Hello Chris,
Thursday, November 24, 2005, 1:44:34 AM, you wrote:
> acl localhost src 127.0.0.1/255.255.255.255 192.168.1.0/255.255.255.255
CR> This is really stretching the definition of "localhost".
I've changed the line to :
acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8 192.168.1.0/255.255.255.255
CR> Same here. Is there really a computer with an IP of 192.168.1.0?
and here to
acl to_localhost dst 127.0.0.0/8
My server IP is 192.168.1.1, so I thought, late at night, that...
>> acl Safe_ports port 12000 #Webmin
CR> This line is redundant. Port 12000 is already included in the range 1025-65535.
I thought so too, so I removed it.
>> acl webmin port 12000
>> acl SSL_ports port 12000 # voir ssl
CR> I'd say one or the other, not both...
I leave the first one.
>> And my HTTP_ACCESS :
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access deny purge
>>
>> http_access allow webmin
CR> This will allow anyone (even people not on your network) to
CR> connect to any server on port 12000 through your cache.
CR> Considering that you are on a rfc1918 network, the risk is
CR> reduced, but writing secure ACLs is a good habit.
I changed the last line to : http_access allow webmin our_network
>> http_access allow CONNECT webmin
CR> I know I suggested a line similar to this (bad me). It will
CR> allow connections (using the CONNECT method) from any client (even
CR> not on your network) to any server port 12000 through your cache. Better would be...
CR> http_access allow CONNECT webmin our_network
CR> ...as that would at least limit the CONNECT method on port 12000
CR> to computers sourcing from your network.
Changed it to your suggestion.
>> 1132791052.505 11 192.168.1.10 TCP_MISS/200 2269 CONNECT
>> 192.168.1.1:12000 - DIRECT/192.168.1.1 -
>> 1132791052.584 10 192.168.1.10 TCP_MISS/200 2189 CONNECT
>> 192.168.1.1:12000 - DIRECT/192.168.1.1 -
CR> This indicates that the connection is proceeding properly. Note
CR> the 200 after TCP_MISS? The TCP_MISS just indicates that the
CR> connection was via TCP and the resultant data was not in the cache
CR> (not a surprise, considering it's encrypted).
>> When I open my browser, and I choose Webmin, I get the certificate
>> window. Then the error Error - Access denied for 192.168.1.1
CR> Odd. Access denied? That's not shown in the log snippet you
CR> have provided. Perhaps this is Webmin preventing access from your
CR> cache's IP address. Or it's cached data in your browser... Try
CR> clearing your browser cache (or using a different browser) and see if the result is the same.
CR> Chris
I emptied the cache of my browser, reloaded the configuration of
Squid, and still have the same problem :(
Error - Access denied for 192.168.1.1 for the browser
and
1132858337.208 9 192.168.1.10 TCP_MISS/200 1850 CONNECT 192.168.1.1:12000 - DIRECT/192.168.1.1 -
in access.log
Here is the new ACLs and HTTP_ACCESS, so it's clearer :)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl our_network src 192.168.1.0/25
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl webmin port 12000
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow webmin our_network
http_access allow CONNECT webmin our_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_network
http_access allow localhost
http_access deny all
Thanx for your help :)
-- Best regards, LeKeiserAmen mailto: LeKeiser@lekeiser.comReceived on Thu Nov 24 2005 - 11:59:08 MST
This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:10 MST