I'm running the version from the subject (3.2.1) with rules of this form:
external_acl_type squid_ldap ttl=300 negative_ttl=300 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b "DC=domain,DC=ru" -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://127.0.0.1 -v 3 -S -K -f "((sAMAccountName=%u)(memberOf=%g))"
acl proxy_email_access external squid_ldap CN=proxy_email_access,CN=Users,DC=domain,DC=ru
...
acl lists_mail_dom dstdomain "/etc/squid/lists/domains_mail.txt"
...
http_access deny lists_mail_dom !proxy_email_access
The same construction on another server running Squid 3.1 returns a 403, as it should.
Am I doing something wrong, or has the behaviour changed in version 3.2? If I simply do
http_access deny lists_mail_dom
From the logs:
2012/10/08 22:31:19.136 kid1| externalAclLookup: lookup in 'squid_ldap' for 'test CN=proxy_email_access,CN=Users,DC=domain,DC=ru'
2012/10/08 22:31:19.139 kid1| externalAclHandleReply: reply="ERR "
2012/10/08 22:31:19.139 kid1| external_acl_cache_add: Adding 'test CN=proxy_email_access,CN=Users,DC=domain,DC=ru' = 0
2012/10/08 22:31:19.139 kid1| aclMatchExternal: squid_ldap = 0
2012/10/08 22:31:19.139 kid1| The request GET http://mail.yandex.ru/ is 0, because it matched 'proxy_email_access'
2012/10/08 22:31:19.139 kid1| errorpage.cc(1268) BuildContent: No existing error page language negotiated for ERR_CACHE_ACCESS_DENIED. Using default error file.
2012/10/08 22:31:19.139 kid1| The reply for GET http://mail.yandex.ru/ is 1, because it matched 'proxy_email_access'
2012/10/08 22:31:19.139 kid1| HTTP Client local=10.1.0.18:3128 remote=10.1.3.226:58219 FD 10 flags=1
2012/10/08 22:31:19.139 kid1| HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
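The trace above records everything needed to see why the client got a 407 rather than a 403: the helper answered `ERR`, the deciding ACL was `proxy_email_access`, and that ACL is an external one fed `%LOGIN`, so it depends on an authenticated user. Squid's documented convention for `proxy_auth` ACLs, and what this trace shows for an external ACL using `%LOGIN`, is that when the last ACL on an `http_access deny` line is authentication-dependent and fails, the client is challenged (407) instead of refused (403). The script below is an added example, not code from the post or from the Squid project: it parses the config and cache.log lines quoted above, links the deciding ACL back to its `external_acl_type` format, and lists deny lines that end in an authentication-dependent ACL. It assumes `%LOGIN` is the only format token that makes an external ACL authentication-dependent, which is true for this config.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Configuration lines copied from the post (only what the check needs).
SQUID_CONF = """\
external_acl_type squid_ldap ttl=300 negative_ttl=300 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b "DC=domain,DC=ru" -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://127.0.0.1 -v 3 -S -K -f "((sAMAccountName=%u)(memberOf=%g))"
acl proxy_email_access external squid_ldap CN=proxy_email_access,CN=Users,DC=domain,DC=ru
acl lists_mail_dom dstdomain "/etc/squid/lists/domains_mail.txt"
http_access deny lists_mail_dom !proxy_email_access
"""

# cache.log trace of one request, copied from the post.
CACHE_LOG = """\
2012/10/08 22:31:19.136 kid1| externalAclLookup: lookup in 'squid_ldap' for 'test CN=proxy_email_access,CN=Users,DC=domain,DC=ru'
2012/10/08 22:31:19.139 kid1| externalAclHandleReply: reply="ERR "
2012/10/08 22:31:19.139 kid1| external_acl_cache_add: Adding 'test CN=proxy_email_access,CN=Users,DC=domain,DC=ru' = 0
2012/10/08 22:31:19.139 kid1| aclMatchExternal: squid_ldap = 0
2012/10/08 22:31:19.139 kid1| The request GET http://mail.yandex.ru/ is 0, because it matched 'proxy_email_access'
2012/10/08 22:31:19.139 kid1| errorpage.cc(1268) BuildContent: No existing error page language negotiated for ERR_CACHE_ACCESS_DENIED. Using default error file.
2012/10/08 22:31:19.139 kid1| The reply for GET http://mail.yandex.ru/ is 1, because it matched 'proxy_email_access'
2012/10/08 22:31:19.139 kid1| HTTP Client local=10.1.0.18:3128 remote=10.1.3.226:58219 FD 10 flags=1
2012/10/08 22:31:19.139 kid1| HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
"""

LOOKUP_RE = re.compile(r"externalAclLookup: lookup in '([^']+)' for '([^']+)'")
REPLY_RE = re.compile(r'externalAclHandleReply: reply="([^"]*)"')
DECISION_RE = re.compile(r"The (request|reply) (?:for )?(\S+) (\S+) is (\d+), because it matched '([^']+)'")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

# Assumption: %LOGIN is the only format token in this config that ties the
# external ACL to an authenticated user; extend the set if you use others.
AUTH_FORMAT_TOKENS = {"%LOGIN"}


def parse_conf(conf: str):
    """Collect external_acl_type format tokens, acl kinds and http_access rules."""
    ext_formats: Dict[str, List[str]] = {}
    acl_kind: Dict[str, Tuple[str, Optional[str]]] = {}
    rules: List[Tuple[str, List[str]]] = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "external_acl_type":
            # key=value options and %format tokens precede the helper path
            fmt = []
            for tok in parts[2:]:
                if "=" in tok and not tok.startswith("%"):
                    continue
                if not tok.startswith("%"):
                    break
                fmt.append(tok)
            ext_formats[parts[1]] = fmt
        elif parts[0] == "acl" and len(parts) >= 3:
            ext = parts[3] if parts[2] == "external" and len(parts) > 3 else None
            acl_kind[parts[1]] = (parts[2], ext)
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return ext_formats, acl_kind, rules


def requires_auth(acl: str, ext_formats, acl_kind) -> bool:
    """True for proxy_auth ACLs and for external ACLs whose format needs a logged-in user."""
    kind, ext = acl_kind.get(acl, (None, None))
    if kind == "proxy_auth":
        return True
    return kind == "external" and any(t in AUTH_FORMAT_TOKENS for t in ext_formats.get(ext, []))


def challenge_prone_rules(conf: str) -> List[str]:
    """Deny lines whose LAST acl (ignoring '!') depends on authentication: a failed
    match there makes Squid challenge with 407 instead of refusing with 403."""
    ext_formats, acl_kind, rules = parse_conf(conf)
    hits = []
    for verdict, acls in rules:
        if verdict == "deny" and acls and requires_auth(acls[-1].lstrip("!"), ext_formats, acl_kind):
            hits.append(" ".join(["http_access", verdict] + acls))
    return hits


@dataclass
class Trace:
    lookups: List[Tuple[str, str]] = field(default_factory=list)       # (external type, lookup key)
    helper_verdicts: List[str] = field(default_factory=list)           # OK / ERR / BH
    decisions: List[Tuple[str, str, str, int, str]] = field(default_factory=list)  # phase, method, url, code, acl
    status: Optional[int] = None                                       # HTTP status sent to the client


def parse_trace(log: str) -> Trace:
    t = Trace()
    for line in log.splitlines():
        if m := LOOKUP_RE.search(line):
            t.lookups.append((m[1], m[2]))
        elif m := REPLY_RE.search(line):
            t.helper_verdicts.append((m[1].split() or [""])[0])  # drop the trailing blank in 'ERR '
        elif m := DECISION_RE.search(line):
            t.decisions.append((m[1], m[2], m[3], int(m[4]), m[5]))
        elif m := STATUS_RE.match(line):
            t.status = int(m[1])
    return t


def diagnose(log: str, conf: str) -> str:
    """One-line summary: who decided, what the helper said, what the client got."""
    t = parse_trace(log)
    ext_formats, acl_kind, _ = parse_conf(conf)
    if not t.decisions:
        return "no ACL decision found in trace"
    _, method, url, _, acl = t.decisions[-1]
    summary = f"{method} {url}: decided by '{acl}', helper said {','.join(t.helper_verdicts) or 'none'}, client got {t.status}"
    if t.status == 407 and requires_auth(acl, ext_formats, acl_kind):
        summary += " (deciding ACL depends on authentication, so the failed match became a challenge, not a 403)"
    return summary


if __name__ == "__main__":
    print(diagnose(CACHE_LOG, SQUID_CONF))
    for rule in challenge_prone_rules(SQUID_CONF):
        print("challenge-prone deny line:", rule)
```

The usual way to get a hard 403 from such a line is to make sure the authentication-dependent ACL is not the last one on it, for instance by appending `all`; `challenge_prone_rules` returns nothing for that variant. Before touching the rules, it is also worth feeding `test CN=proxy_email_access,CN=Users,DC=domain,DC=ru` to `ext_ldap_group_acl` by hand on stdin with the same options, since the trace shows the helper itself answered `ERR` for that user and group.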