On 09/06/11 23:11, kkk kkk wrote:
> Hi everyone,
> I'm running Squid 3.1 in Interception mode that is set to intercept
> traffic to a list of 10 websites.
> One security concern I have is that anyone in my ACL can enter my
> proxy IP and port in their browser and use it as a regular proxy.
> Is there a way to disable this access? If I can disable this access,
You fail to say which NAT infrastructure is being used to intercept.
The Linux intercept examples have been updated to include rules in the
"mangle" netfilter table which provide this protection.
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
If you are using some other form of NAT, nobody has (yet) provided any
extra details about solving this problem.
> no one can abuse my service because I can control what dstDomains will
> use my proxy.
Your configuration displays that this claim is probably false. See below.
> This is my current setup:
> acl allowed_IP src IP
> http_access allow allowed_IP
Anyone in the allowed_IP list can do anything they like regardless of
domain.
> http_access deny all
> Only domains I want to allow access to:
> acl allowed_domains dstdomain
> If it's not theoretically possible, how can I write an ACL combo that
> only allows "allowed_ip" to access "allowed_domains" instead of
> accessing everything once it's allowed?
Access controls in Squid are a complete boolean logic language. Anything
that can be described in if-else form can be configured.
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2
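Added example (not from the original poster or the Squid project) of the ACL combination the question asks for, showing the posted allow line beside the corrected one. The source network, the domain names and the port number are placeholders I have assumed; the one Squid rule it relies on is that all terms on a single http_access line are ANDed, which is what lets the dstdomain ACL constrain the src ACL.

```conf
# Added example; addresses, domains and port are assumed placeholders.

# Squid 3.1 intercept port (the option is "intercept" in 3.1).
http_port 3129 intercept

acl allowed_IP src 192.0.2.0/24
acl allowed_domains dstdomain .example.com .example.net

# WEAK (the posted setup): the allow line carries a single condition, so
# any client in allowed_IP may fetch any destination at all, including by
# pointing a browser straight at the proxy address and port.
#
#   http_access allow allowed_IP
#   http_access deny all

# CORRECTED: terms on one http_access line are ANDed. A request is
# allowed only if it comes from allowed_IP AND is for one of the listed
# domains (the leading dot also matches their subdomains). Anything else,
# from any source, falls through to the final deny.
http_access allow allowed_IP allowed_domains
http_access deny all
```

This only constrains what the proxy will serve; it does not stop a client from opening a connection directly to the intercept port. For that, pair it with the netfilter side described in the LinuxDnat/LinuxRedirect wiki pages linked above, which (as I read them) add a mangle-table PREROUTING rule dropping packets addressed directly to the intercept port, so that only traffic rewritten by the DNAT/REDIRECT rule ever reaches Squid there. Check the resulting policy with squid -k parse and a request from an allowed address to a domain outside allowed_domains, which should now get a 403.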