Re: [squid-users] misconfigured proxy

From: Henrik Nordstrom <[email protected]>
Date: 21 May 2003 17:04:15 +0200

On Wed 2003-05-21 at 13:57, Chrispen Chisvo wrote:

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563 1214
> acl Safe_ports port 80 21 443 563 70 210 1025-65535 is this safe to keep?
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl mynet src 10.100.1.0/24 10.100.2.0/24 10.100.3.0/24 10.100.4.0/24
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow mynet
> http_access deny all
>
> but I still get machines not on my IP browsing through my proxy
>
> What can I do to secure my proxy?

From what I can tell the above configuration looks correct.

Make sure there are no other http_access rules before this, and that your
Squid is really running with this configuration. (try restarting Squid
if not sure).

Also, what is logged in access.log for these other IP addresses? If
TCP_DENY then the access rules do work...

The "acl all src 0.0.0.0/0.0.0.0" matches every request by matching any
source IP address (netmask 0.0.0.0 or /0, which masks away the whole IP
address).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before
asking Squid questions, and use the squid-users mailing-list when no
answer can be found. Private support questions are only answered
for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [email protected]
Received on Wed May 21 2003 - 09:04:35 MDT
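
The first-match behaviour behind the advice above, as an added example that is not part of the original message: a small Python model of how http_access rules are checked in order against src ACLs. It assumes only src ACLs matter for an ordinary request (the manager, port and CONNECT rules are left out), and the client addresses and the stray "http_access allow all" line are constructed for illustration.

```python
import ipaddress

# src-only subset of the posted configuration
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mynet src 10.100.1.0/24 10.100.2.0/24 10.100.3.0/24 10.100.4.0/24
http_access allow mynet
http_access deny all
"""
# Constructed variant: an earlier rule that lets every source in
STRAY = POSTED.replace("http_access allow mynet",
                       "http_access allow all\nhttp_access allow mynet")

def parse(conf):
    """Return ({acl_name: [networks]}, [(action, [acl_names])]) for src ACLs."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            # ip_network accepts both /24 and /255.255.255.0 style masks
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, ip):
    """An ACL matches if any of its networks contains ip; '!' negates."""
    negate = name.startswith("!")
    hit = any(ip in net for net in acls[name.lstrip("!")])
    return hit != negate

def decide(conf, client):
    """Return (action, rule) for the first http_access line matching client."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for action, names in rules:
        # every ACL named on the line must match for the rule to apply
        if all(acl_matches(acls, n, ip) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: Squid applies the opposite of the last rule.
    last = rules[-1][0] if rules else "allow"
    return ("deny" if last == "allow" else "allow"), "default"

if __name__ == "__main__":
    for conf in (POSTED, STRAY):
        for client in ("10.100.2.7", "192.0.2.10"):
            print(client, decide(conf, client))
```

With the posted rules the outside address falls through to "http_access deny all"; with the stray earlier rule it is allowed before "allow mynet" is ever reached.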
