Search squid archive

Re: How to disable Regular Proxy Access under Interception Mode?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/06/11 23:11, kkk kkk wrote:
Hi everyone,

I'm running Squid 3.1 in Interception mode that is set to intercept
traffic to a list of 10 websites.
One security concern I have is that anyone in my ACL can enter my
proxy IP and port in their browser and use it as a regular proxy.

Is there a way to disable this access? If I can disable this access,

You fail to say which NAT infrastructure is being used to intercept.

The Linux intercept examples have been updated to include rules in the "mangle" netfilter table which provide this protection.
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

If you are using some other form of NAT, nobody has (yet) provided any extra details about solving this problem.

no one can abuse my service because I can control what dstDomains will
use my proxy.

Your configuration displays that this claim is probably false. see below.


This is my current setup:

acl allowed_IP src IP
http_access allow allowed_IP

Anyone in the allowed_IP list can do anything they like regardless of domain.

http_access deny all


Only Domains want to allow access:
acl allowed_domains dstdomain


If it's not theoretical possible, how can I write an ACL combo that
only allow "allowed_ip" to access "allowed_domains" instead of
accessing everything once it's allowed?

Access controls in Squid are complete boolean logic language. Anything that can be described in if-else form can be configured.
  http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.8 and 3.1.12.2


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux