
AW: [squid-users] securise squid


Try something like this:

acl myclients src 10.1.3.0/255.255.255.0
acl myclients src 10.19.220.0/255.255.255.0
http_access deny !myclients


"myclients" are the allowed clients which may use the proxy.
Use these ACLs in front of all other ACLs.



Yours sincerely
Werner Rost
GMT-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Germany
Phone +49 228 3825 - 420
Fax +49 228 3825 - 398
werner.rost@xxxxxx


>-----Original Message-----
>From: deny1 [mailto:deny1@xxxxxxx]
>Sent: Wednesday, 16 March 2005 10:56
>To: squid-users@xxxxxxxxxxxxxxx
>Subject: [squid-users] securise squid
>
>
>Good morning
>
>A Nessus scan gives this about my Squid:
>Warning found on port squid-http (3128/tcp)
>
>
>   The misconfigured proxy accepts requests coming
>   from anywhere. This allows attackers to gain some anonymity when browsing
>   some sensitive sites using your proxy, making the remote sites think that
>   the requests come from your network.
>
>   Solution: Reconfigure the remote proxy so that it only accepts requests
>   coming from inside your network.
>
>
>I see squid.conf and find this:
>
>#Recommended minimum configuration:
>acl all src 0.0.0.0/0.0.0.0
>acl manager proto cache_object
>acl localdomain src 192.168.0.0/255.255.255.0
>acl to_localhost dst 127.0.0.0/8
>acl SSL_ports port 443 563
>acl Safe_ports port 80
>acl Safe_ports port 21
>acl Safe_ports port 443 563
>acl Safe_ports port 70
>acl Safe_ports port 210
>acl Safe_ports port 1025-65535
>acl Safe_ports port 280
>acl Safe_ports port 488
>acl Safe_ports port 591
>acl Safe_ports port 777
>acl CONNECT method CONNECT
>
>auth_param basic program /usr/lib/squid/ncsa_auth /usr/local/squid/users
>auth_param basic children 5
>auth_param basic realm Squid proxy-caching web server
>auth_param basic credentialsttl 24 hour
>
>acl eth0 src 192.168.0.0/255.255.255.0
>acl users proxy_auth REQUIRED
>
>http_access allow eth0 users
>
># Only allow cachemgr access from localhost
>http_access allow manager localdomain
>http_access allow localdomain
># Deny requests to unknown ports
>http_access deny manager
># Deny CONNECT to other than SSL ports
>http_access deny !Safe_ports
>http_access deny CONNECT !SSL_ports
>
>
>
>http_access deny to_localhost
>
>
>
>Other lines to add or uncomment to avoid this Nessus message? Thanks
>
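
Why the posted rule list answers an outside client, and what the `http_access deny !myclients` line from the reply changes, shown as an added example that is not part of the original thread. It is a simplified Python model of http_access matching (rules in order, first match wins, and if nothing matches the verdict is the opposite of the last rule); the ACL values are taken from the two messages and the sample requests are constructed.

```python
import ipaddress

# Simplified model of Squid http_access evaluation (illustrative, not Squid code).
def in_net(ip, *cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

ACLS = {
    "eth0":         lambda r: in_net(r["src"], "192.168.0.0/24"),
    "localdomain":  lambda r: in_net(r["src"], "192.168.0.0/24"),
    "myclients":    lambda r: in_net(r["src"], "10.1.3.0/24", "10.19.220.0/24"),
    "users":        lambda r: r["authenticated"],   # stands in for proxy_auth REQUIRED
    "manager":      lambda r: r["proto"] == "cache_object",
    "to_localhost": lambda r: in_net(r["dst"], "127.0.0.0/8"),
    "Safe_ports":   lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports":    lambda r: r["port"] in (443, 563),
    "CONNECT":      lambda r: r["method"] == "CONNECT",
}

# http_access lines in the order the original poster listed them.
POSTED = ["allow eth0 users", "allow manager localdomain", "allow localdomain",
          "deny manager", "deny !Safe_ports", "deny CONNECT !SSL_ports",
          "deny to_localhost"]
# Same list with the rule from the reply placed in front of all others.
FIXED = ["deny !myclients"] + POSTED

def acl_matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate

def http_access(rules, req):
    """Return 'allow' or 'deny' for req against a non-empty rule list."""
    for line in rules:
        action, *names = line.split()
        if all(acl_matches(n, req) for n in names):   # all ACLs on the line must match
            return action
    # No line matched: the default is the opposite of the last line.
    return "allow" if action == "deny" else "deny"

# Constructed sample requests (documentation address ranges for the outside hosts).
OUTSIDE = {"src": "203.0.113.5", "dst": "198.51.100.10", "port": 80,
           "method": "GET", "proto": "http", "authenticated": False}
INSIDE = dict(OUTSIDE, src="10.1.3.7")

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "outside:", http_access(rules, OUTSIDE),
              "inside:", http_access(rules, INSIDE))
```

In the posted list no line matches the outside client, so its "allow" comes from the fall-through default after the final `deny to_localhost`.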

