Re: [squid-users] acl list ?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 3 Feb 2009 11:48:41 +1300 (NZDT)

> Hello all,
>
> I have a question regarding acls. I'm having some trouble with
> TCP_DENIED/400 and TCP_DENIED/403 errors. Below you'll see my relevant
> squid.conf info.
>
> For clarification, we are a wireless ISP with about 12,000 subscribers.
> Much of our network is on public IP space. It was built a long time ago
> and has grown. So our squid server is on a public IP address. We have
> many servers, some of which host user websites/forums as well as webmail
> for our customers. When I use the "http_access deny all" after my other
> acls defining our private and public networks, I get the TCP_DENIED
> errors. Customers cannot access their website or webmail. When I look
> at the access log, I see these IP addresses with the errors coming from
> off network. So I would deny, correct? The ports associated with the
> errors (2982 3008 3012 3008 3004 3042) are also within the port ranges
> allowed as you can see below. Or is what I see happening is that my
> router is directing port 80 traffic, then squid says "hey, they don't
> meet any of the permitted networks, but they do meet acl all
> 0.0.0.0/0.0.0.0 so deny". But then that doesn't make sense either. My
> "wccp web-cache redirect out" is placed on the "outgoing" interface of
> the router. Having never worked with a squid cache server before, I'm a
> little confused as to what I am seeing, what squid is doing, and what
> squid is reporting. Is what I am seeing related to the fact that the
> squid server is on a public IP address? Could I get a little
> clarification here if possible? Thanks again.

With the config below and squid on a public IP, the only thing protecting
Squid from being an open proxy is maybe some firewall rules. Though by the
sounds of it those are not present and may not be possible for you.

Am I correct in understanding that you have an internal space which is
supposed to be allowed through, and also public web services which are
reverse-proxy/accelerated, and one or more routers performing interception
to grab outgoing port 80 requests?

Sounds like time to re-audit the config. I've added some ideas below...

 * The SMTP_port entry makes me think there is more you are keeping private.
That may have some effect on why things are getting 403. For a full audit
we will need to see all of the active config lines, or you can use
"debug_options ALL,0 28,6" to get a full listing of what ACLs are being
tested, in what order, and which ones are producing the 403.

 * If I'm correct about the reverse-proxy for some internal resources
(webmail?) you will need to check or add the reverse-proxy config to
allow access there properly.

 * I'm not sure myself what the WCCP part needs to be doing or configured
as. So if it's related to that, I may not be very helpful.

>
> acl all src 0.0.0.0/0.0.0.0

acl all src all

> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl noc src 211.22.3.10/32
> acl cache1 src 211.22.2.159/32

> acl masq_networks src 10.5.0.0/18
> acl our_arizona_networks src 211.22.0.0/18
> acl our_iowa_network src 70.100.192.0/21
> acl our_davenport1_network src 70.100.206.0/24
> acl our_davenport2_network src 70.100.207.0/24

These might be condensed into a single ACL:

# Arizona
acl localnet src 211.22.0.0/18
# Iowa
acl localnet src 70.100.192.0/21
# Davenport
acl localnet src 70.100.206.0/24
acl localnet src 70.100.207.0/24
# RFC 1918 private - masq
acl localnet src 10.5.0.0/18

>
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access allow manager cache1
> http_access deny manager
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than safe SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Deny Squid CONNECT to SMTP
> http_access deny SMTP_port

The regular SMTP port blockage should be covered by both Safe_ports and
SSL_ports (by not being listed as safe).

>
> http_access allow our_arizona_networks
> http_access allow masq_networks
> http_access allow our_iowa_network
> http_access allow our_davenport1_network
> http_access allow our_davenport2_network

... after the condensing above...
http_access allow localnet

>
> # I'VE OPENED IT UP BECAUSE OF THE ERRORS - NO DENIED ERRORS NOW!! (YUCK
> - FIX ME!!!)
> http_access allow all
>
> # THIS IS WHAT I DID HAVE IN PLACE
> # And finally deny all other access to this proxy
> #http_access deny all
>
> http_port 127.0.0.1:3128 transparent
> http_port 211.22.2.159:3128 transparent
>

Amos
Received on Mon Feb 02 2009 - 22:48:46 MST
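The first-match evaluation behind the 403s discussed above, as an added example that is not part of the thread: a small Python evaluator for Squid-style `acl` and `http_access` lines, run over the condensed `localnet` ACLs from the reply plus the poster's Safe_ports/SSL_ports/CONNECT lines. The hosted webmail address 211.22.1.25, the off-network client 198.51.100.7 and the destination 203.0.113.80 are constructed for the example. The `our_sites dst` ACL is only one illustration of letting outside clients reach the hosted servers without reopening the proxy; it stands in for whatever accelerator (`http_port ... accel`) configuration the reply says needs checking, and does not model interception or WCCP. Note that a `port` ACL tests the request's destination port, so the numbers to check against Safe_ports are the server ports, not the client source ports that appear in access.log.

```python
"""Added example (not from the squid-users thread): a first-match evaluator
for Squid-style `acl` and `http_access` lines. Addresses marked "constructed"
are invented for the illustration."""
import ipaddress
from typing import Dict, List, Tuple

AclTable = Dict[str, List[Tuple[str, Tuple[str, ...]]]]
Rule = Tuple[str, Tuple[str, ...]]   # ("allow"|"deny", ("localnet", "!Safe_ports", ...))


def parse_acls(lines: List[str]) -> AclTable:
    """`acl NAME TYPE VALUE...`; repeated lines for one NAME are OR'd, as in Squid."""
    table: AclTable = {}
    for line in lines:
        _, name, kind, *values = line.split("#")[0].split()   # strip squid.conf inline comments
        table.setdefault(name, []).append((kind, tuple(values)))
    return table


def parse_rules(lines: List[str]) -> List[Rule]:
    """`http_access allow|deny ACL [ACL...]`, kept in file order."""
    return [(parts[1], tuple(parts[2:])) for parts in (ln.split() for ln in lines)]


def port_in_spec(port: int, spec: str) -> bool:
    lo, _, hi = spec.partition("-")          # "80" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


def acl_matches(table: AclTable, name: str, req: dict) -> bool:
    for kind, values in table[name]:
        if kind in ("src", "dst"):
            ip = ipaddress.ip_address(req[kind])
            if any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "port" and any(port_in_spec(req["port"], v) for v in values):
            return True
        elif kind == "method" and req["method"] in values:
            return True
    return False


def http_access(table: AclTable, rules: List[Rule], req: dict) -> Tuple[str, str]:
    """A line matches when every term on it matches ('!' negates a term); the
    first matching line decides. With no match, Squid applies the opposite of
    the last line's action, so a list ending in `allow` denies by default."""
    for action, terms in rules:
        if all(acl_matches(table, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, "(no line matched; default is opposite of last line)"


def req(src: str, dst: str, port: int, method: str = "GET") -> dict:
    return {"src": src, "dst": dst, "port": port, "method": method}


# Condensed ACLs from the reply, plus the poster's port/CONNECT ACLs.
ACLS = parse_acls([
    "acl all src all",
    "acl localhost src 127.0.0.1/32",
    "acl localnet src 211.22.0.0/18",       # Arizona
    "acl localnet src 70.100.192.0/21",     # Iowa
    "acl localnet src 70.100.206.0/24",     # Davenport
    "acl localnet src 70.100.207.0/24",
    "acl localnet src 10.5.0.0/18",         # RFC 1918 masq
    "acl SSL_ports port 443 563",
    "acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777",
    "acl CONNECT method CONNECT",
    "acl our_sites dst 211.22.1.25/32",     # constructed: a hosted webmail server
])
CLOSED = parse_rules([                      # the poster's intended ("FIX ME") list
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow localnet",
    "http_access deny all",
])
OPEN = CLOSED[:3] + parse_rules(["http_access allow all"])          # what is running now
HOSTED = CLOSED[:3] + parse_rules(["http_access allow our_sites"]) + CLOSED[3:]

WEBMAIL, OUTSIDE, ELSEWHERE = "211.22.1.25", "198.51.100.7", "203.0.113.80"   # constructed


def scenarios() -> Dict[str, Tuple[str, str]]:
    return {
        "subscriber browsing out":     http_access(ACLS, CLOSED, req("211.22.5.20", ELSEWHERE, 80)),
        "subscriber CONNECT to smtp":  http_access(ACLS, CLOSED, req("211.22.5.20", ELSEWHERE, 25, "CONNECT")),
        "subscriber CONNECT to 8080":  http_access(ACLS, CLOSED, req("211.22.5.20", ELSEWHERE, 8080, "CONNECT")),
        "outsider to webmail, closed": http_access(ACLS, CLOSED, req(OUTSIDE, WEBMAIL, 80)),    # the 403
        "outsider to webmail, hosted": http_access(ACLS, HOSTED, req(OUTSIDE, WEBMAIL, 80)),
        "outsider elsewhere, hosted":  http_access(ACLS, HOSTED, req(OUTSIDE, ELSEWHERE, 80)),
        "outsider elsewhere, open":    http_access(ACLS, OPEN, req(OUTSIDE, ELSEWHERE, 80)),    # open proxy
    }


if __name__ == "__main__":
    for label, (action, line) in scenarios().items():
        print(f"{label:29} -> {action:5} by {line}")
```

The two lines worth comparing are "outsider to webmail, closed", which reproduces the TCP_DENIED/403 from `http_access deny all`, and "outsider elsewhere, open", which is what the temporary `http_access allow all` does for anyone on the Internet. The SMTP CONNECT case is refused by `deny !Safe_ports` before any SMTP_port line would be reached, which is the redundancy the reply points out.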

This archive was generated by hypermail 2.2.0 : Tue Feb 03 2009 - 12:00:02 MST