Re: [squid-users] securise squid

From: Henrik Nordstrom <[email protected]>
Date: Wed, 16 Mar 2005 11:58:16 +0100 (CET)

On Wed, 16 Mar 2005, deny1 wrote:

> #Recommended minimum configuration:
> acl localdomain src 192.168.0.0/255.255.255.0
>
> acl eth0 src 192.168.0.0/255.255.255.0

These two looks redundant to me.

> acl users proxy_auth REQUIRED
>
> http_access allow eth0 users

This should be moved last in your http_access rules.

The list of http_access rules is important as they are evaluated in the
order listed. By you having this rule first

> # Only allow cachemgr access from localhost
> http_access allow manager localdomain

Why have you changed this to localdomain? (was localhost)

> http_access allow localdomain

And this should be removed I think. Redundant with the eth0 rule above..
and should also be last (if not removed)

> # Deny requests to unknown ports
> http_access deny manager
> # Deny CONNECT to other than SSL ports
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access deny to_localhost

here is where your custom rules should be.

and you should finish with a

http_access deny all

as in the squid.conf shipped with Squid.

Regards
Henrik
Received on Wed Mar 16 2005 - 03:58:18 MST

This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST