Re: [squid-users] problems with post/get -- may be ! not sure at all :os

From: <olivier.delvigne@dont-contact.us>
Date: Tue, 16 Dec 2003 08:21:55 +0100

Hello,

I've tried out your config but it doesn't work.

My network is simple: I've got a LAN at 10.1.1.0/24, all the users are
from a Win2000 Active Directory, connecting with Internet Explorer 5-6. The Squid
server is on a ProLiant, Red Hat 9 newly installed.
Everyone from my LAN can connect to the web, I just need to block FTP, ICQ,
MSN, Kazaa, eDonkey, etc.! You know! And control the browsing with
SquidGuard (it works perfectly well).

thank you for your help
Olivier

From: Duane Wessels <wessels@squid-cache.org>
To: olivier.delvigne@acis-group.org
cc: squid-users@squid-cache.org
Date: 15/12/2003 17:55
Subject: Re: [squid-users] problems with post/get -- may be ! not sure at all :os

Your access controls are very strange.

> acl ACISNETWORK src 10.1.1.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl CONNECT method GET POST HEAD CONNECT PUT DELETE

> http_access allow manager localhost
> http_access deny manager
> http_access allow ACISNETWORK

The above allows any request from a client in your ACISNETWORK.
It even allows a user to make a CONNECT request to any port, such
as port 25. That allows Squid to be used as a spam relay, and is
a very bad idea.

The rest of these ACLs apply only to requests coming from somewhere
other than ACISNETWORK.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Since you redefined CONNECT to include other methods, the above would
deny a GET request to port 80, for example. Probably not what you want to
do. You should leave the CONNECT acl with only the CONNECT method.

> http_reply_access allow ACISNETWORK
> http_access deny ACISNETWORK

The above line is not necessary because any request that matches
ACISNETWORK was already allowed above and will never reach this point
in the rules.

> icp_access deny ACISNETWORK
> http_access deny all
> icp_access deny all

I'm not really sure about your setup, but I think your ACL rules should
probably look like this:

             acl ACISNETWORK src 10.1.1.0/255.255.255.0
             acl all src 0.0.0.0/0.0.0.0
             acl manager proto cache_object
             acl localhost src 127.0.0.1/255.255.255.255
             acl to_localhost dst 127.0.0.0/8
             acl SSL_ports port 443 563
             acl Safe_ports port 80
             acl CONNECT method CONNECT

             http_access allow manager localhost
             http_access deny manager
             http_access deny CONNECT !SSL_ports
             http_access deny !Safe_ports
             http_access allow ACISNETWORK

You may want to add more ports to Safe_ports. If you have users on other
networks (besides ACISNETWORK), you should make another ACL for that
network and allow it also.

Duane W.
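To see why the rule order matters, here is a small simulator of Squid's first-match http_access evaluation, run over the two ACL sets from this thread. It is an added example written for this page, not Squid code and not part of either message: it models only the src, port, method and proto acl types the configs above use (dst is not modelled), and applies Squid's documented rule that all terms on a line must match, `!` negates a term, and a request matching no line gets the opposite of the last line's action. The client addresses 10.1.1.25 and 192.0.2.10 are constructed test inputs.

```python
"""Simulate Squid http_access evaluation over the ACL sets in this thread.
Added example (not Squid's code); models src/port/method/proto acls only."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str               # client IP address
    method: str            # HTTP method, e.g. GET or CONNECT
    port: int              # destination port (the tunnel target for CONNECT)
    manager: bool = False  # cache_object:// (cache manager) request


def parse(config):
    """Return (acls, rules): acls maps name -> (type, values),
    rules is the ordered list of (action, [terms]) from http_access lines."""
    acls, rules = {}, []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, *values = parts[1:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return req.port in {int(v) for v in values}
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "proto":
        return req.manager and "cache_object" in values
    return False  # dst and other types are not modelled: treat as no match


def evaluate(config, req):
    """First matching http_access line wins; every term on the line must
    match ('!' negates). With no match, Squid applies the opposite of the
    last line's action. Returns (action, line that decided it)."""
    acls, rules = parse(config)
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            matched = acl_matches(acls[term.lstrip("!")], req)
            if matched == negate:  # term fails either way
                hit = False
                break
        if hit:
            return action, "http_access %s %s" % (action, " ".join(terms))
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "default (opposite of last line)"


# Olivier's original config as quoted in the thread (http_reply_access and
# icp_access lines omitted; they do not affect http_access).
ORIGINAL = """
acl ACISNETWORK src 10.1.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method GET POST HEAD CONNECT PUT DELETE
http_access allow manager localhost
http_access deny manager
http_access allow ACISNETWORK
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ACISNETWORK
http_access deny all
"""

# Duane's suggested config, verbatim from the reply above.
CORRECTED = ORIGINAL.split("acl CONNECT")[0] + """acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow ACISNETWORK
"""

if __name__ == "__main__":
    cases = [Request("10.1.1.25", "CONNECT", 25),    # spam relay attempt
             Request("10.1.1.25", "GET", 80),
             Request("10.1.1.25", "CONNECT", 443),
             Request("192.0.2.10", "GET", 80)]       # outsider
    for req in cases:
        print(req, "original:", evaluate(ORIGINAL, req), "corrected:", evaluate(CORRECTED, req))
```

Running it shows the point of the reply: with the original order, a LAN client's CONNECT to port 25 is allowed by `http_access allow ACISNETWORK` before the port checks are reached, and an outsider's GET to port 80 is denied by `deny CONNECT !SSL_ports` because the CONNECT acl was redefined to include GET. With the corrected order the relay attempt is denied. The simulation also shows why Duane adds "you may want to add more ports to Safe_ports": with Safe_ports holding only 80, a LAN client's CONNECT to 443 is denied by `deny !Safe_ports`, so 443 (and any other port you tunnel to) must be listed there as well.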
Received on Tue Dec 16 2003 - 00:22:59 MST

This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:13 MST