On Fri, 3 Sep 2004, Fauquet, Xavier wrote:

Well, I tried the following:
acl USER-ok CN surname.name
acl USER-ko CN ko1.ko1
http_access allow USER-ok
http_access deny USER-ko

Both users can still browse.
Anything I forgot?


The acl statements are not using correct syntax. Should be

acl USER-ok user_cert CN surname.name
acl USER-ko user_cert CN ko1.ko1

but I assume this is just a typo in your message. Please use "squid -k parse" to verify the syntax of your configuration.

The example above should work in principle, but does not really deny other users access. All this says is that the user surname.name is allowed and the user ko1.ko1 is not. Other users (or users who selected not to present a certificate) are not matched by these two rules.

Make sure there are no other http_access rules before this allowing access, and that you do not allow access without a certificate.

Please try

http_access allow USER-ok
http_access deny USER-ko
http_access deny all


It may also be worth mentioning that this feature of the SSL update patch is not very well tested as the customer who ordered this feature backed out just before delivery but MARA Systems selected to publish these additions to the SSL support regardless. I do remember it passing at least the basic tests and also have some memory of someone else actually using this successfully.


Regards
Henrik
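
Added example, not part of the message above and not Squid code: a simplified Python model of first-match http_access evaluation, showing what the rules from this thread decide for four constructed clients. The function names, the `someone.else` CN and the `SHADOWED` rule list are assumptions; the fallback for unmatched requests (the opposite of the last rule) is Squid's documented default and is not stated in the thread.

```python
# Simplified model of Squid http_access evaluation; not Squid code.
# ACLs from the thread, plus the built-in "all" (matches every request).
ACLS = {
    "USER-ok": ("CN", "surname.name"),
    "USER-ko": ("CN", "ko1.ko1"),
    "all": None,
}

ORIGINAL = [("allow", "USER-ok"), ("deny", "USER-ko")]
FIXED = ORIGINAL + [("deny", "all")]
# Constructed case: an earlier allow rule placed ahead of the certificate rules.
SHADOWED = [("allow", "all")] + FIXED

# Constructed clients: subject attributes of the presented certificate, or None.
CLIENTS = {
    "ok": {"CN": "surname.name"},
    "ko": {"CN": "ko1.ko1"},
    "other": {"CN": "someone.else"},   # hypothetical third user
    "no-cert": None,                   # client chose not to present a certificate
}

def acl_matches(name, cert):
    spec = ACLS[name]
    if spec is None:                   # "all"
        return True
    attr, value = spec
    # A user_cert ACL cannot match when no certificate was presented.
    return cert is not None and cert.get(attr) == value

def http_access(rules, cert):
    """Decide one request against a non-empty, ordered rule list."""
    for action, acl in rules:
        if acl_matches(acl, cert):
            return action              # first matching rule decides
    # Nothing matched: Squid uses the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

def decisions(rules):
    return {who: http_access(rules, cert) for who, cert in CLIENTS.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED), ("shadowed", SHADOWED)):
        print(label, decisions(rules))
```

With `ORIGINAL`, the unmatched clients fall through to the implicit default; with `SHADOWED`, the earlier allow rule decides before the certificate ACLs are ever consulted.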
