Re: [squid-users] Hole in my thinking

From: Bobby <bobby@dont-contact.us>
Date: Thu, 7 Jun 2007 21:27:39 -0400

On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:
> Bobby wrote:
> > Hi List,
> >
> > I've been battling with this configuration and at this point I don't
> > think I'm seeing straight. The idea is to have a few groups with some
> > specific access tables for each of them. But somehow, besides for
> > manager, it either lets them all through or none, rather than following
> > the valid -http access lists.
> >
> > Please help me see the errors of my way!
> >
> >
> > This is running on openbsd where pf is redirecting traffic from 80 to
> > 3128 on the loopback device.
> >
> > --------------------------------------------------
> > http_port 3128
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 5203
> > acl CONNECT method CONNECT
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> >
> > acl our_networks src 172.16.10.0/24
> > #http_access allow our_networks
> >
> > http_access allow Safe_ports
>
> Here is the first line that matches. Everyone is allowed through (as
> long as they are trying to access a Safe_port). Is this just here while
> you test?

Yes, there are no Safe_ports defined.

> > # Each src file has a list of internal IP's, and each dst file
> > #has a list of domains they can visit.
> > acl operators-src src "/etc/squid/T_operators"
> > acl operators-dst dst "/etc/squid/T_operators-http"
>
> Hard to diagnose a problem without knowing what the contents of these
> files are...

Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable
IPs of websites in -dst files.

> > acl managers-src src "/etc/squid/T_managers"
> > acl managers-dst dst "/etc/squid/T_managers-http"
> > acl servers-src src "/etc/squid/T_servers"
> > acl servers-dst dst "/etc/squid/T_servers-http"
> > acl finance-src src "/etc/squid/T_finance"
> > acl finance-dst dst "/etc/squid/T_finance-http"
> > acl admins-src src "/etc/squid/T_admins"
> > acl admins-dst dst all
>
> Perhaps the "all" keyword works as you expect it to, but it seems to me
> that it would be better to define it as an explicit destination IP
> (0.0.0.0/0).

OK.

> > acl clients src 0.0.0.0/0.0.0.0
> > acl client-http dst 172.16.10.3
> >
> > http_access allow managers-src managers-dst
> > http_access allow operators-src operators-dst
> > http_access allow admins-src admins-dst
> > http_access allow servers-src servers-dst
> > http_access allow finance-src finance-dst
> > http_access allow clients client-http
> >
> > http_access deny all
> > http_reply_access deny all
>
> Whoa. You probably don't want to do this. http_reply_access controls
> what responses to your client's queries are allowed. Here you are
> rejecting all responses...

Was not sure about it so I tried both. Already fixed it, thanks.
Unfortunately I don't have local access so I can only test during certain
hours.

> > icp_access allow all
> >
> > visible_hostname gw0.example.com
> >
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> > coredump_dir /var/squid/cache
>
> Chris

In the end do you see any reason why operators can get out but not servers?

T_admins =
172.16.10.15
172.16.10.21
172.16.10.25

T_admins-http =
0.0.0.0

T_finance =
172.16.10.146
172.16.10.76

T_finance-http =
adobe.com
amsouth.com
anywho.com
arin.net

T_managers =
172.16.10.81
172.16.10.34
172.16.10.78

T_managers-http =
adobe.com
amsouth.com
anywho.com
arin.net

T_operators =
172.16.10.105
172.16.10.107
172.16.10.112
172.16.10.114
172.16.10.115
172.16.10.116

T_operators-http =
cordia.com
targusinfo.com
disney.go.com
av-wireless.com

T_servers =
172.16.10.81
172.16.10.35
172.16.10.24
172.16.10.12

T_servers-http =
microsoft.com
av-wireless.com

-- 
Bobby
Received on Thu Jun 07 2007 - 19:27:46 MDT
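An added illustration, not from the thread or from Squid itself, of the first-match evaluation Chris applies above: a small Python model of http_access over a subset of the posted lines, with constructed group lists standing in for the T_* files (hostname entries are matched literally, an assumption). It shows that with the posted Safe_ports a port-80 request stops at `deny !Safe_ports` and a port-5203 request stops at `allow Safe_ports`, so the per-group lines never decide until the blanket line is removed.

```python
from ipaddress import ip_address, ip_network

# ACL table: a subset of the posted squid.conf plus constructed group lists
# standing in for the T_* files (hostnames are matched literally; an assumption).
ACLS = {
    "all":          ("src",    ["0.0.0.0/0"]),
    "Safe_ports":   ("port",   [5203]),
    "SSL_ports":    ("port",   [443, 563]),
    "CONNECT":      ("method", ["CONNECT"]),
    "to_localhost": ("dst",    ["127.0.0.0/8"]),
    "servers-src":  ("src",    ["172.16.10.35", "172.16.10.24"]),
    "servers-dst":  ("dst",    ["microsoft.com", "av-wireless.com"]),
    "finance-src":  ("src",    ["172.16.10.146", "172.16.10.76"]),
    "finance-dst":  ("dst",    ["adobe.com", "arin.net"]),
}

# http_access lines in the posted order (manager lines left out for brevity)
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["Safe_ports"]),                  # the blanket line Chris pointed at
    ("allow", ["servers-src", "servers-dst"]),
    ("allow", ["finance-src", "finance-dst"]),
    ("deny",  ["all"]),
]
FIXED_RULES = [r for r in RULES if r != ("allow", ["Safe_ports"])]

def _in_dst(value, dst):
    try:                      # CIDR entry against an IP destination: containment
        return ip_address(dst) in ip_network(value, strict=False)
    except ValueError:        # hostname entry or hostname destination: literal match
        return dst == value

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if kind == "dst":
        return any(_in_dst(v, req["dst"]) for v in values)
    return req[kind] in values            # port / method

def http_access(req, rules=RULES):
    """First matching line decides; every ACL on a line must match (AND).
    Returns (action, index of the deciding line). If no line matches, Squid
    applies the opposite of the last line's action (index None)."""
    for i, (action, acls) in enumerate(rules):
        # an ACL fails the line when it mismatches, or matches while negated with "!"
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None
```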