On Mon, 7 Feb 2005 johnsuth@xxxxxxxxxxxxx wrote:
In Squid 2.5.s8_OS2_VAC my squid.conf included this example from FAQ 10.11:

    acl xxx dst 0.0.0.0/0.0.0.0
    http_access deny xxx

However, web pages not previously allowed in the sequence of rules were nevertheless allowed to be served from cache, contrary to my wishes.
I understand that if I accept free software, then I am a beta tester.
You are definitely not a beta tester by accepting to use free software.
If you accept to use snapshot or development versions then you are a beta tester.
I suppose the Squid community takes no responsibility for the integrity of any specific build of Squid.
The Squid developers take no responsibility for the suitability of Squid for any purpose, but neither do any of the commercial software providers ;-)
Seriously, we do take Squid very seriously.
    # TAG: http_access
    #Recommended minimum configuration:
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny to_localhost
    http_access allow government
    http_access allow education
    http_access allow google
    http_access allow acenet
    http_access allow localnet
    http_access deny ip
    http_access deny http
    http_access allow www

I would recommend that you read the "Squid FAQ 10.1 Access Controls - Introduction" for a description of how the http_access directive works.
The above http_access rule list is most certainly not what you intended as it allows:
- the whole world is given access to government, education, google and acenet via your proxy
- localnet access to anything
- everything else not listed above is denied access by the ip rule (i.e. the whole world except your localnet is denied to go to any sites not listed above)
- and the two last rules (http, www) can never be reached as the "deny ip" rule has already caught everything.

Regards
Henrik
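
A small model of the first-match evaluation described in the reply above, added here as an example; it is not part of the original message and is not Squid code. The ACL definitions (local network range, domain suffixes, safe ports, and `ip` being the `dst 0.0.0.0/0.0.0.0` ACL) are assumptions, since the post does not show the acl lines.

```python
import ipaddress

# The http_access list exactly as quoted in the message above.
RULES = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny to_localhost
http_access allow government
http_access allow education
http_access allow google
http_access allow acenet
http_access allow localnet
http_access deny ip
http_access deny http
http_access allow www""".splitlines()

LOCALNET = ipaddress.ip_network("192.168.0.0/16")  # ASSUMED local network

def acl_truth(src, host, port=80, proto="http"):
    """Evaluate every ACL for one request. All definitions are ASSUMED."""
    ip = ipaddress.ip_address(src)
    return {
        "manager": proto == "cache_object",
        "localhost": ip.is_loopback,
        "Safe_ports": port in (21, 80, 443),
        "to_localhost": host in ("localhost", "127.0.0.1"),
        "government": host.endswith(".gov.example"),
        "education": host.endswith(".edu.example"),
        "google": host.endswith("google.com"),
        "acenet": host.endswith("acenet.example"),
        "localnet": ip in LOCALNET,
        "ip": True,    # dst 0.0.0.0/0.0.0.0 matches every destination
        "http": proto == "http",
        "www": host.startswith("www."),
    }

def decide(src, host, **kw):
    """Return (action, deciding rule); the first fully matching line wins."""
    truth = acl_truth(src, host, **kw)
    for rule in RULES:
        _, action, *names = rule.split()
        # ACLs on one line are ANDed; a leading "!" negates the ACL.
        if all(truth[n.lstrip("!")] != n.startswith("!") for n in names):
            return action, rule
    # No line matched: Squid applies the opposite of the last line's action.
    last = RULES[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), None

if __name__ == "__main__":
    for src, host in [("203.0.113.9", "www.google.com"),    # constructed clients
                      ("203.0.113.9", "www.other.example"),
                      ("192.168.1.20", "www.other.example")]:
        print(src, host, "->", decide(src, host))
```

Running it shows the deciding line for each request, which makes it easy to see which rules can never be the deciding one.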