Search squid archive

Re: ACLs and localhost

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



paul cooper wrote:
4 users , 1 machine, with squid running and a GUI



Im having problems getting the time-based ACLs sorted. To test it ive
added a sat/sun ACL which should allow access between 08:00 and 10:00



Your time ACL appears to be working. It's your usage of http_access thats screwing things up. Check the lines saying "request ALLOWED because it matched".


 Config 1

hepworth emma # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl weekends time SA 08:00-10:00
acl beforeschool  time MTWHF 07:30-09:00
acl afterschool  time  MTWHF 16:00-20:00
hepworth emma # cat /etc/squid/squid.conf |grep  ^http
http_port 3128
http_access allow emma weekends
	- fails on first test sequence
	- allow request on second sequence
http_access allow Safe_ports
	- allow request on first sequence
	- never reached on second
http_access allow andrew
	- never reached
http_access deny localhost
	- never reached
http_access deny all
	- never reached.


it asks me for a login (emma) and  then gives access

<snip>
2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'emma'

... bounce for login.

<snip>

2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED,
because it matched 'Safe_ports'

... bingo!



so i negate the time , and it still gives me access

hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma !weekends
http_access allow Safe_ports
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #
<snip>
2008/03/23 16:10:41| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'emma'

... bounce for login again.

<snip>
2008/03/23 16:10:47| The request GET http://grolma.no-ip.org/ is ALLOWED,
because it matched 'weekends'

... boing!
<snip>


so i try denying emma and it gives me access without asking for a username

hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow Safe_ports
	- accepts all port 80 requests.
http_access allow andrew
	- never reached
http_access deny localhost
	- never reached
http_access deny emma
	- never reached
http_access deny all
	- never reached
hepworth emma #

<snip>
2008/03/23 16:14:32| The request GET http://grolma.no-ip.org/ is ALLOWED,
because it matched 'Safe_ports'

.. bingo! on the first line.

<snip>


I think its giving me access from localhost.
Ive commented out  all the  default localhost configs and added http_acess
deny localhost but its not stopping it
How do i configure this ?



Drop the global access to Safe_ports. And I do mean GLOBAL. You have an open-proxy on your hands.

It's best to use:
	http_access deny !Safe_ports

to only use Safe_ports for blocking unsafe port usage.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux