Amos Jeffries wrote:
>> * To allow anyone in to view http from the internet:-
>> #http_access deny all
>> http_access allow all
>>
>
> Eeek. No, no, no.
>
> The config was clear. Set up an ACL listing the domains you are hosting.
> Permit access to just them not the rest of the Internet via your proxy.
> The recommended config makes Squid act as a partial firewall for attack
> requests. With 'http_access allow all' your backend will be wide open to
> any faked domain lookup designed to hog resources and DoS you.
>
I've read this wrong then. With the config:-
http_access allow manager localhost
http_access allow localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
# And finally deny all other access to this proxy
#http_access deny all
http_access allow all
cache_peer 127.0.0.2 parent 80 0 no-query originserver name=ApacheLocal
cache_peer 127.0.0.3 parent 80 0 no-query originserver name=IISLocal
cache_peer 127.0.0.4 parent 80 0 no-query originserver name=IISLocalBugs
cache_peer 192.168.1.100 parent 80 0 no-query originserver name=ApacheDebian
cache_peer_domain IISLocalBugs test.domain.com
cache_peer_domain ApacheDebian test2.domain.com
acl iis_bugs_sites dstdomain test.domain.com
acl apache_debian_sites dstdomain test2.domain.com
http_access allow iis_bugs_sites
http_access allow apache_debian_sites
cache_peer_access ApacheLocal deny all
cache_peer_access IISLocal deny all
cache_peer_access IISLocalBugs allow iis_bugs_sites
cache_peer_access IISLocalBugs deny all
cache_peer_access ApacheDebian allow apache_debian_sites
cache_peer_access ApacheDebian deny all
Hmmm... In writing this out I think I've figured the problem. The
http_access deny all was about the later http_access allow for the
domains. I'll test it out, but doing this post for posterity.
Lyle
Received on Mon Aug 24 2009 - 11:23:44 MDT
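The ordering problem Lyle spots at the end of his post can be checked without a running Squid. The script below is an added example, not part of this thread or of Squid itself: a deliberately simplified model of how Squid walks http_access lines (first line whose ACLs all match decides; if nothing matches, the opposite of the last line applies). It knows only the ACL types the posted config relies on (src, dstdomain and the built-in `all`); the localnet ranges, the test client address 203.0.113.5 and the trimmed-down config texts are constructed for the example. It shows that with `http_access allow all` placed before the per-domain allows, those allows are never reached and any Host header is accepted, whereas moving `deny all` to the end keeps only the hosted domains reachable from the Internet.

```python
"""Simplified first-match model of Squid http_access evaluation.

Added example for the squid-users thread above; not Squid code. Only the ACL
types used in the posted config are modelled (src, dstdomain, all), and the
manager/Safe_ports/CONNECT lines are left out because they do not affect
the ordering problem being demonstrated.
"""
import ipaddress

# ACL table: name -> (type, values). Values are constructed for the example;
# the dstdomain entries mirror the two hosted domains from the thread.
ACLS = {
    "all": ("all", None),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "iis_bugs_sites": ("dstdomain", ["test.domain.com"]),
    "apache_debian_sites": ("dstdomain", ["test2.domain.com"]),
}

# Trimmed version of the config as posted: 'allow all' precedes the domain allows.
POSTED_CONF = """
http_access allow localhost
http_access allow localnet
#http_access deny all
http_access allow all
http_access allow iis_bugs_sites
http_access allow apache_debian_sites
"""

# Ordering Amos recommends: allow the hosted domains, then deny everything else.
FIXED_CONF = """
http_access allow localhost
http_access allow localnet
http_access allow iis_bugs_sites
http_access allow apache_debian_sites
http_access deny all
"""


def acl_matches(name, src_ip, dst_host):
    """Return True if the named ACL matches this request (simplified semantics)."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        host = dst_host.lower().rstrip(".")
        # A leading dot in Squid means "this domain and its subdomains".
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in values)
    raise ValueError("unsupported ACL type: %s" % kind)


def parse_http_access(config_text):
    """Extract (action, [acl names]) from the http_access lines, skipping comments."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access"):
            continue
        _, action, *acl_names = line.split()
        rules.append((action, acl_names))
    return rules


def evaluate(rules, src_ip, dst_host):
    """First matching line wins. A line matches when every ACL on it matches;
    a '!' prefix inverts one ACL. With no match, Squid applies the opposite of
    the last line's action."""
    for action, acl_names in rules:
        if all(acl_matches(n.lstrip("!"), src_ip, dst_host) != n.startswith("!")
               for n in acl_names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, src_ip, dst_host):
    return evaluate(parse_http_access(config_text), src_ip, dst_host)


def shadowed_rules(config_text):
    """Lint: every http_access line after an unconditional 'allow all' or
    'deny all' can never be reached. Returns those dead lines."""
    rules = parse_http_access(config_text)
    for i, (_, acl_names) in enumerate(rules):
        if acl_names == ["all"]:
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    internet_client = "203.0.113.5"  # constructed external address
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for host in ("test.domain.com", "evil.example.net"):
            print(label, host, decide(conf, internet_client, host))
        print(label, "shadowed lines:", shadowed_rules(conf))
```

Running it prints `allow` for both hosts under the posted ordering (the open-proxy case Amos warns about) and reports the two domain allows as unreachable; under the fixed ordering only test.domain.com and test2.domain.com are allowed from outside, and nothing is shadowed.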