[squid-users] RE: https Webmin using port 12000 doesn't work anymore with Squid

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 23 Nov 2005 15:44:34 -0900

> -----Original Message-----
> From: LeKeiserAmen [mailto:LeKeiser@lekeiser.com]
> Sent: Wednesday, November 23, 2005 3:13 PM
> To: squid-users@squid-cache.org
> Subject: Re[2]: [squid-users] Re[2]: https Webmin using port 12000
> doesn't work anymore with Squid
>
>
> Hello Chris,
>
> Wednesday, November 23, 2005, 9:59:54 PM, you wrote:
>
>
> CR> The CONNECT method is only allowed to ports 443, 563 and 873
> CR> (deny CONNECT, unless it's to a port listed in
> CR> SSL_Ports). If you add...
>
> CR> acl SSL_Ports port 12000 # Webmin
>
> CR> ...to your ACL list you would be set. Even better would be to
> CR> define your Webmin host, and allow it specifically.
> CR> Instead of adding the above, add...
>
> CR> acl webmin_host dstdomain webmin.mynet.dom
> CR> acl webmin_port port 12000
> CR> http_access allow CONNECT webmin_host webmin_port
> CR> http_access deny CONNECT !SSL_ports # Existing line
>
> CR> Chris
>
> I tried what you suggested, it didn't work :(
>
> Here are my ACLs :
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255 192.168.1.0/255.255.255.255

This is really stretching the definition of "localhost".

> acl to_localhost dst 127.0.0.0/8 192.168.1.0/255.255.255.255

Same here. Is there really a computer with an IP of 192.168.1.0?

>
> acl our_network src 192.168.1.0/25
>
> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 12000 #Webmin

This line is redundant. Port 12000 is already included in the range 1025-65535.

> acl webmin port 12000
> acl SSL_ports port 12000 # voir ssl

I'd say one or the other, not both...

> acl purge method PURGE
> acl CONNECT method CONNECT
>
> And my HTTP_ACCESS :
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> http_access allow webmin

This will allow anyone (even people not on your network) to connect to any server on port 12000 through your cache. Considering that you are on an RFC 1918 network, the risk is reduced, but writing secure ACLs is a good habit.

> http_access allow CONNECT webmin

I know I suggested a line similar to this (bad me). It will allow connections (using the CONNECT method) from any client (even not on your network) to any server port 12000 through your cache. Better would be...

http_access allow CONNECT webmin our_network

...as that would at least limit the CONNECT method on port 12000 to computers sourcing from your network.

>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow our_network
> http_access allow localhost
>
> http_access deny all
>
> I get the error :
> 1132791052.505 11 192.168.1.10 TCP_MISS/200 2269 CONNECT 192.168.1.1:12000 - DIRECT/192.168.1.1 -
> 1132791052.584 10 192.168.1.10 TCP_MISS/200 2189 CONNECT 192.168.1.1:12000 - DIRECT/192.168.1.1 -
>

This indicates that the connection is proceeding properly. Note the 200 after TCP_MISS? The TCP_MISS just indicates that the connection was via TCP and the resultant data was not in the cache (not a surprise, considering it's encrypted).

> When I open my browser, and I choose Webmin, I get the certificate
> window. Then the error Error - Access denied for 192.168.1.1
>

Odd. Access denied? That's not shown in the log snippet you have provided. Perhaps this is Webmin preventing access from your cache's IP address. Or it's cached data in your browser... Try clearing your browser cache (or using a different browser) and see if the result is the same.

>
> Thanx for your help :)
>
> --
> Best regards,
> LeKeiserAmen
> mailto: LeKeiser@lekeiser.com
>
>

Chris
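A toy first-match evaluator for the http_access lines in this thread, added here as an illustration (not Chris's code and not Squid's own parser). It assumes the ACL values quoted above, models only src, port and method ACLs, and contrasts the posted `allow webmin` / `allow CONNECT webmin` lines with the source-restricted line Chris recommends.

```python
import ipaddress

# Constructed ACL table mirroring the thread's squid.conf (names are the page's own).
# This is a simplified model of Squid's first-match evaluation, not Squid itself.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "our_network": ("src", ["192.168.1.0/25"]),
    "SSL_ports": ("port", [443, 563, 873]),
    "Safe_ports": ("port", [80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488,
                            591, 777, 631, 873, 901]),
    "webmin": ("port", [12000]),
    "CONNECT": ("method", ["CONNECT"]),
}

def acl_matches(name, req):
    """True if the named ACL matches the request dict {src, port, method}."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(v[0] <= req["port"] <= v[1] if isinstance(v, tuple)
                   else req["port"] == v for v in values)
    return req["method"] in values  # kind == "method"

def evaluate(rules, req):
    """The first http_access line whose ACLs all match (with '!' negation) wins;
    if nothing matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The http_access block as posted (manager/purge lines omitted) ...
POSTED = [("allow", ["webmin"]), ("allow", ["CONNECT", "webmin"]),
          ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
          ("allow", ["our_network"]), ("deny", ["all"])]
# ... and with the single source-restricted line recommended in the reply.
FIXED = [("allow", ["CONNECT", "webmin", "our_network"])] + POSTED[2:]

def compare(src, port, method="CONNECT"):
    """Return (decision under POSTED, decision under FIXED) for one request."""
    req = {"src": src, "port": port, "method": method}
    return evaluate(POSTED, req), evaluate(FIXED, req)

if __name__ == "__main__":
    print(compare("10.0.0.5", 12000))      # outside client: ('allow', 'deny')
    print(compare("192.168.1.10", 12000))  # LAN client:     ('allow', 'allow')
```

The outside client is the case the reply warns about: the posted rules let any source tunnel to port 12000, while the fixed line lets only 192.168.1.0/25 through and the existing `deny CONNECT !SSL_ports` catches everyone else.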
Received on Wed Nov 23 2005 - 17:44:35 MST
