ntgroups-blocked"
acl AuthorizedUsers proxy_auth REQUIRED

redirector_access allow AuthorizedUsers FilteredUsers

http_access deny AuthorizedUsers BlockedUsers
http_access allow AuthorizedUsers FilteredUsers
http_access allow AuthorizedUsers UnfilteredUsers

==== cache.log - debug 61,9 ====
2003/06/25 10:31:19| redirectStart: 'http://www.porn.com/'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/back.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/spacer.gif'
2003/06/25 10:31:20| redirectStart: 'http://www.porn.com/images2/p_top.jpg'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/today_top.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/baba.gif'
2003/06/25 10:31:21| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=
domain\jturner&url=http://www.porn.com/images2/baba.gif 10.20.10.122/- domain\jturner GET}
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/1.gif'
2003/06/25 10:31:21| redirectStart: 'http://www.porn.com/images2/light.gif'
2003/06/25 10:31:21| redirectHandleRead: {http://10.20.10.225/vw/denied.php?client=10.20.10.122&user=
domain\jturner&url=http://www.porn.com/images2/light.gif 10.20.10.122/- domain\jturner GET}

As you can see, only 2 of the 10 requests were sent to the redirector. When they did go, they were correctly blocked.

Thanks for your time
Jay

-----Original Message-----
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 24 June 2003 4:49 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [squid-users] redirector_access usage

On Tuesday 24 June 2003 04.17, Jay Turner wrote:

> i.e. I add a 'Staff' member to 'block' and they lose access
> (correct), then I remove them from 'block' to re-instate access and
> then I find that the Staff member now gets passed through to the
> redirector rather than bypassing it.

This should be dependent on the ttl setting only, but maybe winbind also has cached group memberships for the user..

Try running the wb_group helper interactively to see if it reacts properly to group changes.

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]