On Tue, 24 Feb 2004, Eric Kahklen wrote:
> Now that I have my squid accelerator working, I need to tighten down my
> ACL's. I am allowing SSL traffic in for the reverse proxying of OWA. I
> am not offering any other proxying services. Any comments or
> suggestions on improving/securing this would be appreciated. Here are
> the ACL's I have that were combined with the default conf file:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
A bit overkill for the above situation.
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
Ok.
> # Deny requests to unknown ports
> http_access deny !Safe_ports
Ok if this was a Internet proxy.
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
As above.
> #MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
> acl Exchangebox dst 10.0.0.5
> http_access allow Exchangebox
> http_access deny all
Ok.
> # And finally deny all other access to this proxy
> http_access allow localhost
What is this? Clearly not what the comment claims. But you have already
denied everything above so it can never get here.
> # and finally allow by default
> http_reply_access allow all
Ok. Does not need to be specified.
> #Allow ICP queries from everyone
> icp_access allow all
You don't want ICP in a reverse proxy. In fact I would recommend you to
distable icp entirely (see icp_port).
I would propose something like the following configuration for your
reverse proxy:
# Base ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http protocol http
acl port80 port 80
acl https protocol https
acl port443 port 443
# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
# Allow access to our servers
acl Exchangebox dst 10.0.0.5
http_access allow https port443 Exchangebox
[or if you are using Squid-3 with cache_peer based forwarding]
acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
http_access allos https port443 Exchangebox
# And finally deny all other access to this proxy
http_access deny all
# Disable ICP
icp_port 0
Regards
Henrik
Received on Wed Feb 25 2004 - 02:53:58 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST