Re: [squid-users] ACLs when using accelerator mode ?

From: Maarten J H van den Berg <maarten@dont-contact.us>
Date: Tue, 11 Jun 2002 19:30:08 +0200

On Tuesday 11 June 2002 18:23, you wrote:
> Maarten J H van den Berg wrote:
> > Hi List,
> >
> > I configured squid as accelerator, so in order to give anyone access
> > to the server that's being accelerated, I'd have to make an ACL
> > http_access allow all
> > ... cause otherwise no traffic gets through. Right ?
>
> You need to do access controls, but you should not give full rights to
> everyone.

Okay... But I run an internal server, through squid in accelerator mode
to an internet-address, that indeed _must_ be accessible to the world.

internal server 10.0.0.9
squid box 194.xx.xx.100 and 10.0.0.4

From squid.conf:
httpd_accel_host 10.0.0.9
httpd_accel_port 80
httpd_accel_with_proxy off

> > Does this not leave any (obscure or not) backdoors through which
> > squid can be used as a (thus OPEN!) proxy, despite being an
> > accelerator ?
>
> In most cases the above will cause an open proxy.

Mmmm... Thanks. Noted.

> > How would one make a secure ACL list when the two functions are used
> > together (accelerator+proxy) ? Not that I need or want to, but...
>
> By making proper access lists, listing who is allowed to access what.
>
>
> I.e. something like the following:
>
> acl to_myservers dst ip.of.accelerated.servers ...
> acl from_mynetworks src local.client.networks...

Thus, that becomes, for my case:
acl myhost dst 10.0.0.9/255.255.255.255
acl all src 0.0.0.0/0.0.0.0

> acl http protocol HTTP
> acl port_80 port 80
>
> http_access allow http port_80 to_myservers
> http_access allow from_mynetworks

...which translates to:
http_access allow http port_80 myhost
http_access allow all

That last line would still kill me, wouldn't it ?
Or can I make a statement something like

http_access allow src all dst myhost ?

Is that syntax even legal ?

Maarten

-- 
Maarten J. H. van den Berg   ~~//~~   network administrator
VBVB  -  Amsterdam  -  The Netherlands  -  http://vbvb.nl  
T +31204233288   F +31204233286   G +31651994273
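As an added illustration, not code from Squid or from this thread: a small Python model of how Squid evaluates `http_access` lines (in order, first matching line wins, every ACL on a line must match, and a request matching no line gets the opposite of the last line's action), applied to the rule set quoted above and to the same rules with `deny all` as the final line. The client and destination addresses 203.0.113.7 and 198.51.100.5 are constructed sample values.

```python
# Model of Squid's http_access evaluation, written for this example.
# Assumptions (Squid's documented behaviour): first matching line wins,
# all ACLs on one line are ANDed, and if no line matches the result is
# the opposite of the last line's action.
from dataclasses import dataclass


@dataclass
class Request:
    src: str            # client address
    dst: str            # destination host
    port: int
    proto: str = "HTTP"


# ACL definitions from the message, as name -> predicate
ACLS = {
    "myhost": lambda r: r.dst == "10.0.0.9",    # acl myhost dst 10.0.0.9/255.255.255.255
    "all": lambda r: True,                       # acl all src 0.0.0.0/0.0.0.0
    "http": lambda r: r.proto == "HTTP",         # acl http protocol HTTP
    "port_80": lambda r: r.port == 80,           # acl port_80 port 80
}


def http_access(rules, req):
    """rules: list of (action, [acl names]) in squid.conf order."""
    for action, acl_names in rules:
        if all(ACLS[name](req) for name in acl_names):
            return action
    # nothing matched: opposite of the last line's action
    last_action = rules[-1][0] if rules else "deny"
    return "deny" if last_action == "allow" else "allow"


# Rule set as written in the message: the trailing 'allow all' lets
# any client reach any destination, i.e. an open proxy.
OPEN = [("allow", ["http", "port_80", "myhost"]), ("allow", ["all"])]
# Same first line, but closed off: the world reaches the accelerated
# host only, everything else is denied.
HARDENED = [("allow", ["http", "port_80", "myhost"]), ("deny", ["all"])]

# Constructed sample requests from an arbitrary Internet client
TO_ORIGIN = Request(src="203.0.113.7", dst="10.0.0.9", port=80)
TO_ELSEWHERE = Request(src="203.0.113.7", dst="198.51.100.5", port=80)

if __name__ == "__main__":
    for name, rules in (("open", OPEN), ("hardened", HARDENED)):
        print(name, http_access(rules, TO_ORIGIN), http_access(rules, TO_ELSEWHERE))
```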
Received on Tue Jun 11 2002 - 11:08:43 MDT