Re: [squid-users] ACL and localhost problems

From: Calvin Smith <calvins@dont-contact.us>
Date: Sat, 10 Aug 2002 10:48:19 -0700

I have found the problem. The original settings would work just fine. The
problem was in my content filter. I had specified the ip address of the
system that the content filter would use and I should have entered localhost
or 127.0.0.1. Thank you for all the responses.

----- Original Message -----
From: "Simon Bryan" <sbryan@olmc.nsw.edu.au>
To: "Squid-Users" <squid-users@squid-cache.org>
Sent: Thursday, August 08, 2002 11:46 PM
Subject: RE: [squid-users] ACL and localhost problems

> > These are the relevant pasrts of my conf file and it works as you
> > want, only allows access to Squid from localhost (DG)
> > Note that I am using smb proxy authentication hence the password
> > lines howeve http_access deny !localhost should work. I don't
> > like the straight 'allow localhost' as this does not generate a
> > match and allows acl processing to continue, by using the
> > !localhost you match and are denied straight away if coming from
> > another system.
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl cachemanager src 10.192.0.15
> > acl SSL_ports port 443 563 4545
> > acl Safe_ports port 21 70 80 81 82 88 210 443 563 1010 4545 1082
> > 1025-65535
> > acl CONNECT method CONNECT
> > acl FTPDownloads proto ftp
> > acl PUT method PUT
> >
> >
> >
> > http_access deny FTPDownloads PUT
> > http_access allow manager localhost
> > http_access allow manager cachemanager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny manager
> > http_access allow local_servers
> > http_access deny !localhost password
> > http_access allow olmcwarnings
> > http_access allow masters
> > http_access deny FTPDownloads
> > http_access allow all
> > http_access deny all
> >
> >
> > > -----Original Message-----
> > > From: Calvin Smith [mailto:calvins@csts.org]
> > > Sent: Friday, 9 August 2002 1:46 PM
> > > To: squid-users@squid-cache.org
> > > Subject: Re: [squid-users] ACL and localhost problems
> > >
> > >
> > > In this test I do not want to allow for the local network. I am
> > > using a web
> > > content filter (Dansguardian) to listen on port 8080 and then
> > > direct to 3128
> > > of squid. I do not want users to be able to connect directly to
> > > squid. The
> > > web content filter is on the same system and it was my thought
> > > that it would
> > > use localhost. The howto's on Dansguardian speak of this and
> > even some of
> > > the archives from this list seem to point that way. As I said in the
> > > example below, although I may not have worded it correctly, if I
> > > change the
> > > line reading "http_access allow localhost" to "http_access allow all"
> > > everyone can get to and use the proxy. This is allowed by "acl all
src
> > > 0.0.0.0/0.0.0.0 unless I am mistaken.
> > >
> > > I hope that this makes more sense.
> > >
> > > snip ...
> > > .
> > > .
> > > >There does not seem to be an allow for your local network
> > >
> > > >eg
> > >
> > > >acl localnet 192.168.0.0/24
> > > >http_access allow localnet
> > >
> > > >Without this you follow the final rule which is deny all
> > >
> > > snip...
> > > .
> > >
> > > > >I have searched the list archives and can not find out why my setup
> > > doesn't
> > > > >seem to work. The problem I am having is I am denied access
> > when I use
> > > the
> > > > >following squid.conf:
> > >
> > > > >acl all src 0.0.0.0/0.0.0.0
> > > > >acl manager proto cache_object
> > > > >acl localhost src 127.0.0.1/255.255.255.255
> > > > >acl SSL_ports port 443 563
> > > > >acl Safe_ports port 80 # http
> > > > >acl Safe_ports port 21 # ftp
> > > > >acl Safe_ports port 443 563 #
> > https, snews
> > > > >acl Safe_ports port 70 # gopher
> > > > >acl Safe_ports port 210 # wais
> > > > >acl Safe_ports port 1025-65535 #
> > unregistered
> > > ports
> > > > >acl Safe_ports port 280
> > # http-mgmt
> > > > >acl Safe_ports port 488
> > # gss-http
> > > > >acl Safe_ports port 591
> > # filemaker
> > > > >acl Safe_ports port 777 #
> > multiling
> > > http
> > > > >acl CONNECT method CONNECT
> > > > >#
> > > > ># Only allow cachemgr access from localhost
> > > > >http_access allow manager localhost
> > > > >http_access deny manager
> > > > ># Deny requests to unknown ports
> > > > >http_access deny !Safe_ports
> > > > ># Deny CONNECT to other than SSL ports
> > > > >http_access deny CONNECT !SSL_ports
> > > > >#
> > > > >http_access allow localhost
> > > > >#
> > > > >http_access deny all
> > >
> > >
> > > > >If I remove the localhost and allow all or if I add
> > authentication and
> > > only
> > > > >allow authenticated users everything works OK.
> > > > >I am running this on FreeBSD 4.4 and squid 2.4. I think I must be
> > > missing
> > > > >something simple and so maybe another set of eyes will see it.
> > >
> > > > >Thanks
> > >
> > >
>
Received on Sat Aug 10 2002 - 11:48:02 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:35 MST