Re: [squid-users] Java not working behind squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Mar 2010 22:41:35 +0000

On Wed, 17 Mar 2010 23:21:44 +0100, Thomas Klein
<mailinglist-postfixbuch_at_online.de> wrote:
> Truth Seeker wrote:
>>>>> http_access deny !AuthorizedUsers
>>>>
>>>> ... performs authentication. Which was your problem with Java...
>>>>
>>>> order is important!
>>>>
>>> So does it mean, I need to put them as the following;
>>>
>>> ### For JAVA
>>> acl Java browser Java/1.4 Java/1.5 Java/1.6
>>> acl testnet src 192.168.7.0/24
>>> acl testnet src 192.168.8.0/24
>>> http_access allow testnet Java
>>>
>>> http_access deny !AuthorizedUsers
>>>
>>>
>>
>>
>> Yes, when I modified it as above, it's working fine....
>>
>> Now another doubt. Will this solve the issues related to all the java
>> sites?
>>
>>
> Hi there,
>
> I actually also have the problem that java-applications are in no way
> able to get a working connection to the internet, but this workaround with
> the example of http://www.dailyfx.com/ doesn't work for me in any
> case....
> My test-user matches the acl "gruppe_vollzugriff" - I'm using
> 2.7.STABLE3-4.1 on Debian Lenny with squidguard 1.4. I also use NTLM
> auth against an AD.
>
> If I do it in this way:
>
> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> acl gruppe_test external wbinfo_group Proxygruppe-test
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl localnet src 172.1.0.0/19
> ...
> http_access allow localnet Java
> http_access allow gruppe_azubis erlaubte_seiten_azubis
> http_access allow gruppe_standarduser
> http_access allow gruppe_test
> http_access allow gruppe_vollzugriff
> http_access deny all
>
> I get in access.log the following:
> 1268863619.997 13 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.008 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.022 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> 1268863620.034 3 172.1.0.128 TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
>
>
> If I modify the order of the http_access line in this way:
>
> acl gruppe_standarduser external wbinfo_group Proxygruppe-Standarduser
> acl gruppe_vollzugriff external wbinfo_group Proxygruppe-Vollzugriff
> acl gruppe_azubis external wbinfo_group Proxygruppe-Azubis
> acl gruppe_test external wbinfo_group Proxygruppe-test
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl localnet src 172.1.0.0/19
> ...
> http_access allow gruppe_azubis erlaubte_seiten_azubis
> http_access allow gruppe_standarduser
> http_access allow gruppe_test
> http_access allow gruppe_vollzugriff
> http_access allow localnet Java
> http_access deny all
>
> I get the following output in the log:
> 1268864049.866 8 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.900 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.914 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.927 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.940 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.965 15 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.979 4 172.1.0.128 TCP_DENIED/407 1867 CONNECT balancer.netdania.com:443 - NONE/- text/html
> 1268864049.989 6 172.1.0.128 TCP_DENIED/407 1841 CONNECT balancer.netdania.com:443 - NONE/- text/html
>
>
> As I described, java isn't able to get a working connection to the
> internet. What's wrong in my case? I would be glad if you have a hint
> for me....

There is some form of deny line happening outside the set you showed,
which blocks the first configuration form from working. The Java auth
problem blocks the second.

Amos
Received on Wed Mar 17 2010 - 22:41:40 MDT
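
An added example, not part of the original thread and not Squid's own code: a simplified Python model of first-match http_access evaluation, applied to the two rule orders quoted above. It assumes the wbinfo_group external ACLs require a login (keyed on %LOGIN), treats ACLs not defined in the post as non-matching, ignores the lines elided by "...", and uses a constructed Java User-Agent.

```python
import ipaddress
import re

# Simplified model of Squid's first-match http_access evaluation.
LOCALNET = ipaddress.ip_network("172.1.0.0/19")
JAVA_UA = re.compile(r"Java/1.4|Java/1.5|Java/1.6")  # patterns from the post
# Assumption: the wbinfo_group external ACLs need a login (keyed on %LOGIN).
AUTH_ACLS = {"gruppe_standarduser", "gruppe_vollzugriff",
             "gruppe_azubis", "gruppe_test"}

def acl_matches(name, req):
    """True/False, or "CHALLENGE" if the ACL needs a login the request lacks."""
    if name == "all":
        return True
    if name == "localnet":
        return ipaddress.ip_address(req["src"]) in LOCALNET
    if name == "Java":
        return bool(JAVA_UA.search(req["user_agent"]))
    if name in AUTH_ACLS:
        if req.get("user") is None:
            return "CHALLENGE"
        return name in req.get("groups", ())
    return False  # ACL not defined in the post (erlaubte_seiten_azubis)

def evaluate(rules, req):
    """ACLs on a line are ANDed left to right; the first matching line decides."""
    for lineno, (action, acls) in enumerate(rules, 1):
        for acl in acls:
            result = acl_matches(acl, req)
            if result == "CHALLENGE":
                return ("407", lineno)  # proxy auth required, evaluation stops
            if not result:
                break                   # line does not match, try the next one
        else:
            return (action, lineno)
    return ("deny", None)

GROUPS = [("allow", ["gruppe_azubis", "erlaubte_seiten_azubis"]),
          ("allow", ["gruppe_standarduser"]),
          ("allow", ["gruppe_test"]),
          ("allow", ["gruppe_vollzugriff"])]
JAVA = [("allow", ["localnet", "Java"])]
FIRST_ORDER = JAVA + GROUPS + [("deny", ["all"])]
SECOND_ORDER = GROUPS + JAVA + [("deny", ["all"])]

# Constructed request: a Java client on localnet that sends no credentials.
java_req = {"src": "172.1.0.128", "user_agent": "Java/1.6.0_18", "user": None}
```

In this model `evaluate(FIRST_ORDER, java_req)` returns `("allow", 1)` and `evaluate(SECOND_ORDER, java_req)` returns `("407", 1)`, matching the TCP_DENIED/407 entries in the second log. Because the `browser` ACL matches the client-supplied User-Agent header, the Java rule exempts from authentication any localnet client that sends such a header.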
