On Sun, 6 Feb 2005 johnsuth@xxxxxxxxxxxxx wrote:
I can't speak for other people, but I am using Squid in conjunction with a deny by default firewall to limit access to the www. I see no rules in the standard http_access tag which limit access to destinations.
The last rule, "deny all" looks like it limits access to destinations, but a clever lawyer or computer programmer can deduce that "all" refers to clients, not destinations.
all is defined in your squid.conf. In each and every element in your http_access list is defined in your squid.conf.
The definition of "all" as shipped in the suggested default configuration we are talking about is to match all clients in the whole world.
acl all src 0.0.0.0/0
Getting back to the English (the docs may be different in other languages), you have not suggested why the word "deny" is used in your item 4 when the action is to allow all clients not previously denied.
Here is an exact copy of what the suggested http_access ruleset shipped with Squid looks like, since you seem to have troubled to look it up in squid.conf.default:
#Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt # to list your (internal) IP networks from where browsing should # be allowed #acl our_networks src 192.168.1.0/24 192.168.2.0/24 #http_access allow our_networks
# And finally deny all other access to this proxy http_access deny all
The definitions of each acl used is found in the section above and looks like:
#Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT
Assuming you follow the recommendations things will work exactly the way you ask.
If you decide on remaking the ruleset completely from scratch you must understand the implied inverse default etc, not to mention a good understanding of the top-down logics of http_access.
Regards Henrik
