Re: [squid-users] ACL not working as expected

From: Michael Gale <michael.gale@dont-contact.us>
Date: Thu, 8 Jul 2004 11:30:36 -0600

Hello,

I fixed the problem ... operator error. The ACL for goodmethod was only on "httpstand_ports", so I had to add "ftpstand_ports". So it now looks like this:

##### Methods and browsers
acl goodmethod method GET
acl goodmethod method HEAD
acl goodmethod method POST
http_access deny !goodmethod httpstand_ports
http_access deny !goodmethod ftpstand_ports

Now FTP can only get dir list and download files. No uploads :)

Michael.

On Thu, 8 Jul 2004 11:18:01 -0600
Michael Gale <michael.gale@utilitran.com> wrote:

> Hello,
>
> I have the following ACLs:
>
> ##### Protocol restrictions
> acl goodhttp proto HTTP
> acl goodftp proto FTP
> acl goodhttps proto CONNECT
> http_access deny !goodhttp httpstand_ports
> http_access deny !goodftp ftpstand_ports
> http_access deny !goodhttps SSL_ports
>
> ##### Methods and browsers
> acl goodmethod method GET
> acl goodmethod method HEAD
> acl goodmethod method POST
> http_access deny !goodmethod httpstand_ports
>
> Which should only allow HTTP GET and POST requests. I used lftp, setting it to use squid for FTP connections, and was
> able to upload a file. Now the cache.log says it was ALLOWED but the access.log shows an error ... the file was uploaded
> successfully.
>
> --snip-- cache.log
> 2004/07/08 11:05:55| The request PUT ftp://michael@mydomain.com/raidtab;type=i is ALLOWED, because it matched
> 'mydomain_http'
> 2004/07/08 11:05:55| The reply for PUT ftp://michael@mydomain.com/raidtab;type=i is ALLOWED,because it matched 'all'
> --snip--
>
> --snip-- access.log
> 1089306355.461 209 192.168.7.75 TCP_MISS/201 971 PUT ftp://michael@mydomin.com/raidtab;type=i -
> DIRECT/EXTERNAL_IP text/html [Host: mydomain.com\r\nUser-Agent: lftp/2.6.7\r\nContent-Length:
> 488\r\nLast-Modified: Tue, 21 Oct 2003 18:18:53 GMT\r\nAuthorization: Basic
> bWljaGFlbDpCbHVlTWlrZTcxMQ==\r\nConnection: close\r\n] [HTTP/1.0 201 Created\r\nServer:
> squid/2.5.STABLE5\r\nMime-Version: 1.0\r\nDate: Thu, 08 Jul 2004 17:05:55 GMT\r\nContent-Type:
> text/html\r\nContent-Length: 617\r\nExpires: Thu, 08 Jul 2004 17:05:55 GMT\r\nX-Squid-Error: ERR_FTP_PUT_CREATED
> 0\r\n\r]
>
> --
> Michael Gale
> Network Administrator
> Utilitran Corporation
>

-- 
Michael Gale
Network Administrator
Utilitran Corporation
Received on Thu Jul 08 2004 - 11:28:36 MDT
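
Added example (not part of the original message or of Squid itself): a minimal Python model of `http_access` evaluation, showing why the FTP PUT was allowed until the `ftpstand_ports` line was added. The port numbers, the `dstdomain` definition of `mydomain_http`, the `all` ACL and the trailing allow/deny lines are assumptions, since the thread does not show them.

```python
# Minimal model of Squid access-list evaluation (added illustration).
# Assumed, not shown in the thread: the port/dstdomain/all ACL definitions
# and the final allow/deny lines. Only the goodmethod lines are from the post.
ASSUMED_ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl httpstand_ports port 80
acl ftpstand_ports port 21
acl mydomain_http dstdomain mydomain.com
"""
METHOD_ACLS = """
acl goodmethod method GET
acl goodmethod method HEAD
acl goodmethod method POST
"""
TAIL = "http_access allow mydomain_http\nhttp_access deny all\n"
HTTP_RULE = "http_access deny !goodmethod httpstand_ports\n"
FTP_RULE = "http_access deny !goodmethod ftpstand_ports\n"
BEFORE = ASSUMED_ACLS + METHOD_ACLS + HTTP_RULE + TAIL
AFTER = ASSUMED_ACLS + METHOD_ACLS + HTTP_RULE + FTP_RULE + TAIL

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl":       # repeated names accumulate values (OR)
            acls.setdefault(tok[1], (tok[2], set()))[1].update(tok[3:])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":             # simplification: the only src ACL here is 'all'
        return True
    return str(req.get(kind)) in values

def decide(conf, req):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    acls, rules = parse(conf)
    for action, terms in rules:   # ACLs on one line are ANDed; '!' negates
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, " ".join(terms)
    raise ValueError("no rule matched; end the list with an explicit 'deny all'")

# Constructed requests modelled on the PUT in the quoted logs.
PUT_FTP = {"method": "PUT", "port": 21, "dstdomain": "mydomain.com"}
GET_FTP = {"method": "GET", "port": 21, "dstdomain": "mydomain.com"}

if __name__ == "__main__":
    print("before:", decide(BEFORE, PUT_FTP))
    print("after: ", decide(AFTER, PUT_FTP))
```

The first matching line wins, so a method restriction that is tied to one port ACL never fires for requests arriving on another.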
