On 24/05/2012 6:45 a.m., Jeff MacDonald wrote:
> Hi,
>
> I can't put the access rules above the acl definition if that was what you meant. but incase that isn't what you meant.. i did re-order it a bit and this is what i have now.. still no access.
>
> FYI, i'm trying to access it using the cache manager cgi which runs on the same server
If you have a current squid (3.1 series) "localhost" is also using the
IP address ::1. This may need adding to your ACL definition.
For your current problem though see below ...
>
> root_at_proxy:~# !gre
> grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl westhants proxy_auth REQUIRED
> acl westhants-network src 192.168.11.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
In general you can consider squid.conf somewhat of a script programming
Squid what to do with a request.
As such, when needing to check whether an HTTP request is allowed to be
processed by Squid it does the following...
> http_access allow westhants
Step 1)
1a) test "westhants" ACL.
1b) send 407 message to locate client credentils.
Step 2) - there is no 2, see 1b for why.
> http_access allow localhost
> http_access allow westhants-network
> http_access allow manager localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
Consider the logic of:
deny A
deny B
deny everything
Why bother denying A and B individually if everything is denied anyway?
There is also a disconnection between your westhaunts authentication
test and the westhaunts network IPs.
Simply put IMHO your ACLs should be configured as:
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow westhants-network westhant
http_access deny all
If you want particulars about why I'm happy to provide. but it should be
clear if you understand Squid tests http_access lines top-done,
left-to-right on a first line to match wins basis. lines where one ACL
does not match skip to the next immediately.
Amos
Received on Sun May 27 2012 - 10:37:49 MDT
This archive was generated by hypermail 2.2.0 : Sun May 27 2012 - 12:00:04 MDT