Re: deny_info

On Mon, 9 May 2011 23:24:50 -0400, Carlos Manuel Trepeu Pupo wrote:
2011/5/9 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On Mon, 9 May 2011 13:07:50 -0400, Carlos Manuel Trepeu Pupo wrote:

Hi, I'm now using deny_info to personalize the error pages. I have
installed Squid 3.0 STABLE1 (I know it's an old version). Here is an

So why for the sake of 6 *major* security vulnerabilities did you do that?
http://www.squid-cache.org/Advisories

I'm making tests for all the new things I will implement, so when all works fine I'll make the change!!!

There is a deep problem with that approach... Squid changes over time. Both in capabilities and in problems present.

You are extremely likely to hit problems with 3.0.STABLE1 which were resolved years ago (these security vulnerabilities just being the worst nasty ones), and face completely new problems with the newer version. Please pick the version you are going to roll out and test for problems with *that* version.

If your testing and QA takes a long time, all the more reason to pick a very recent release when you start the process. It will age as you go, we are more likely to fix problems fast and sometimes can lend assistance to get it more stable by the time your testing completes. Saving you time spent "fixing" a problem only to be told it was fixed already in some version months ago.


example of my squid.conf:

acl ext url_regex -i \.exe$
acl ip src 192.168.10.10
acl max maxconn 1
http_access deny ip ext max
# I already created the page in the error pages directory.
deny_info ERR_EXT_PAGE max
http_access allow !maxconn

The problem is that the page it shows me is the default denied page and
not mine. What's wrong and how could I fix it?

Are you sure it's being denied by "deny ip ext max"?

Yes, that's the only http_access that works with this acl.

I mean, is the cache.log at level "debug_options 28,9" saying there was a match on that line? (It will also tell you what deny_info it loaded.)


I made a few tests and this is the result:

# THIS DOES NOT WORK
acl ext url_regex -i \.exe$
acl ip src 192.168.10.10
acl max maxconn 1
http_access deny ip ext max
# I already created the page in the error pages directory.
deny_info ERR_EXT_PAGE max
http_access allow !max

# THIS WORKS
acl ext url_regex -i \.exe$
acl ip src 192.168.10.10
acl max maxconn 1
http_access deny max
# I already created the page in the error pages directory.
deny_info ERR_EXT_PAGE max
http_access allow !max

The difference is that the "http_access deny" only has one argument,
my ACL, but if I combine it, then it does not show me the PAGE that I
created. Is there any way to solve that?

Either the test URL does not end with ".exe" or the IP address making TCP connection to Squid is not 192.168.10.10.

maxconn is linked to the individual IP making the request, so you don't have to specify that unless you want it to only limit certain sources.

Amos
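
A simplified model of how the two configurations in this thread are evaluated, added here as an example; it is not code from the thread or from Squid's source. It assumes Squid's documented behaviour that deny_info is selected by the last ACL on the matching deny line and that a request matching no http_access line gets the opposite of the last line's action; the function names and request values are constructed.

```python
# Simplified model of Squid http_access evaluation for the thread's two configs.
# Added example: not Squid source code; request values below are constructed.
import re

def acl_results(req):
    """Evaluate the three ACLs from the thread against one request."""
    return {
        "ext": re.search(r"\.exe$", req["url"], re.I) is not None,  # url_regex -i \.exe$
        "ip": req["src"] == "192.168.10.10",                        # src 192.168.10.10
        "max": req["conns"] > 1,                                    # maxconn 1
    }

def evaluate(rules, deny_info, req):
    """Return (action, error_page) the way this model resolves http_access."""
    acls = acl_results(req)
    for action, names in rules:
        # All ACLs on a line are ANDed; a leading "!" negates one ACL.
        if all(acls[n.lstrip("!")] != n.startswith("!") for n in names):
            if action == "allow":
                return "allow", None
            # The custom page is looked up by the last ACL on the matching line.
            return "deny", deny_info.get(names[-1].lstrip("!"), "ERR_ACCESS_DENIED")
    # No line matched: the opposite of the last line's action applies, and
    # an implicit deny has no deny_info ACL, so the default page is served.
    if rules[-1][0] == "allow":
        return "deny", "ERR_ACCESS_DENIED"
    return "allow", None

DENY_INFO = {"max": "ERR_EXT_PAGE"}
COMBINED = [("deny", ["ip", "ext", "max"]), ("allow", ["!max"])]  # config reported as failing
SINGLE = [("deny", ["max"]), ("allow", ["!max"])]                 # config reported as working

# Constructed requests, each from a client already over the maxconn limit.
REQUESTS = {
    "listed IP, .exe URL": {"src": "192.168.10.10", "url": "http://example.com/a.exe", "conns": 2},
    "other IP, .exe URL": {"src": "192.168.10.11", "url": "http://example.com/a.exe", "conns": 2},
    "listed IP, query string": {"src": "192.168.10.10", "url": "http://example.com/a.exe?v=1", "conns": 2},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(label, "| combined:", evaluate(COMBINED, DENY_INFO, req),
              "| single:", evaluate(SINGLE, DENY_INFO, req))
```

In the combined configuration, a request that is over the connection limit but fails the `ip` or `ext` test skips the deny line, also fails `allow !max`, and is refused by the implicit rule with the default page.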

