Re: [squid-users] more following quests

From: Joe Cooper <[email protected]>
Date: Thu, 04 Apr 2002 12:00:16 -0600

Aman Raheja wrote:
>>> 2> Also let me know what is the use of acls menntioning safe ports in
>>> the squid.conf ?
>>
>>
>> They are simply the ports that Squid will allow clients to connect to.
>> Nothing complicated about it, really. Squid has ACLs for everything.
>> ;-)
>
>
> When you say these are the ports Squid will allow the clients to connect
> to.
> Why would an HTTP server want to allow connection to FTP port or any
> other well known port, listed in Safe_ports?
> Moreover what would happen if a web-site on the other end is not using
> port 80 or even any of the Safe_ports listed but some random port xxxx?

Two reasons:

1. Squid can gateway from HTTP to other protocols, including FTP, Gopher
and WAIS. This does not make Squid an FTP proxy, but it does mean the
Squid needs to be able to support ACLs limiting access to those ports.

2. HTTP does not have to happen on port 80. HTTP can operate on /any/
port. However, opening Squid up to accept connections for any port can
be a potential security problem. It is possible, for example, to use
Squid to mask the source of email for use in sending spam. By default,
this is disallowed by the ACLs (port 25 is not allowed for the CONNECT
method).

As for your second question (what happens with sites that are not in
Safe_ports)...the answer is the obvious one. If a website is using a
port not in Safe_ports, then Squid will not allow that site to be
visited and would serve an error.

-- 
Joe Cooper <joe@swelltech.com>
http://www.swelltech.com
Web Caching Appliances and Support
Received on Thu Apr 04 2002 - 11:02:49 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:21 MST