Re: [squid-users] Problem in allowing only selected https sites and denying all others !!!

From: Chris Robertson <crobertson_at_gci.net>
Date: Thu, 15 May 2008 16:07:13 -0800

Shiva Raman wrote:
> Hi
>
> I am using Centos 5, Squid Cache: Version 2.6.STABLE6 and
> my local lan network is 192.168.10.0/24. More than 150 users
> are concurrently accessing the squid proxy server.
>
> Following is my requirement
>
> 1) Access to all http sites
> 2) Access to only selected https sites like redhat.com, paypal.com,
> and all other https sites should be denied.
>
> Following is my squid.conf
> ----------------------------
>
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 443 # https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 192.168.10.0/24 192.168.20.0/24
> acl myhttps dstdomain .redhat.com
> http_access allow our_networks
>

This is your first match, and access is allowed. Move this line just
above the "http_access deny all" and remove the "http_access deny
our_networks", and you'll be set.

> http_access deny our_networks SSL_ports !myhttps
> http_access deny our_networks
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname myoffice
> coredump_dir /var/spool/squid
>
>
> ----------------------------------
>
>
> From the above configuration, the problem I am facing here is that all
> the https sites are accessible to the users,
> even if I had allowed only 'myhttps'. Is it possible to block
> specific https sites as per my requirement?
>
> Also, is it necessary to define port 443 in both SSL_ports as well as
> Safe_ports?
>

For the best security, yes. Safe_ports allows connecting in general (or
more accurately doesn't deny the connection) to the specified ports;
SSL_ports specifically allows (doesn't disallow) CONNECT (which is what
browsers use to pass SSL traffic through a proxy).

> When I remove 443 from Safe_ports, I am not able to access any https sites.
>

As the connection is denied by the line "http_access deny !Safe_ports".

>
>
> Thanks for any help
>
> Regards
>
> Shiva Raman .
> SysAdmin
>

For what it's worth, the FAQ section on ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl) is quite readable.

Chris
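To make the first-match point concrete, here is an added example (not from the thread or from Squid itself): a small Python simulator of Squid's http_access evaluation over the ACLs from the posted squid.conf, running the original ordering beside the reordering Chris suggests. The client address 192.168.10.5 and the hostnames are constructed, and only the ACL types the thread uses (src, port, method, dstdomain) are modelled.

```python
# Added example (not from the thread): first-match simulator for Squid's
# http_access evaluation, showing why the posted order allows every https
# CONNECT and why Chris's reordering fixes it. Client 192.168.10.5 is constructed.
import ipaddress

# ACL definitions taken from the posted squid.conf: name -> (type, values)
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "SSL_ports": ("port", {443}),
    "Safe_ports": ("port", {443, 80, 21, *range(1025, 65536)}),
    "CONNECT": ("method", {"CONNECT"}),
    "our_networks": ("src", ["192.168.10.0/24", "192.168.20.0/24"]),
    "myhttps": ("dstdomain", [".redhat.com"]),
}
# http_access lines as posted: "allow our_networks" matches every LAN request
ORIGINAL = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("deny", ["our_networks", "SSL_ports", "!myhttps"]),  # never reached
    ("deny", ["our_networks"]),
    ("deny", ["all"]),
]
# Chris's fix: https deny line above the allow, bare "deny our_networks" removed
FIXED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["our_networks", "SSL_ports", "!myhttps"]),
    ("allow", ["our_networks"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind in ("port", "method"):
        return req[kind] in values
    host = req["host"].lower()  # dstdomain: ".x.com" matches x.com and *.x.com
    return any(host == v.lstrip(".") or host.endswith(v) for v in values)

def http_access(rules, req):
    """ACLs on one line are ANDed ('!' negates); the first line whose ACLs
    all match decides. With no match, the opposite of the last line applies."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(method, host, port, src="192.168.10.5"):
    return {"method": method, "host": host, "port": port, "src": src}
```

With ORIGINAL, a CONNECT to www.paypal.com:443 from the LAN is allowed by the third line before the https deny is ever consulted; with FIXED the same request is denied while www.redhat.com:443 and plain http still pass.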
Received on Fri May 16 2008 - 00:07:28 MDT
