Re: [squid-users] Port allow question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 14 Dec 2012 14:26:28 +1300

On 14/12/2012 11:53 a.m., Paras pradhan wrote:
> Hi,
>
> I have 0-65536 in safe ports and it is allowed.
>
> acl Safe_ports port 0-65535
> http_access deny !Safe_ports

This is not an ALLOW. This is a not-DENIED, otherwise known as "check
next rule".

NP: there are a number of ports in the 0-1024 range which are seriously
risky to permit HTTP connections to. The SMTP and FTP ports, for example.

>
> But I am seeing this in access.log.
>
> --
> 1355433138.267 0 192.168.0.2 TCP_DENIED/403 3413 CONNECT
> 192.168.0.2:35357 - NONE/- text/html
> --
>
> How do we allow 35357?

This is a CONNECT request. So "acl SSL_Ports port 35357" should do it.
But consider carefully why the client needs a binary tunnel opened to
that destination, and whether letting it is a good idea.

Amos
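To make the "check next rule" point concrete, here is an added example (not Squid's code and not from either poster) that models Squid's first-match http_access evaluation for the port and method ACLs used in this thread. It parses the denied log line quoted above, runs it through the stock rule order (`deny !Safe_ports`, `deny CONNECT !SSL_ports`, `allow localnet`, `deny all`), and shows that a wide-open Safe_ports range still leaves the CONNECT to 35357 denied until 35357 is also in SSL_ports. The `localnet` ACL is assumed to match the client, and the second GET log line is constructed for illustration.

```python
"""Simplified model of Squid http_access evaluation (added example, not Squid code).

Only the 'port' and 'method' ACL types and '!' negation are modelled.
Squid semantics reproduced here: a line matches when every ACL term on it
matches; the first matching line decides; if no line matches, the opposite
of the last line's action applies.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    method: str
    port: int


def port_acl(*specs):
    """Matcher for 'acl NAME port ...' specs such as 443 or '1025-65535'."""
    ranges = []
    for spec in specs:
        lo, _, hi = str(spec).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return lambda req: any(lo <= req.port <= hi for lo, hi in ranges)


def method_acl(name):
    """Matcher for 'acl NAME method ...'."""
    return lambda req: req.method.upper() == name.upper()


def evaluate(rules, acls, req):
    """rules: list of (action, [terms]); a term is 'NAME' or '!NAME'."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            hit = acls[term.lstrip("!")](req)
            if negate:
                hit = not hit
            if not hit:
                matched = False
                break
        if matched:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def request_from_log(line):
    """Extract method and destination port from a native-format access.log line."""
    fields = line.split()
    method, url = fields[5], fields[6]
    if "://" in url:                      # e.g. GET http://host:port/path
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    else:                                 # CONNECT host:port
        port = int(url.rpartition(":")[2])
    return Request(method, port)


def build_acls(safe_ports, ssl_ports):
    return {
        "Safe_ports": port_acl(*safe_ports),
        "SSL_ports": port_acl(*ssl_ports),
        "CONNECT": method_acl("CONNECT"),
        "localnet": lambda req: True,     # assumption: client is on the LAN
        "all": lambda req: True,
    }


# Stock squid.conf ordering, as rule tuples:
#   http_access deny !Safe_ports
#   http_access deny CONNECT !SSL_ports
#   http_access allow localnet
#   http_access deny all
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]

# The denied line quoted in the thread (whitespace collapsed).
CONNECT_LINE = ("1355433138.267 0 192.168.0.2 TCP_DENIED/403 3413 CONNECT "
                "192.168.0.2:35357 - NONE/- text/html")
# Constructed line: a plain GET aimed at the SMTP port.
SMTP_LINE = ("1355433200.000 0 192.168.0.2 TCP_DENIED/403 3413 GET "
             "http://mail.example.invalid:25/ - NONE/- text/html")


def decision(safe_ports, ssl_ports, line=CONNECT_LINE):
    """Return 'allow' or 'deny' for the request in `line` under the given ACLs."""
    return evaluate(RULES, build_acls(safe_ports, ssl_ports), request_from_log(line))


if __name__ == "__main__":
    # Poster's config: Safe_ports 0-65535 does not help a CONNECT to 35357.
    print("0-65535 Safe_ports, SSL_ports 443 :", decision(["0-65535"], [443]))
    # Amos's fix: add the port to SSL_ports (with a sane Safe_ports list).
    print("SSL_ports 443 35357              :",
          decision([80, 21, 443, "1025-65535"], [443, 35357]))
    # A conservative Safe_ports list still blocks port 25 outright.
    print("GET to port 25                   :",
          decision([80, 443, "1025-65535"], [443, 35357], SMTP_LINE))
```

Run as written, the first case prints `deny`, the second `allow`, and the third `deny`: the `deny !Safe_ports` line never allows anything, it only hands non-matching requests to the next rule, which for CONNECT is `deny CONNECT !SSL_ports`.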
Received on Fri Dec 14 2012 - 01:26:35 MST
