Your access controls are very strange
> acl ACISNETWORK src 10.1.1.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl CONNECT method GET POST HEAD CONNECT PUT DELETE
> http_access allow manager localhost
> http_access deny manager
> http_access allow ACISNETWORK
The above allows any request from a client in your ACISNETWORK.
It even allows a user to make a CONNECT request to any port, such
as port 25. That allows Squid to be used as a spam relay, and is
a very bad idea.
The rest of these ACLs apply only to requests coming from somewhere
except ACISNETWORK.
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
Since you redefined CONNECT to include other methods, the above would
deny a GET request to port 80, for example. Probably not what you want to
do. You should leave the CONNECT acl with only the CONNECT method.
> http_reply_access allow ACISNETWORK
> http_access deny ACISNETWORK
The above line is not necessary because any request that matches ACISNETWORK
was already allowed above and will never reach this point in the rules.
> icp_access deny ACISNETWORK
> http_access deny all
> icp_access deny all
I'm not really sure about your setup, but I think your ACL rules should probably
look like this:
acl ACISNETWORK src 10.1.1.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access deny !Safe_ports
http_access allow ACISNETWORK
You may want to add more ports to Safe_ports. If you have users on other networks
(besides ACISNETWORK), you should make another ACL for that network and
allow it also.
Duane W.
Received on Mon Dec 15 2003 - 09:55:21 MST
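An added example, not part of Duane's reply: a small Python model of Squid's first-match http_access evaluation, run over both the quoted rules and the suggested ones, to show why a CONNECT to port 25 from the LAN gets through the original set and where the redefined CONNECT acl bites. The sample requests and the outside address 192.0.2.7 are constructed; the manager and localhost rules are left out of the model.

```python
import ipaddress

# Constructed model of Squid http_access: rules are tested in order and the
# first rule whose ACL list fully matches decides; if no rule matches, Squid
# applies the opposite of the last rule's action.
ACIS_NET = ipaddress.ip_network("10.1.1.0/24")
SSL_PORTS, SAFE_PORTS = {443, 563}, {80}

def acl_match(name, req, connect_methods):
    """One ACL name (with optional '!' negation) against a request dict."""
    negate = name.startswith("!")
    hit = {
        "all": True,
        "ACISNETWORK": ipaddress.ip_address(req["src"]) in ACIS_NET,
        "SSL_ports": req["port"] in SSL_PORTS,
        "Safe_ports": req["port"] in SAFE_PORTS,
        "CONNECT": req["method"] in connect_methods,  # the 'method' acl
    }[name.lstrip("!")]
    return hit != negate

def http_access(rules, req, connect_methods):
    """Return (decision, text of the rule that decided)."""
    for action, *acls in rules:
        if all(acl_match(a, req, connect_methods) for a in acls):
            return action, f"http_access {action} {' '.join(acls)}"
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, "default (opposite of last rule)"

# The poster's rules (manager/localhost lines omitted), with the CONNECT acl
# redefined to cover every method.
ORIGINAL = [("allow", "ACISNETWORK"), ("deny", "!Safe_ports"),
            ("deny", "CONNECT", "!SSL_ports"), ("deny", "ACISNETWORK"),
            ("deny", "all")]
ORIGINAL_CONNECT = {"GET", "POST", "HEAD", "CONNECT", "PUT", "DELETE"}

# The suggested rules: port checks before the network allow, CONNECT acl
# restricted to the CONNECT method again.
CORRECTED = [("deny", "CONNECT", "!SSL_ports"), ("deny", "!Safe_ports"),
             ("allow", "ACISNETWORK")]
CORRECTED_CONNECT = {"CONNECT"}

# Constructed sample requests; 192.0.2.7 stands in for a client outside the LAN.
SMTP_TUNNEL = {"src": "10.1.1.5", "method": "CONNECT", "port": 25}
LAN_GET = {"src": "10.1.1.5", "method": "GET", "port": 80}
OUTSIDE_GET = {"src": "192.0.2.7", "method": "GET", "port": 80}

def compare(req):
    """Decision of the original and the corrected rule set for one request."""
    return (http_access(ORIGINAL, req, ORIGINAL_CONNECT),
            http_access(CORRECTED, req, CORRECTED_CONNECT))
```

Run `compare(SMTP_TUNNEL)` to see the original set allow the tunnel on its first rule while the corrected set denies it; `compare(OUTSIDE_GET)` shows the original set denying a plain GET through the broadened CONNECT rule.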