Re: [squid-users] Re: Squid 3.3.8 in intercept mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 17 Dec 2013 00:15:33 +1300

On 16/12/2013 11:46 p.m., 0bj3ct wrote:
> btw my squid.conf file:
>
> cache_peer proxy.bankofbaku.com parent 8080 0 default no-query
> login=usr:pswd
>
> acl allow_mac arp "/home/user/Desktop/allow_mac.txt"
> acl spring_url dst 10.xx.xx.xx
>
> never_direct deny spring_url
> never_direct allow all
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access allow spring_url all

The "all" on the above line is useless.

> http_access allow localhost manager
> http_access allow allow_mac
> http_access allow Safe_ports allow_mac
> http_access allow CONNECT SSL_ports allow_mac
> http_access deny manager
> http_access allow localhost

These...
> http_access deny Safe_ports all
> http_access deny CONNECT SSL_ports all

... are security measures designed carefully to protect against spam
relaying, Finger, Echo and IDENT protocol abuse, or tunneling arbitrary
data through the proxy without control.

The way you have designed this config makes them have no effect at all.

1) a series of deny lines followed by "deny all" (link below) can be
re-written as just the "deny all" line.

2) the basic security ACL tests should be placed above the allow rules
to avoid allowing some group of clients arbitrary access through the
proxy. eg if any machine in the "allow_mac" set ever becomes infected
or hijacked the malware may be able to use your proxy for delivering and
receiving attack traffic to your cache_peer.

> http_access deny all
>
> deny_info http://10.xx.xx.xx8080/SpringUrl all
>
> http_port 3128 intercept
>
> Note: When I remove "intercept" everything works fine..
>

The deny_info line is not an error page, but an HTTP redirection.
What it does is instruct the client to request the URL
http://10.xx.xx.xx8080/SpringUrl.

When the browser is explicitly configured to use the proxy it will
simply send a request for that URL to the proxy and things will be
sorted out there by the cache_peer and never_direct directives.

When the browser traffic is being intercepted it will make a request
directly to 10.xx.xx.xx port 8080.
What happens then?
Can it even connect to the 10.* network from where it is?

Amos
Received on Mon Dec 16 2013 - 11:15:39 MST
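The poster's http_access block reordered along the two points Amos raises, as an added example that is not part of the thread. The peer hostname, the ACL file path and the 10.xx.xx.xx placeholders are the poster's own; the colon in the deny_info URL and the `!` negation on the port checks (the form used in Squid's shipped squid.conf) are assumptions made here.

```conf
# Added example: hardened ordering of the posted squid.conf rules.
cache_peer proxy.bankofbaku.com parent 8080 0 default no-query login=usr:pswd

acl allow_mac arp "/home/user/Desktop/allow_mac.txt"
acl spring_url dst 10.xx.xx.xx
acl SSL_ports port 443
# Same Safe_ports list as posted, collapsed onto one line.
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

never_direct deny spring_url
never_direct allow all

# Point 2: the port sanity checks go FIRST, so no later allow line
# (allow_mac included) can grant traffic they are meant to block.
# Assumption: written with '!' as in Squid's default squid.conf, i.e.
# deny anything NOT on a safe port, and CONNECT to anything NOT an SSL port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

# Point 1: "allow spring_url all" is the same as "allow spring_url".
http_access allow spring_url

# Clients that pass the port checks above and are on the MAC list.
# "allow Safe_ports allow_mac" and "allow CONNECT SSL_ports allow_mac"
# are now redundant, since a plain "allow allow_mac" already covers them.
http_access allow allow_mac
http_access allow localhost

# Point 1 again: trailing denies followed by "deny all" are just "deny all".
http_access deny all

# Redirect on denial, as posted; the ':' before the port is assumed.
deny_info http://10.xx.xx.xx:8080/SpringUrl all

http_port 3128 intercept
```

The ordering change does not address the intercept question Amos ends with: an intercepted client still has to be able to reach 10.xx.xx.xx:8080 itself for the deny_info redirect to do anything.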