Hi Yutaka,

Thanks for your prompt response on Question 1. It is exactly what I was looking for.
I wish you had answered the second question also. You probably just missed it since my email was so long. Here is the question again, can you take a look at it?

---------------------------------------------------------------------
Question 2 - Ftp proxy
---------------------------------------------------------------------
# more ftp.cfg
SERVER="ftp"
REMITTABLE="ftp"
-P2021
# ============
# Section ftp
# ============
AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"
AUTHORIZER="-list{uid1:pwd1,uid2:pwd2}:ftp:ftp.sun.com:10.*.*.*"
AUTHORIZER="-list{uid3:pwd3}:ftp:ftp.freebsd.com:10.*.*.*"
AUTHORIZER="-list{uid1:pwd1}:ftp:*:10.*.*.*"

With this configuration, I could never log in to the Delegate FTP proxy with the user id "uid2" or "uid3"; the only user id allowed is "uid1" with password "pwd1". This seems to be a bug in version 9.8.2-pre47.

Also, is there a way to give access to a certain destination without any authentication on the FTP proxy? This is what I was trying to accomplish with the line:

AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"

But I do not see a way to initiate the connection to the FTP proxy without being prompted for a user and password.
----------------------------------------------------------------------

Thanks in advance,
Jean Aumont

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org]
Sent: Friday, July 25, 2008 4:01 PM
To: feedback@delegate.org
Cc: Stéphane Anglaret; Jean Aumont
Subject: Re: [DeleGate-En] Testing the HTTP/HTTPS and FTP Delegate proxy

Hi,

In message <_A4015@delegate-en.ML_> on 07/26/08(03:02:35)
you "Jean Aumont" <pvahqbdyi-5bnwhwhscmlr.ml@ml.delegate.org> wrote:
|---------------------------------------------------------------------
|Question 1 - Http(s) proxy
|---------------------------------------------------------------------
|# more http.cfg
|SERVER="http"
|REMITTABLE="http,https"
|-P8080
|# ============
|# Section http
|# ============
|AUTHORIZER="-none:http:www.sea-doo.com*:10.*.*.*"
|AUTHORIZER="-list{uid1:pwd1,uid2:pwd2}:http:www.google.com:10.*.*.*"
|AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:http:www.yahoo.com:10.*.*.*"
|AUTHORIZER="-list{uid1:pwd1}:http:*:10.*.*.*"
|# =============
|# Section https
|# =============
|AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:https:www.google.com:10.*.*.*"
|AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:https:www.yahoo.com:10.*.*.*"
|AUTHORIZER="-list{uid1:pwd1}:https:*:10.*.*.*"
|# ===============
|# Deny All Others
|# ===============
|AUTHORIZER="-never"
|
|From my testing using the http(s) config, I discovered that the
|delegate proxy evaluates the rules as follows:
|
|1) look for the service (http or https)
|2) then look for an address that match the requested ip or url
|3) and if the user is allowed

Firstly, DeleGate selects one AUTHORIZER based on the set of destination protocol, the destination server and the client of the current session. Then the AUTHORIZER is applied to authenticate (and authorize) the user.
|This is why I am forced to repeat that "uid1:pwd1" on the line
|that gives access to www.google.com and www.yahoo.com even if
|the line AUTHORIZER="-list{uid1:pwd1}:http:*:10.*.*.*"
|should give access to everywhere on the www to "uid1"
|
|Am I right about this ???

In such a case, you can use AUTHORIZER just to authenticate users, and authorize them using PERMIT parameters as follows:

  AUTHORIZER="-none:http:www.sea-*"
  AUTHORIZER="-list{u1:p1,u2:p2,u3:p3}:http,https:*"
  PERMIT="http:www.sea-*:10.*"
  PERMIT="http,https:*:-a/u1@*"
  PERMIT="http,https:www.yahoo.com:-a/u2@*"
  PERMIT="http,https:www.google.com:-a/u3@*"

|Thanks for the great effort of developing the "Delegate" proxy.

It's "DeleGate" :)

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
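
A small model of the selection behaviour described in the reply above (one AUTHORIZER is chosen by protocol, destination and client, and only that rule's user list is consulted), added here as an illustration and not DeleGate's own code. First-match ordering, glob matching via `fnmatch`, defaulting omitted fields to `*`, and the function names are assumptions; the rule set is constructed from the thread's http.cfg with uid1 removed from the www.google.com line.

```python
from fnmatch import fnmatchcase

# Constructed rules, following the thread's "auth:protocols:dest:client" layout.
RULES = [
    "-none:http:www.sea-doo.com*:10.*.*.*",
    "-list{uid2:pwd2}:http:www.google.com:10.*.*.*",
    "-list{uid1:pwd1,uid3:pwd3}:http:www.yahoo.com:10.*.*.*",
    "-list{uid1:pwd1}:http:*:10.*.*.*",
    "-never",
]

def parse(rule):
    """Split a rule into (auth, protocols, dest_glob, client_glob)."""
    if rule.startswith("-list{"):
        body, _, rest = rule[len("-list{"):].partition("}")
        auth = dict(pair.split(":", 1) for pair in body.split(","))
    else:
        auth, _, rest = rule.partition(":")
    fields = [f for f in rest.lstrip(":").split(":") if f]
    # Assumption: an omitted field matches anything.
    protos, dest, client = (fields + ["*"] * 3)[:3]
    return auth, protos.split(","), dest, client

def select(rules, proto, dest, client):
    """Stage 1: pick ONE rule from (protocol, destination, client) only."""
    for rule in rules:  # assumption: first match in file order wins
        auth, protos, dglob, cglob = parse(rule)
        if (any(fnmatchcase(proto, p) for p in protos)
                and fnmatchcase(dest, dglob)
                and fnmatchcase(client, cglob)):
            return auth
    return "-never"

def check(rules, proto, dest, client, user=None, password=None):
    """Stage 2: authenticate against the selected rule and no other."""
    auth = select(rules, proto, dest, client)
    if auth == "-none":
        return True
    if auth == "-never":
        return False
    return user in auth and auth[user] == password

if __name__ == "__main__":
    # uid1 is in the catch-all list, but the google rule is selected first.
    print(check(RULES, "http", "www.google.com", "10.1.2.3", "uid1", "pwd1"))
    print(check(RULES, "http", "www.example.org", "10.1.2.3", "uid1", "pwd1"))
```

Because the user name plays no part in stage 1, a broader rule lower in the list never rescues a user missing from the more specific rule, which is why the reply separates authentication (AUTHORIZER) from per-user authorization (PERMIT).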