RE: [squid-users] ACL and localhost problems

From: Simon Bryan <[email protected]>
Date: Fri, 9 Aug 2002 16:46:24 +1000

> These are the relevant pasrts of my conf file and it works as you
> want, only allows access to Squid from localhost (DG)
> Note that I am using smb proxy authentication hence the password
> lines howeve http_access deny !localhost should work. I don't
> like the straight 'allow localhost' as this does not generate a
> match and allows acl processing to continue, by using the
> !localhost you match and are denied straight away if coming from
> another system.
>
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl cachemanager src 10.192.0.15
> acl SSL_ports port 443 563 4545
> acl Safe_ports port 21 70 80 81 82 88 210 443 563 1010 4545 1082
> 1025-65535
> acl CONNECT method CONNECT
> acl FTPDownloads proto ftp
> acl PUT method PUT
>
>
>
> http_access deny FTPDownloads PUT
> http_access allow manager localhost
> http_access allow manager cachemanager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny manager
> http_access allow local_servers
> http_access deny !localhost password
> http_access allow olmcwarnings
> http_access allow masters
> http_access deny FTPDownloads
> http_access allow all
> http_access deny all
>
>
> > -----Original Message-----
> > From: Calvin Smith [mailto:calvins@csts.org]
> > Sent: Friday, 9 August 2002 1:46 PM
> > To: squid-users@squid-cache.org
> > Subject: Re: [squid-users] ACL and localhost problems
> >
> >
> > In this test I do not want to allow for the local network. I am
> > using a web
> > content filter (Dansguardian) to listen on port 8080 and then
> > direct to 3128
> > of squid. I do not want users to be able to connect directly to
> > squid. The
> > web content filter is on the same system and it was my thought
> > that it would
> > use localhost. The howto's on Dansguardian speak of this and
> even some of
> > the archives from this list seem to point that way. As I said in the
> > example below, although I may not have worded it correctly, if I
> > change the
> > line reading "http_access allow localhost" to "http_access allow all"
> > everyone can get to and use the proxy. This is allowed by "acl all src
> > 0.0.0.0/0.0.0.0 unless I am mistaken.
> >
> > I hope that this makes more sense.
> >
> > snip ...
> > .
> > .
> > >There does not seem to be an allow for your local network
> >
> > >eg
> >
> > >acl localnet 192.168.0.0/24
> > >http_access allow localnet
> >
> > >Without this you follow the final rule which is deny all
> >
> > snip...
> > .
> >
> > > >I have searched the list archives and can not find out why my setup
> > doesn't
> > > >seem to work. The problem I am having is I am denied access
> when I use
> > the
> > > >following squid.conf:
> >
> > > >acl all src 0.0.0.0/0.0.0.0
> > > >acl manager proto cache_object
> > > >acl localhost src 127.0.0.1/255.255.255.255
> > > >acl SSL_ports port 443 563
> > > >acl Safe_ports port 80 # http
> > > >acl Safe_ports port 21 # ftp
> > > >acl Safe_ports port 443 563 #
> https, snews
> > > >acl Safe_ports port 70 # gopher
> > > >acl Safe_ports port 210 # wais
> > > >acl Safe_ports port 1025-65535 #
> unregistered
> > ports
> > > >acl Safe_ports port 280
> # http-mgmt
> > > >acl Safe_ports port 488
> # gss-http
> > > >acl Safe_ports port 591
> # filemaker
> > > >acl Safe_ports port 777 #
> multiling
> > http
> > > >acl CONNECT method CONNECT
> > > >#
> > > ># Only allow cachemgr access from localhost
> > > >http_access allow manager localhost
> > > >http_access deny manager
> > > ># Deny requests to unknown ports
> > > >http_access deny !Safe_ports
> > > ># Deny CONNECT to other than SSL ports
> > > >http_access deny CONNECT !SSL_ports
> > > >#
> > > >http_access allow localhost
> > > >#
> > > >http_access deny all
> >
> >
> > > >If I remove the localhost and allow all or if I add
> authentication and
> > only
> > > >allow authenticated users everything works OK.
> > > >I am running this on FreeBSD 4.4 and squid 2.4. I think I must be
> > missing
> > > >something simple and so maybe another set of eyes will see it.
> >
> > > >Thanks
> >
> >
Received on Fri Aug 09 2002 - 00:45:45 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:34 MST