Re: [squid-users] Odd Logs

From: Joe Cooper <joe@dont-contact.us>
Date: Tue, 29 Oct 2002 20:26:28 -0600

AJ Lemke wrote:

> Thanks for the response Joe.
>
> Since I am running in Acceleration Mode will a ACL like this work?
>
> # Access control List
> acl localhost src 127.0.0.1
> acl purge method PURGE
> acl manager proto cache_object
> acl all src 0.0.0.0/0.0.0.0
> acl accelerated_servers dst ***IP LIST GOES HERE***
> acl SSL_Ports port 443 563
> acl SMTP_Ports port 25
> acl CONNECT method CONNECT
>
>
> # Access Area
> http_access deny CONNECT SSL_Ports
> http_access deny CONNECT SMTP_Ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access allow all
> http_access allow accelerated_servers

Umm..Shouldn't that be:

http_access deny CONNECT all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow accelerated_servers
http_access deny all

??

In the above, you've implicitly allowed CONNECT requests to everything
except SSL_Ports (which there is no harm in doing for a normal
proxy...that's what CONNECT is for!), and SMTP_Ports. If you don't need
them, just disallow them all.

You've also allowed all users to browse anywhere by placing the
'http_access allow all' in there. If you don't have other means of
protecting your server, you likely have an open proxy because of that
rule. Converting it to a deny, along with moving the allow
accelerated_servers up one fixes that.

ACLs are interpreted in the order they appear, and the first match
always wins--no more checks happen after the first match. If you 'allow
all', then everything after it will never be reached. Likewise, if you
only prevent CONNECTs to a few ports, that last allow all would permit
CONNECTs to every other port that you didn't specify.

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com
Received on Tue Oct 29 2002 - 19:26:30 MST
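The first-match rule Joe describes is easy to see by simulating it. The following is an added example, not code from the original thread or from the Squid project: a small Python model of Squid's top-to-bottom http_access evaluation, run against both rule orders quoted above with a handful of constructed requests. The accelerated server addresses (the original message elides them as "***IP LIST GOES HERE***") and the source addresses are constructed RFC 5737 documentation addresses. Squid's behaviour when no line matches (the opposite of the last line's action) is modelled as well.

```python
"""Model of Squid http_access first-match evaluation (added example, not
from the original thread). Compares the original rule order from the thread
with the corrected order on constructed sample requests."""

from dataclasses import dataclass

# Placeholder for the elided "***IP LIST GOES HERE***" (constructed values).
ACCELERATED_SERVERS = {"192.0.2.10", "192.0.2.11"}


@dataclass
class Request:
    src: str
    dst: str
    port: int
    method: str = "GET"
    proto: str = "http"


# ACL definitions mirroring the ones quoted in the thread.
ACLS = {
    "localhost": lambda r: r.src == "127.0.0.1",
    "purge": lambda r: r.method == "PURGE",
    "manager": lambda r: r.proto == "cache_object",
    "all": lambda r: True,
    "accelerated_servers": lambda r: r.dst in ACCELERATED_SERVERS,
    "SSL_Ports": lambda r: r.port in (443, 563),
    "SMTP_Ports": lambda r: r.port == 25,
    "CONNECT": lambda r: r.method == "CONNECT",
}

# The order AJ Lemke posted: 'allow all' comes before 'allow accelerated_servers'.
ORIGINAL_RULES = [
    ("deny", "CONNECT", "SSL_Ports"),
    ("deny", "CONNECT", "SMTP_Ports"),
    ("allow", "manager", "localhost"),
    ("deny", "manager"),
    ("allow", "purge", "localhost"),
    ("deny", "purge"),
    ("allow", "all"),
    ("allow", "accelerated_servers"),
]

# The order Joe Cooper suggested: deny CONNECT outright, allow only the
# accelerated servers, then deny everything else.
CORRECTED_RULES = [
    ("deny", "CONNECT", "all"),
    ("allow", "manager", "localhost"),
    ("deny", "manager"),
    ("allow", "purge", "localhost"),
    ("deny", "purge"),
    ("allow", "accelerated_servers"),
    ("deny", "all"),
]


def evaluate(rules, req):
    """Walk the http_access lines top to bottom. A line matches only when
    every ACL named on it matches (they are ANDed); the first matching line
    decides and nothing after it is consulted. If no line matches, Squid
    applies the opposite of the last line's action."""
    for action, *acl_names in rules:
        if all(ACLS[name](req) for name in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample traffic: one legitimate accelerator hit, then the
# kinds of request an exposed accelerator should refuse.
SAMPLE_REQUESTS = {
    "hit_to_accelerated_server": Request("203.0.113.5", "192.0.2.10", 80),
    "open_proxy_to_third_party": Request("203.0.113.5", "198.51.100.7", 80),
    "connect_to_odd_port": Request("203.0.113.5", "198.51.100.7", 8080, method="CONNECT"),
    "connect_to_https": Request("203.0.113.5", "198.51.100.7", 443, method="CONNECT"),
    "purge_from_remote": Request("203.0.113.5", "192.0.2.10", 80, method="PURGE"),
    "manager_from_localhost": Request("127.0.0.1", "192.0.2.10", 3128, proto="cache_object"),
}


def decisions(rules):
    """Return {request name: 'allow' | 'deny'} for the sample requests."""
    return {name: evaluate(rules, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(label)
        for name, verdict in decisions(rules).items():
            print(f"  {name:28s} {verdict}")
```

Running it shows the two problems from the reply: under the original order, the request to a third-party host and the CONNECT to port 8080 are both allowed because 'allow all' is reached first, while under the corrected order only the hit on an accelerated server (and the local manager request) gets through. The 'deny CONNECT all' line is appropriate for an accelerator, which never needs to tunnel on clients' behalf; a forward proxy would keep CONNECT for the SSL ports instead.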
