Re: [squid-users] How to disable Regular Proxy Access under Interception Mode?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Jun 2011 18:38:35 +1200

On 09/06/11 23:11, kkk kkk wrote:
> Hi everyone,
>
> I'm running Squid 3.1 in Interception mode that is set to intercept
> traffic to a list of 10 websites.
> One security concern I have is that anyone in my ACL can enter my
> proxy IP and port in their browser and use it as a regular proxy.
>
> Is there a way to disable this access? If I can disable this access,

You fail to say which NAT infrastructure is being used to intercept.

The Linux intercept examples have been updated to include rules in the
"mangle" netfilter table which provide this protection.
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

If you are using some other form of NAT, nobody has (yet) provided any
extra details about solving this problem.

> no one can abuse my service because I can control what dstDomains will
> use my proxy.

Your configuration displays that this claim is probably false. See below.

>
> This is my current setup:
>
> acl allowed_IP src IP
> http_access allow allowed_IP

Anyone in the allowed_IP list can do anything they like regardless of
domain.

> http_access deny all
>
>
> Only Domains want to allow access:
> acl allowed_domains dstdomain
>
>
> If it's not theoretically possible, how can I write an ACL combo that
> only allows "allowed_ip" to access "allowed_domains" instead of
> accessing everything once it's allowed?

Access controls in Squid are a complete boolean logic language. Anything
that can be described in if-else form can be configured.
   http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.8 and 3.1.12.2
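As an added illustration of the AND/OR behaviour of http_access that Amos refers to (this is not part of the original message and not the poster's real configuration; the address range, domain names and port number are placeholders), here is the posted rule set, which lets allowed_IP fetch anything, next to the combined form that limits those clients to the listed domains:

```conf
# Added example, not from the original thread. 192.0.2.0/24 is the RFC 5737
# documentation range and the example.* names are placeholders.

# --- As posted: anyone in allowed_IP may fetch ANY destination -------------
# acl allowed_IP src 192.0.2.0/24
# http_access allow allowed_IP
# http_access deny all

# --- Combined: a request must match allowed_IP AND allowed_domains ---------
# Interception port only (Squid 3.1 keyword); no plain forward-proxy port.
http_port 3129 intercept

acl allowed_IP src 192.0.2.0/24
# Leading dot matches the domain and all of its subdomains.
acl allowed_domains dstdomain .example.com .example.net

# Several ACL names on one http_access line are AND-ed. Separate lines are
# OR-ed, evaluated top to bottom, first match wins. A request from an
# allowed_IP client for a host outside allowed_domains matches nothing
# on the allow line and falls through to the final deny.
http_access allow allowed_IP allowed_domains
http_access deny all
```

Note that http_access only decides which requests Squid will serve; it does not stop a client from opening a TCP connection straight to port 3129. Dropping those direct connections is what the mangle-table rules on the linked wiki pages are for: the mangle PREROUTING hook runs before nat PREROUTING, so a packet that already carries the intercept port as its destination when it arrives (a browser configured to use the proxy) can be dropped there, while a packet that the NAT rule later redirects from port 80 still passes through mangle with its original destination port. Both layers are needed for the "nobody can abuse my service" claim to hold.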
Received on Fri Jun 10 2011 - 06:40:01 MDT
