Eugene wrote:
> Hello Chris,
>
> Friday, April 6, 2007, 11:53:15 PM, you wrote:
>
>
> CR> # Allow domain computers to perform updates w/o proxy authentication
> CR> http_access allow domain_comp files
> CR> # Allow logged in users to access anything
> CR> http_access allow domain_user
> CR> # Deny non-logged in users anything not explicitly allowed
> CR> http_access deny media # Send TCP_RESET
> CR> http_access deny files # Send TCP_RESET
> CR> http_access deny all
>
> CR> Toss the rest.
>
>
> CR> # Allow domain computers replies of octet-stream
> CR> http_reply_access allow domain_comp mime_files
> CR> # Allow logged in users anything
> CR> http_reply_access allow domain_user
> CR> # Deny non-logged in users anything not explicitly allowed
> CR> http_reply_access deny mime_files # Send TCP_RESET
> CR> http_reply_access deny mime_media # Send TCP_RESET
> CR> http_reply_access deny all
>
> CR> Toss the rest.
>
> I've tested this configuration; it does not work for me. It gives the same
> result.
>
> But if I explicitly allow http_reply_access for domain_comp before any ntlm-based acl,
> it works fine.
>
> Real-world example: domain_user on domain_comp opens google.com
> and gets access denied.
>
> http_reply_access allow domain_comp mime_files
> http_reply_access allow domain_comp #<< Here is explicit allow
> http_reply_access allow domain_user # if previous line is commented, deny happens here, but it should not!
>
That leads me to believe that the reply mime type is not
application/octet-stream, or that there is a request for a
non-application in there, throwing a wrench in the whole operation.
> http_reply_access deny mime_files
> http_reply_access deny mime_media
> http_reply_access allow all #this rule should allow access for domain_comp
>
> Thanks.
>
>
Chris
Received on Mon Apr 16 2007 - 12:51:04 MDT
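
Added example, not part of the original thread and not Squid's own code: a small first-match evaluator that traces the `http_reply_access` list quoted above for a reply whose MIME type is or is not `application/octet-stream`. The ACL definitions, the 10.0.0.x addresses and the sample replies are hypothetical (the thread never shows them), and each ACL is modelled as a plain predicate, so Squid's real handling of authentication ACLs on the reply path is not reproduced.

```python
# Added illustration: first-match evaluation of the http_reply_access lists above.
# Assumption: every ACL is a plain predicate over a constructed reply context.

def parse_rules(text):
    """Turn 'http_reply_access allow a b # note' lines into (action, [acl, ...])."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 3 and tokens[0] == "http_reply_access":
            rules.append((tokens[1], tokens[2:]))
    return rules

def evaluate(rules, acls, ctx):
    """Return (action, line_no). A line matches only if ALL its ACLs match;
    the first matching line wins. If no line matches, Squid's documented
    default is the opposite of the last line in the list."""
    for n, (action, names) in enumerate(rules, 1):
        if all(acls[name](ctx) for name in names):
            return action, n
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Hypothetical ACL definitions; the thread does not include them.
ACLS = {
    "domain_comp": lambda c: c["src"].startswith("10.0.0."),
    "domain_user": lambda c: c["user"] is not None,
    "mime_files": lambda c: c["mime"] == "application/octet-stream",
    "mime_media": lambda c: c["mime"].startswith(("audio/", "video/")),
    "all": lambda c: True,
}

CHRIS = parse_rules("""
http_reply_access allow domain_comp mime_files
http_reply_access allow domain_user
http_reply_access deny mime_files # Send TCP_RESET
http_reply_access deny mime_media # Send TCP_RESET
http_reply_access deny all
""")

# Same list with Eugene's explicit "allow domain_comp" inserted as line 2.
WITH_EXPLICIT_ALLOW = CHRIS[:1] + [("allow", ["domain_comp"])] + CHRIS[1:]

# Constructed replies to an unauthenticated domain computer.
UPDATE = {"src": "10.0.0.5", "user": None, "mime": "application/octet-stream"}
OTHER = {"src": "10.0.0.5", "user": None, "mime": "text/html"}

if __name__ == "__main__":
    for label, rules in (("original", CHRIS), ("explicit allow", WITH_EXPLICIT_ALLOW)):
        for ctx in (UPDATE, OTHER):
            print(label, ctx["mime"], evaluate(rules, ACLS, ctx))
```

Under these assumptions a non-octet-stream reply skips line 1 and is only rescued by the explicit `allow domain_comp` line.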