Re: Squid as a non caching reverse proxy on Windows

Amos Jeffries wrote:
>> * To allow anyone in to view http from the internet:-
>> #http_access deny all
>> http_access allow all
>
> Eeek.  No, no, no.
>
> The config was clear. Set up an ACL listing the domains you are hosting.
> Permit access to just them, not the rest of the Internet via your proxy.
> The recommended config makes Squid act as a partial firewall for attack
> requests. With 'http_access allow all' your backend will be wide open to
> any faked domain lookup designed to hog resources and DoS you.

I've read this wrong then. With the config:-

http_access allow manager localhost
http_access allow localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localnet

# And finally deny all other access to this proxy
#http_access deny all
http_access allow all

cache_peer 127.0.0.2 parent 80 0 no-query originserver name=ApacheLocal
cache_peer 127.0.0.3 parent 80 0 no-query originserver name=IISLocal
cache_peer 127.0.0.4 parent 80 0 no-query originserver name=IISLocalBugs
cache_peer 192.168.1.100 parent 80 0 no-query originserver name=ApacheDebian

cache_peer_domain IISLocalBugs test.domain.com
cache_peer_domain ApacheDebian test2.domain.com

acl iis_bugs_sites dstdomain test.domain.com
acl apache_debian_sites dstdomain test2.domain.com

http_access allow iis_bugs_sites
http_access allow apache_debian_sites

cache_peer_access ApacheLocal deny all

cache_peer_access IISLocal deny all

cache_peer_access IISLocalBugs allow iis_bugs_sites
cache_peer_access IISLocalBugs deny all

cache_peer_access ApacheDebian allow apache_debian_sites
cache_peer_access ApacheDebian deny all


Hmmm... In writing this out I think I've figured the problem. The http_access deny all was above the later http_access allow for the domains. I'll test it out, but doing this post for posterity.


Lyle
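
The rule-ordering issue discussed in this message, as an added example that is not part of the original post or of Squid itself: a simplified Python model of how http_access lines are evaluated top to bottom with the first match deciding. It models only the `all` and dstdomain rules from the posted config (the localhost, manager and port rules are left out), treats dstdomain as an exact hostname match, and uses `unrelated.example` as a constructed hostname.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
ACLS = {  # ACL names and domains as they appear in the posted config
    "iis_bugs_sites": {"test.domain.com"},
    "apache_debian_sites": {"test2.domain.com"},
}

def acl_matches(name, host):
    """'all' matches every request; other ACLs are exact dstdomain sets here."""
    return name == "all" or host in ACLS[name]

def parse_rules(conf):
    """Turn 'http_access allow|deny acl...' lines into (action, [acl, ...])."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def http_access(conf, host):
    """Return 'allow' or 'deny' for a request whose destination domain is host."""
    rules = parse_rules(conf)
    for action, acls in rules:
        if all(acl_matches(a, host) for a in acls):  # ACLs on one line are ANDed
            return action                            # first matching line wins
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

CONFIGS = {
    # 'deny all' above the domain rules: the allow lines are never reached.
    "deny_first": "http_access deny all\nhttp_access allow iis_bugs_sites\n"
                  "http_access allow apache_debian_sites\n",
    # The workaround from the post: every destination passes http_access.
    "allow_all": "#http_access deny all\nhttp_access allow all\n"
                 "http_access allow iis_bugs_sites\n",
    # Hosted domains first, 'deny all' last: only the hosted domains pass.
    "domains_then_deny": "http_access allow iis_bugs_sites\n"
                         "http_access allow apache_debian_sites\nhttp_access deny all\n",
}
HOSTS = ["test.domain.com", "test2.domain.com", "unrelated.example"]

def compare():
    """Verdict for every sample host under every rule ordering."""
    return {n: {h: http_access(c, h) for h in HOSTS} for n, c in CONFIGS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```
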