[squid-users] Peer Review of my ACL's

From: Eric Kahklen <eric@dont-contact.us>
Date: Tue, 24 Feb 2004 21:29:31 -0800

Now that I have my squid accelerator working, I need to tighten down my
ACL's. I am allowing SSL traffic in for the reverse proxying of OWA. I
am not offering any other proxying services. Any comments or
suggestions on improving/securing this would be appreciated. Here are
the ACL's I have that were combined with the default conf file:

#Recommended minimum configuration:
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

#MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
acl Exchangebox dst
http_access allow Exchangebox
http_access deny all

# And finally deny all other access to this proxy
http_access allow localhost

# and finally allow by default
http_reply_access allow all

#Allow ICP queries from everyone
icp_access allow all

Thank you,

Received on Tue Feb 24 2004 - 22:29:33 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST