Re: [squid-users] Peer Review of my ACL's

From: Eric Kahklen <eric@dont-contact.us>
Date: Wed, 25 Feb 2004 08:12:43 -0800

One correction in case others follow this thread down the line.

acl http protocol http

should be:

acl http proto http

Thanks again!!!

Eric

Henrik Nordstrom wrote:

>On Tue, 24 Feb 2004, Eric Kahklen wrote:
>
>>Now that I have my squid accelerator working, I need to tighten down my
>>ACL's. I am allowing SSL traffic in for the reverse proxying of OWA. I
>>am not offering any other proxying services. Any comments or
>>suggestions on improving/securing this would be appreciated. Here are
>>the ACL's I have that were combined with the default conf file:
>>
>>#Recommended minimum configuration:
>>acl all src 0.0.0.0/0.0.0.0
>>acl manager proto cache_object
>>acl localhost src 127.0.0.1/255.255.255.255
>>acl to_localhost dst 127.0.0.0/8
>>acl SSL_ports port 443 563
>>acl Safe_ports port 80 # http
>>acl Safe_ports port 21 # ftp
>>acl Safe_ports port 443 563 # https, snews
>>acl Safe_ports port 70 # gopher
>>acl Safe_ports port 210 # wais
>>acl Safe_ports port 1025-65535 # unregistered ports
>>acl Safe_ports port 280 # http-mgmt
>>acl Safe_ports port 488 # gss-http
>>acl Safe_ports port 591 # filemaker
>>acl Safe_ports port 777 # multiling http
>>acl CONNECT method CONNECT
>
>A bit overkill for the above situation.
>
>># Only allow cachemgr access from localhost
>>http_access allow manager localhost
>>http_access deny manager
>
>Ok.
>
>># Deny requests to unknown ports
>>http_access deny !Safe_ports
>
>Ok if this was an Internet proxy.
>
>># Deny CONNECT to other than SSL ports
>>http_access deny CONNECT !SSL_ports
>
>As above.
>
>>#MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
>>acl Exchangebox dst 10.0.0.5
>>http_access allow Exchangebox
>>http_access deny all
>
>Ok.
>
>># And finally deny all other access to this proxy
>>http_access allow localhost
>
>What is this? Clearly not what the comment claims. But you have already
>denied everything above so it can never get here.
>
>># and finally allow by default
>>http_reply_access allow all
>
>Ok. Does not need to be specified.
>
>>#Allow ICP queries from everyone
>>icp_access allow all
>
>You don't want ICP in a reverse proxy. In fact I would recommend you to
>disable ICP entirely (see icp_port).
>
>I would propose something like the following configuration for your
>reverse proxy:
>
># Base ACLs
>acl all src 0.0.0.0/0.0.0.0
>acl localhost src 127.0.0.1/255.255.255.255
>acl http protocol http
>acl port80 port 80
>acl https protocol https
>acl port443 port 443
>
># Only allow cachemgr access from localhost
>acl manager proto cache_object
>http_access allow manager localhost
>http_access deny manager
>
># Allow access to our servers
>acl Exchangebox dst 10.0.0.5
>http_access allow https port443 Exchangebox
>
>[or if you are using Squid-3 with cache_peer based forwarding]
>
>acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
>http_access allow https port443 Exchangebox
>
># And finally deny all other access to this proxy
>http_access deny all
>
># Disable ICP
>icp_port 0
>
>Regards
>Henrik
Received on Wed Feb 25 2004 - 09:12:46 MST
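The point Henrik makes about rule order (a line after "deny all" can never decide) and the difference between Eric's rule set and the proposed one can be checked mechanically. The following is an added example, not code from the thread or from Squid: a small Python model of Squid's http_access first-match evaluation, covering only the src, dst, port and proto ACL types (the Squid-3 dstdomain variant is left out), with the two rule sets trimmed to the lines that matter and the sample client/server addresses constructed for the illustration.

```python
import ipaddress
ORIGINAL = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 563 1025-65535
acl Exchangebox dst 10.0.0.5
http_access deny !Safe_ports
http_access allow Exchangebox
http_access deny all
http_access allow localhost   # never reached: 'deny all' is above it
"""
PROPOSED = """
acl all src 0.0.0.0/0.0.0.0
acl https proto https
acl port443 port 443
acl Exchangebox dst 10.0.0.5
http_access allow https port443 Exchangebox
http_access deny all
"""

def parse(text):
    """Collect 'acl NAME TYPE VALUES...' and 'http_access ACTION TERMS...' in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()          # strip trailing comments
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    """True if the request matches any value of this ACL (src, dst, port, proto only)."""
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        ranges = (v.partition("-") for v in values)
        return any(int(lo) <= req["port"] <= int(hi or lo) for lo, _, hi in ranges)
    return req[kind].lower() in {v.lower() for v in values}

def evaluate(config, req):
    """First http_access line whose terms all match decides ('!' negates a term);
    with no match, the default is the opposite of the last line's action."""
    acls, rules = parse(config)
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, i                          # (decision, deciding line index)
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

A request is a dict with src, dst, proto and port keys; running both rule sets over a plain-http request to the Exchange box shows that the original admits it while the proposed set denies it, and a localhost request shows the final "allow localhost" line is never the deciding rule.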