Re: [squid-users] limiting connection not working 3.1.4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 06 Dec 2011 23:34:18 +1300

On 6/12/2011 11:04 p.m., J. Webster wrote:
>>> http_access deny manager
>>> http_access allow ncsa_users
>> So all logged in users have unlimited access?
>>
>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny to_localhost
>>> http_access deny maxuser
>> These deny rules are placed below the allow rule letting ALL logged in
>> users through.
>> This means that for all machines on the Internet which can supply one
>> of your users insecure plain-text logins:
>> * the safe_ports rule preventing viral and P2P abuse relaying through
>> Squid has no effect
>> * the CONNECT rule preventing blind binary tunneling of data to any
>> protocol port through Squid has no effect.
>> * your maxuser policy has no effect.
> So, I should apply the deny rules above the allow ncsa_users line?
> eg
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny maxuser
> http_access deny manager
> http_access allow ncsa_users

Yes.

Although in the case of maxuser, that needs auth credentials to operate.
It may trigger auth itself, but if not make that line "deny ncsa_users
maxuser".

>
>
>>> http_access allow localhost
>>> http_access deny all
>>> icp_access allow all
>>> http_port 8080
>>> http_port xx.xx.xx.xx:80
>> And what are you expecting to arrive over port 80?
>> That port is reserved for reverse-proxy and origin server traffic.
>>
> I have squid listening on port 80 and 8080 because some clients cannot connect on port 8080

Ah, okay fair enough.

>
>>> visible_hostname MyNameProxyServer
>> Funny domain name. I hope that is obfuscated for the post not in the
>> config.
>> This is the domain name used in URLs your clients get told to use for
>> Squid error and FTP page icons. If it does not resolve back to this or
>> another Squid your clients will be facing page load problems on those
>> generated responses.
> I thought this was just the name presented to the users when they logged on.
> If it is meant to be a domain name should it be:
> visible_hostname www.mynameproxyserver.com
> ?

Yes it is used in URLs.

Ideally Squid will auto-detect the box's FQDN hostname and you don't
need to set it explicitly. But Squid will do DNS verification that
the apparent hostname resolves before using it. So if the hostname has
no DNS entry it needs setting.

Amos
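The first-match behaviour Amos is pointing at, as an added example that is not part of the thread or of Squid itself: a small Python model of http_access evaluation that replays an authenticated user's CONNECT to port 25 against both rule orders. The ACL definitions, the MAX_IPS limit and the request are assumptions constructed for the demonstration.

```python
# Added example, not Squid's code: toy model of Squid's http_access evaluation
# (top to bottom, first matching line wins, "!" negates an ACL; ACLs assumed).
MAX_IPS = 2  # assumed max_user_ip limit behind the "maxuser" ACL
SAFE_PORTS = {21, 70, 80, 210, 280, 443, 488, 591, 777} | set(range(1025, 65536))
ACLS = {
    "manager":      lambda r: r["url"].startswith("cache_object://"),
    "ncsa_users":   lambda r: r["user"] is not None,  # proxy auth succeeded
    "Safe_ports":   lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports":    lambda r: r["port"] == 443,
    "CONNECT":      lambda r: r["method"] == "CONNECT",
    "to_localhost": lambda r: r["dst"] in ("127.0.0.1", "::1"),
    "maxuser":      lambda r: r["user"] is not None and r["user_ips"] > MAX_IPS,
    "localhost":    lambda r: r["src"] in ("127.0.0.1", "::1"),
    "all":          lambda r: True,
}

def parse_rules(conf):
    """Collect (action, [acl, ...]) from the http_access lines of a config."""
    return [(p[1], p[2:]) for p in map(str.split, conf.splitlines())
            if len(p) > 2 and p[0] == "http_access"]

def http_access(conf, req):
    """First line whose ACLs all match (AND) decides; if none matches, Squid
    applies the opposite of the last line's action."""
    rules = parse_rules(conf)
    for action, acls in rules:
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"
# The poster's order: "allow ncsa_users" sits above every deny line.
ORIGINAL = """http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all"""
# Amos's order: deny lines first, maxuser tied to the auth ACL.
CORRECTED = """http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny ncsa_users maxuser
http_access deny manager
http_access allow ncsa_users
http_access allow localhost
http_access deny all"""
# Constructed request: an authenticated user asking to tunnel to SMTP (port 25).
SMTP_TUNNEL = {"method": "CONNECT", "url": "mail.example.org:25", "port": 25,
               "dst": "203.0.113.5", "src": "198.51.100.7", "user": "alice", "user_ips": 1}
```

With the original order the tunnel is allowed because "allow ncsa_users" matches first; with the corrected order "deny !Safe_ports" matches first and the same request is denied.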
Received on Tue Dec 06 2011 - 10:34:31 MST