Re: [squid-users] NTLM filtering single user

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 16 May 2008 02:05:58 +1200

Luca Dell'Oca wrote:
> On 5/13/08 4:00 PM, "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:
>
>>> acl Java browser Java/1.4 Java/1.5
>>> http_access allow Java
>> Ah, bingo. great big security hole.
>> Anyone claiming to be Java now gets unlimited web browsing. And I do
>> mean ANYONE, anywhere on the net.
>
> I've said I am a newbie :-) So, how should I write this one? I found the
> example on the internet and thought it would be right.

:-) so many pages on the net need re-writing.

Add an acl listing the internal network IP ranges that are supposed to
be okay sources.

   http_access allow Java localnet

That will cut down the hole to only internal abusers. Still not even
rating 'great'. But a lot better than open.

Even better would be to drop it down the list as far as it can go. So as
many of the denials as possible can do their magic.

>
>>> http_access allow localhost
>>> http_access deny blockcache AuthUser
>>> http_access allow allowedurls AuthUser
>>> acl lunchbreak time D 13:00-14:00
>>> acl lunchbreaksites dstdomain "/etc/squid/lunchbreaksites"
>>> http_access allow lunchbreak lunchbreaksites
>>>
>> So far it looks okay. Those are all everyone-or-nobody right?
>
> Exactly, we have caching sites like google and yahoo in "blockcache" file
> and sites everyone can see in "allowedurls". Same for "lunchbreaksites",
> everyone during this period can see those sites.
>
>>> # User by user ACL:
>>>
>>> acl administrator proxy_auth REQUIRED
>>> acl assistenza proxy_auth REQUIRED
>> Here is where the problems start.
>> 'REQUIRED' means only that the person MUST login. Squid does not care
>> what the username/password is, just that it authenticates.
>>
>> To get specific user having access to a specific site you need to list
>> the username in the acl. Like so:
>>
>> acl administrator proxy_auth admin Administrator
>> acl assistent proxy_auth john
>>
>> For small sites or short lists it's usable.
>> For larger sites or ones where you want better control than manually
>> typing each out, external_acl_type is your friend.
>>
>> An external ACL script can take the %LOGIN and %DST etc and lookup a
>> database of who and where they are allowed. The result can be used in
>> one place to allow/deny.
>> http://www.squid-cache.org/Versions/v2/2.6/cfgman/external_acl_type.html
>>
>> external_acl_type blah .....
>> acl foo external blah
>> http_access allow foo
>> http_access deny all
>
> Thanks so much for the hint, I will try on Monday when I'll be back to
> office. Right now I think we will use the internal list in squid.conf, since
> we have not so many users, but I'll try also the external_acl, so I can
> learn something for the future!!!
>
> I will let you know about the tests.
>
> Luca.

Amos

-- 
Please use Squid 2.6.STABLE20 or 3.0.STABLE5
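The points made in this thread (why "allow Java" on its own is an open hole, what adding localnet does, why the position of that line in the list matters, and the difference between proxy_auth REQUIRED, a username list, and an external lookup) can be seen by running a small model of Squid's http_access evaluation. The script below is an added example, not code from the thread or from Squid itself; the internal range 192.168.0.0/16, the blockcache domains, the usernames and the who-may-go-where table are constructed values, and the proxy_auth handling is simplified (a request without credentials simply fails to match, whereas real Squid would answer with a 407 challenge).

```python
import ipaddress
import re

# ---- ACL constructors: a simplified subset of Squid's ACL types ----
def make_acl(kind, *args):
    if kind == "src":                       # source address inside any listed CIDR
        nets = [ipaddress.ip_network(a) for a in args]
        return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)
    if kind == "browser":                   # regex on the User-Agent header
        pats = [re.compile(a) for a in args]
        return lambda r: any(p.search(r.get("user_agent", "")) for p in pats)
    if kind == "dstdomain":                 # host equals the domain or is under it
        doms = [a.lower() for a in args]
        host = lambda r: r.get("dst", "").lower()
        return lambda r: any(host(r) == d or host(r).endswith("." + d) for d in doms)
    if kind == "proxy_auth":
        # Simplification: no credentials just means "no match"; real Squid
        # would send a 407 challenge before deciding.
        if args == ("REQUIRED",):
            return lambda r: r.get("user") is not None
        users = set(args)
        return lambda r: r.get("user") in users
    if kind == "external":                  # stand-in for an external_acl_type helper
        lookup = args[0]
        return lambda r: lookup(r.get("user"), r.get("dst"))
    raise ValueError(f"unknown acl type {kind}")

def http_access(rules, acls, req):
    """Squid semantics: lines are checked top to bottom; a line fires only when
    every ACL named on it matches; if no line fires, the result is the
    opposite of the last line's action."""
    for action, names in rules:
        if all(acls[name](req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ---- constructed ACL table mirroring the thread's config ----
ACLS = {
    "all": lambda r: True,
    "Java": make_acl("browser", r"Java/1\.4", r"Java/1\.5"),
    "localnet": make_acl("src", "192.168.0.0/16"),          # assumed internal range
    "blockcache": make_acl("dstdomain", "google.com", "yahoo.com"),
    "AuthUser": make_acl("proxy_auth", "REQUIRED"),
    "administrator": make_acl("proxy_auth", "admin", "Administrator"),
    # constructed (user, destination) permission table in place of a real helper
    "perms": make_acl("external", lambda u, d: (u, d) in {("john", "intranet.example")}),
}

# ---- constructed requests ----
OUTSIDE_JAVA = {"src": "203.0.113.7", "user_agent": "Java/1.5.0_10", "dst": "example.org"}
INSIDE_JAVA = {"src": "192.168.1.20", "user_agent": "Java/1.5.0_10", "dst": "example.org"}
INSIDE_JAVA_CACHE = dict(INSIDE_JAVA, dst="www.google.com", user="john")

def java_hole():
    """'allow Java' alone: any host on the net claiming a Java UA gets through."""
    rules = [("allow", ["Java"]), ("deny", ["all"])]
    return http_access(rules, ACLS, OUTSIDE_JAVA)

def java_with_localnet():
    """Adding localnet to the same line: outside source denied, inside allowed."""
    rules = [("allow", ["Java", "localnet"]), ("deny", ["all"])]
    return http_access(rules, ACLS, OUTSIDE_JAVA), http_access(rules, ACLS, INSIDE_JAVA)

def java_rule_placement():
    """Same lines, different order: with the Java allow moved below the denials,
    'deny blockcache AuthUser' now applies to Java clients as well."""
    early = [("allow", ["Java", "localnet"]), ("deny", ["blockcache", "AuthUser"]), ("deny", ["all"])]
    late = [("deny", ["blockcache", "AuthUser"]), ("allow", ["Java", "localnet"]), ("deny", ["all"])]
    return http_access(early, ACLS, INSIDE_JAVA_CACHE), http_access(late, ACLS, INSIDE_JAVA_CACHE)

def required_vs_named(user):
    """REQUIRED matches any authenticated user; a username list matches only those listed."""
    req = {"src": "192.168.1.20", "dst": "example.org", "user": user}
    any_login = [("allow", ["AuthUser"]), ("deny", ["all"])]
    named = [("allow", ["administrator"]), ("deny", ["all"])]
    return http_access(any_login, ACLS, req), http_access(named, ACLS, req)

def external_lookup(user, dst):
    """One allow line driven by a who-and-where lookup, as with external_acl_type."""
    req = {"src": "192.168.1.20", "dst": dst, "user": user}
    rules = [("allow", ["perms"]), ("deny", ["all"])]
    return http_access(rules, ACLS, req)

if __name__ == "__main__":
    print("allow Java only, outside source:", java_hole())
    print("allow Java localnet (outside, inside):", java_with_localnet())
    print("Java line early vs late, blockcache site:", java_rule_placement())
    print("john with REQUIRED vs named list:", required_vs_named("john"))
    print("external lookup john -> example.org:", external_lookup("john", "example.org"))
```

The first-match rule is what makes line order matter: a permissive line near the top short-circuits every deny below it for whatever it matches, which is why Amos suggests pushing the Java line down as far as it will go.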
Received on Thu May 15 2008 - 14:05:55 MDT
