Re: [squid-users] ACL and localhost problems

From: Calvin Smith <calvins@dont-contact.us>
Date: Thu, 8 Aug 2002 20:46:11 -0700

In this test I do not want to allow for the local network. I am using a web
content filter (Dansguardian) to listen on port 8080 and then direct to 3128
of squid. I do not want users to be able to connect directly to squid. The
web content filter is on the same system and it was my thought that it would
use localhost. The howto's on Dansguardian speak of this and even some of
the archives from this list seem to point that way. As I said in the
example below, although I may not have worded it correctly, if I change the
line reading "http_access allow localhost" to "http_access allow all"
everyone can get to and use the proxy. This is allowed by "acl all src
0.0.0.0/0.0.0.0" unless I am mistaken.

I hope that this makes more sense.

snip ...
>There does not seem to be an allow for your local network

>eg

>acl localnet src 192.168.0.0/24
>http_access allow localnet

>Without this you follow the final rule which is deny all

snip...

> >I have searched the list archives and can not find out why my setup doesn't
> >seem to work. The problem I am having is I am denied access when I use the
> >following squid.conf:

> >acl all src 0.0.0.0/0.0.0.0
> >acl manager proto cache_object
> >acl localhost src 127.0.0.1/255.255.255.255
> >acl SSL_ports port 443 563
> >acl Safe_ports port 80 # http
> >acl Safe_ports port 21 # ftp
> >acl Safe_ports port 443 563 # https, snews
> >acl Safe_ports port 70 # gopher
> >acl Safe_ports port 210 # wais
> >acl Safe_ports port 1025-65535 # unregistered ports
> >acl Safe_ports port 280 # http-mgmt
> >acl Safe_ports port 488 # gss-http
> >acl Safe_ports port 591 # filemaker
> >acl Safe_ports port 777 # multiling http
> >acl CONNECT method CONNECT
> >#
> ># Only allow cachemgr access from localhost
> >http_access allow manager localhost
> >http_access deny manager
> ># Deny requests to unknown ports
> >http_access deny !Safe_ports
> ># Deny CONNECT to other than SSL ports
> >http_access deny CONNECT !SSL_ports
> >#
> >http_access allow localhost
> >#
> >http_access deny all

> >If I remove the localhost and allow all or if I add authentication and only
> >allow authenticated users everything works OK.
> >I am running this on FreeBSD 4.4 and squid 2.4. I think I must be missing
> >something simple and so maybe another set of eyes will see it.

> >Thanks
Received on Thu Aug 08 2002 - 21:45:48 MDT
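Added example, not part of this thread: a small Python model of how Squid walks the posted http_access list, useful for checking a ruleset against sample requests before touching the proxy. It assumes the ACLs exactly as quoted above (plus the localnet ACL from the quoted reply) and Squid's first-match semantics; the request records are constructed. It shows that only a source address of exactly 127.0.0.1 reaches the "allow localhost" line, so the content filter's connections to port 3128 must really originate from the loopback address for that rule to match.

```python
import ipaddress

# Constructed model of the posted squid.conf ACLs (mask 255.255.255.255 written as /32).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "localnet": ("src", ["192.168.0.0/24"]),   # the ACL suggested in the quoted reply
    "manager": ("proto", ["cache_object"]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
}

# The http_access lines from the post, in order; a leading "!" negates an ACL.
RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def request(src, port=80, method="GET", proto="http"):
    # A request as Squid sees it: source IP, destination port, method, URL scheme.
    return {"src": src, "port": port, "method": method, "proto": proto}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req[kind] in values          # method or proto: exact match

def http_access(rules, req):
    """Top-down: every ACL on a line must match (AND); the first matching line
    decides. If no line matches, the result is the opposite of the last action."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Variant with the quoted reply's fix: allow the LAN before the final deny.
RULES_WITH_LOCALNET = RULES[:5] + [("allow", ["localnet"])] + RULES[5:]

if __name__ == "__main__":
    print(http_access(RULES, request("127.0.0.1")))        # allow: filter talking over loopback
    print(http_access(RULES, request("192.168.0.10")))     # deny: LAN client going straight to 3128
```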

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:34 MST