Hello Chris, Thursday, November 24, 2005, 1:44:34 AM, you wrote: > acl localhost src 127.0.0.1/255.255.255.255 192.168.1.0/255.255.255.255 CR> This is really stretching the definition of "localhost". I've changed the line to : acl localhost src 127.0.0.1/255.255.255.255 >> acl to_localhost dst 127.0.0.0/8 192.168.1.0/255.255.255.255 CR> Same here. Is there really a computer with an IP of 192.168.1.0? and here to acl to_localhost dst 127.0.0.0/8 My server IP is 192.168.1.1, so I thought, late at night, that... >> acl Safe_ports port 12000 #Webmin CR> This line is redundant. Port 12000 is already included in the range 1025-65535. I thought so too, so I removed it. >> acl webmin port 12000 >> acl SSL_ports port 12000 # voir ssl CR> I'd say one or the other, not both... I leave the first one. >> And my HTTP_ACCESS : >> >> http_access allow manager localhost >> http_access deny manager >> http_access allow purge localhost >> http_access deny purge >> >> http_access allow webmin CR> This will allow anyone (even people not on your network) to CR> connect to any server on port 12000 through your cache. CR> Considering that you are on a rfc1918 network, the risk is CR> reduced, but writing secure ACLs is a good habit. I changed the last line to : http_access allow webmin our_network >> http_access allow CONNECT webmin CR> I know I suggested a line similar to this (bad me). It will CR> allow connections (using the CONNECT method) from any client (even CR> not on your network) to any server port 12000 through your cache. Better would be... CR> http_access allow CONNECT webmin our_network CR> ...as that would at least limit the CONNECT method on port 12000 CR> to computers sourcing from your network. Changed it to your suggestion. >> 1132791052.505 11 192.168.1.10 TCP_MISS/200 2269 CONNECT >> 192.168.1.1:12000 - DIRECT/192.168.1.1 - >> 1132791052.584 10 192.168.1.10 TCP_MISS/200 2189 CONNECT >> 192.168.1.1:12000 - DIRECT/192.168.1.1 - CR> This indicates that the connection is proceeding properly. Note CR> the 200 after TCP_MISS? The TCP_MISS just indicates that the CR> connection was via TCP and the resultant data was not in the cache CR> (not a surprise, considering it's encrypted). >> When I open my browser, and I choose Webmin, I get the certificate >> window. Then the error Error - Access denied for 192.168.1.1 CR> Odd. Access denied? That's not shown in the log snippet you CR> have provided. Perhaps this is Webmin preventing access from your CR> cache's IP address. Or it's cached data in your browser... Try CR> clearing your browser cache (or using a different browser) and see if the result is the same. CR> Chris I emptied the cache of my browser, reloaded the configuration of Squid, and still have the same problem :( Error - Access denied for 192.168.1.1 for the browser and 1132858337.208 9 192.168.1.10 TCP_MISS/200 1850 CONNECT 192.168.1.1:12000 - DIRECT/192.168.1.1 - in access.log Here is the new ACLs and HTTP_ACCESS, so it's clearer :) acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl our_network src 192.168.1.0/25 acl SSL_ports port 443 563 # https, snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl webmin port 12000 acl purge method PURGE acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access allow webmin our_network http_access allow CONNECT webmin our_network http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow our_network http_access allow localhost http_access deny all Thanx for your help :) -- Best regards, LeKeiserAmen mailto: LeKeiser@xxxxxxxxxxxx
