Re: [squid-users] squid slows when more user connect to it

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 22 May 2012 10:37:13 +1200

On 21.05.2012 15:19, Ali Esf wrote:
> Hello dear Amos,
> according to your reply to my last email I changed the configuration
> of the squid to the following:
> We need authentication only by user name and password over WAN and do not
> need any proxy access from LAN.
> Is it a good configuration?

That is okay. I was just checking that you were aware of it and wanted it.
The new config you show seems to have dropped that policy and moved to
authenticating everyone.

The problem was with the "allow all" at the end of the http_access
config. You fixed that now.

>
> NOTE: You dropped the CONNECT safety rule.
> What do you mean by this statement?
> Is it possible to explain it?

The default config supplies a line, which you are still missing from
your config:

   # Deny CONNECT to other than secure SSL ports
   http_access deny CONNECT !SSL_Ports

What that does is prevent clients from pushing anonymous binary tunnels
through your Squid to any port they want.

Allowing CONNECT tunnels is a major problem, since it does not have to
be done with your clients' knowledge. It is very much the same as
configuring your network's border firewall with "Allow all". It can be
abused by malware installed on the client machines or even just a
malicious JavaScript running in a web advert.

> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
>
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow user_pass_auth
> http_access deny all
>
> access_log none
>
> cache_store_log none
>
> cache_log /dev/null

This is not good. Squid requires a cache_log file for critical error
messages.

If you can, run squid as "debug_options ALL,1" and fix the warnings so
there are no messages. Warnings at level 1 are problems which affect the
client experience in a bad way, but do not cause fatal problems to
Squid.

Or set "debug_options ALL,0" to limit Squid to only producing critical
errors. The messages appearing at level 0 once Squid is operating are
often the only sign you have about why squid is crashing. They *need* to
be fixed, ASAP.

Amos
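As an added example (not from this thread or the Squid project), a small POSIX sh lint run over two constructed squid.conf excerpts: the quoted ordering with the CONNECT rule missing and cache_log sent to /dev/null, and the same with the default rule restored ahead of the authentication allow. The ACL definitions and the log path are assumptions, not the poster's config.

```shell
# Constructed squid.conf excerpts (not the poster's full file). The ACL
# definitions and cache_log path are assumed for the sake of the example.
WEAK_CONF='acl SSL_Ports port 443
acl Safe_ports port 80 443
acl user_pass_auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow user_pass_auth
http_access deny all
cache_log /dev/null'

FIXED_CONF='acl SSL_Ports port 443
acl Safe_ports port 80 443
acl user_pass_auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports (the default rule)
http_access deny CONNECT !SSL_Ports
http_access allow user_pass_auth
http_access deny all
cache_log /var/log/squid/cache.log
debug_options ALL,1'

# lint_squid_conf CONF: prints one finding per line and returns 1 if any;
# prints nothing and returns 0 when the excerpt is clean.
lint_squid_conf() {
  findings=$(printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                         # skip comments/blank
    $1 == "http_access" && $2 == "deny" && $3 == "CONNECT" && !connect_deny {
      connect_deny = NR }                                     # first CONNECT deny
    $1 == "http_access" && $2 == "allow" && $3 != "manager" && !first_allow {
      first_allow = NR }                                      # first client allow
    $1 == "cache_log" && $2 == "/dev/null" {
      print "cache_log /dev/null: critical errors are discarded" }
    END {
      if (!connect_deny)
        print "missing: http_access deny CONNECT !SSL_Ports"
      else if (first_allow && connect_deny > first_allow)
        print "CONNECT deny sits after a client allow rule and never matches"
    }')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

lint_squid_conf "$WEAK_CONF" || echo "weak excerpt: findings above"
lint_squid_conf "$FIXED_CONF" && echo "fixed excerpt: clean"
```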
Received on Mon May 21 2012 - 22:37:18 MDT
