RE: [squid-users] limiting connection not working 3.1.4

From: J. Webster <webster_jack_at_hotmail.com>
Date: Tue, 6 Dec 2011 10:04:41 +0000

> > http_access deny manager
> > http_access allow ncsa_users
>
> So all logged in users have unlimited access?
>
>
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> > http_access deny maxuser
>
> These deny rules are placed below the allow rule letting ALL logged in
> users through.
> This means that for all machines on the Internet which can supply one
> of your users insecure plain-text logins:
> * the safe_ports rule preventing viral and P2P abuse relaying through
> Squid has no effect
> * the CONNECT rule preventing blind binary tunneling of data to any
> protocol port through Squid has no effect.
> * your maxuser policy has no effect.

So, I should apply the deny rules above the allow ncsa_users line?
e.g.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access deny manager
http_access allow ncsa_users

>
> > http_access allow localhost
> > http_access deny all
> > icp_access allow all
> > http_port 8080
> > http_port xx.xx.xx.xx:80
>
> And what are you expecting to arrive over port 80?
> That port is reserved for reverse-proxy and origin server traffic.
>
I have Squid listening on port 80 and 8080 because some clients cannot connect on port 8080.

> > visible_hostname MyNameProxyServer
>
> Funny domain name. I hope that is obfuscated for the post not in the
> config.
> This is the domain name used in URLs your clients get told to use for
> Squid error and FTP page icons. If it does not resolve back to this or
> another Squid your clients will be facing page load problems on those
> generated responses.

I thought this was just the name presented to the users when they logged on.
If it is meant to be a domain name should it be:
visible_hostname www.mynameproxyserver.com
?

Thanks

Received on Tue Dec 06 2011 - 10:04:52 MST
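
Added example, not part of the original message or of Squid's own code: a toy Python model of the top-to-bottom, first-match evaluation of `http_access` lines that the quoted reply describes, run over the original and the reordered rule lists from this message. ACL matching is reduced to set membership, and the request sets (`TUNNEL`, `OVER_LIMIT`, `NORMAL`) are constructed for illustration.

```python
# Toy model of Squid's first-match http_access evaluation (added example).
ORIGINAL = """
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
"""
REORDERED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access deny manager
http_access allow ncsa_users
http_access allow localhost
http_access deny all
"""

def parse(config):
    """Return [(action, [acl terms])] for each http_access line."""
    rows = (line.split() for line in config.splitlines())
    return [(r[1], r[2:]) for r in rows if len(r) >= 3 and r[0] == "http_access"]

def term_matches(term, matched):
    """'all' always matches; '!name' matches when the request does not match name."""
    if term == "all":
        return True
    return (term[1:] not in matched) if term.startswith("!") else (term in matched)

def decide(config, matched):
    """The first line whose ACLs ALL match wins; later lines are never consulted."""
    rules = parse(config)
    for number, (action, terms) in enumerate(rules, 1):
        if all(term_matches(t, matched) for t in terms):
            return action, number
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed requests, described by the ACL names they would match.
TUNNEL = {"ncsa_users", "CONNECT"}  # logged-in CONNECT to a port outside Safe_ports/SSL_ports
OVER_LIMIT = {"ncsa_users", "Safe_ports", "maxuser"}
NORMAL = {"ncsa_users", "Safe_ports"}

if __name__ == "__main__":
    for name, req in (("TUNNEL", TUNNEL), ("OVER_LIMIT", OVER_LIMIT), ("NORMAL", NORMAL)):
        print(name, "original:", decide(ORIGINAL, req), "reordered:", decide(REORDERED, req))
```

The second element of each result is the number of the `http_access` line that decided the request, which shows which rule was reached in each ordering.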
