Re: [squid-users] TCP_Denied

From: Raymond Norton <admin@dont-contact.us>
Date: Fri, 12 Sep 2003 23:43:15 -0500

>
> > http_access allow !Safe_ports
> > # http_access allow CONNECT !SSL_ports
>
> Make these two lines:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> This will keep your Squid box from being exploited to do all sorts of nasty
> things (including spamming).
>
> > acl Safe_ports port 800 # Squids port (for icons)
>

I forgot all the changes I had made because of this problem. I have changed
things back to the original config, including your recommendations. Here is
my present config and a tail of /var/log/squid/access.log. I still get
denied??

1063427751.743 1420 172.21.0.1 TCP_MISS/200 3877 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.767 1032 172.21.0.1 TCP_MISS/200 1016 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.779 423 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427751.835 473 172.21.0.1 TCP_MISS/200 4648 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427753.229 1 172.21.0.1 TCP_DENIED/407 1457 GET

1063427756.930 5189 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427759.800 8033 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427760.640 8847 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427771.335 1 172.21.0.1 TCP_DENIED/407 1463 GET

1063427771.389 1 172.21.0.1 TCP_DENIED/407 1442

1063427777.160 25362 172.21.0.1 TCP_MISS/200 369 CONNECT map.nwea.org:443
admin DIRECT/66.45.48.119 -

1063427779.746 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 -
NONE/- -

<squid.conf>

# squid.conf as posted to the list. Squid evaluates http_access rules top to
# bottom and stops at the first matching rule, so the order of the
# http_access block below is what decides who gets through the proxy.
shutdown_lifetime 5 seconds

# No ICP peering: disables the inter-cache protocol listener.
icp_port 0

# Proxy listens only on the internal interface address, port 800.
http_port 172.21.0.1:800

# Treat cgi-bin paths and URLs carrying a query string as dynamic content...
acl QUERY urlpath_regex cgi-bin \?

# ...and never cache them.
no_cache deny QUERY

# Drop privileges to the squid user/group after start-up.
cache_effective_user squid

cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /var/log/squid/store.log

# Request/reply headers are not written to access.log (keeps credentials and
# cookies out of the log file).
log_mime_hdrs off

# Do not advertise the client's internal address in X-Forwarded-For.
forwarded_for off

# Basic (NCSA) proxy authentication against a flat htpasswd file. Basic
# credentials travel base64-encoded, not encrypted, in the Proxy-Authorization
# header, so this only protects the proxy if the client-to-proxy path is
# trusted; the htpasswd file itself should be readable by the squid user only.
authenticate_program /usr/lib/squid/ncsa_auth /home/.htpasswd

# Matches any request that carries valid credentials. A request without
# credentials does not match; when the allow rule below is reached for such a
# request Squid answers 407 Proxy Authentication Required and the browser
# retries with credentials. The TCP_DENIED/407 entries in the posted log,
# with "-" in the user field, are consistent with that challenge rather than
# with a rule actually refusing an authenticated user.
acl password proxy_auth REQUIRED

# Destinations that must be contacted directly (see always_direct below).
acl local-servers dstdomain bbe.k12.mn.us map.nwea.org nwea.org

# Matches every client address.
acl all src 0.0.0.0/0.0.0.0

acl localhost src 127.0.0.1/255.255.255.255

# Defined but currently unused: the "http_access allow localnet" rule is
# commented out below, so no source-address restriction is active and any
# host that can reach port 800 may attempt to authenticate. A
# "http_access deny !localnet" placed before "allow password" would limit
# that exposure to the internal network.
acl localnet src 172.21.0.0/255.255.0.0

# Ports a CONNECT tunnel may be opened to (https, snews).
acl SSL_ports port 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

# This range already covers every individually listed port from 1025 up
# (1433, 16125, 26125, 16126, 36125, 46125, 56125 below), so those entries
# are redundant; they are harmless but can be dropped.
acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

# Commented out per the thread. Squid's own listening port is therefore not a
# Safe_port; if icon fetches via port 800 are needed, confirm they still work
# under the "deny !Safe_ports" rule below.
# acl Safe_ports port 800 # Squids port (for icons)

acl Safe_ports port 1433 # skyward

acl Safe_ports port 16125 # skyward

acl Safe_ports port 26125 # skyward

acl Safe_ports port 16126 # ns1

acl Safe_ports port 36125 # extra

acl Safe_ports port 46125 # fintrain

acl Safe_ports port 56125 # stutrain

acl Safe_ports port 81 # ipcop

acl CONNECT method CONNECT

# http_access allow localhost

# First two rules are the ones the reply asked for: they were "allow" in the
# original config, which let any client use the proxy to reach arbitrary
# ports and open arbitrary CONNECT tunnels. As "deny" they refuse requests to
# ports outside Safe_ports and refuse tunnels to anything but SSL_ports before
# any allow rule is considered.
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

# http_access allow localnet

# Only authenticated users get through; unauthenticated requests are
# challenged with 407 here (see the "password" acl above).
http_access allow password

# always_direct is a separate directive from http_access; its position inside
# the http_access block does not affect rule ordering. It forces the listed
# domains to be fetched directly rather than via any peer.
always_direct allow local-servers

# Default deny: everything not explicitly allowed above ends here.
http_access deny all

maximum_object_size 4096 KB

minimum_object_size 0 KB

cache_mem 2000 KB

# On-disk cache kept under /var/log; the directory must be owned by the
# cache_effective_user (squid) for the store to initialise.
cache_dir ufs /var/log/cache 50 16 256

# 0 KB means no limit on request/reply body size.
request_body_max_size 0 KB

reply_body_max_size 0 KB
Received on Fri Sep 12 2003 - 22:43:25 MDT
