Re: limiting connection not working 3.1.4

On 6/12/2011 11:04 p.m., J. Webster wrote:
>>> http_access deny manager
>>> http_access allow ncsa_users
>>
>> So all logged in users have unlimited access?
>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access deny to_localhost
>>> http_access deny maxuser
>>
>> These deny rules are placed below the allow rule letting ALL logged in
>> users through.
>> This means that for all machines on the Internet which can supply one
>> of your users' insecure plain-text logins:
>> * the safe_ports rule preventing viral and P2P abuse relaying through
>>   Squid has no effect
>> * the CONNECT rule preventing blind binary tunneling of data to any
>>   protocol port through Squid has no effect.
>> * your maxuser policy has no effect.
>
> So, I should apply the deny rules above the allow ncsa_users line?
> eg
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny maxuser
> http_access deny manager
> http_access allow ncsa_users

Yes.

Although in the case of maxuser, that needs auth credentials to operate.
It may trigger auth itself, but if not make that line "deny ncsa_users maxuser".

>>> http_access allow localhost
>>> http_access deny all
>>> icp_access allow all
>>> http_port 8080
>>> http_port xx.xx.xx.xx:80
>>
>> And what are you expecting to arrive over port 80?
>> That port is reserved for reverse-proxy and origin server traffic.
>
> I have squid listening on port 80 and 8080 because some clients cannot connect on port 8080

Ah, okay fair enough.

>>> visible_hostname MyNameProxyServer
>>
>> Funny domain name. I hope that is obfuscated for the post not in the
>> config.
>> This is the domain name used in URLs your clients get told to use for
>> Squid error and FTP page icons. If it does not resolve back to this or
>> another Squid your clients will be facing page load problems on those
>> generated responses.
>
> I thought this was just the name presented to the users when they logged on.
> If it is meant to be a domain name should it be:
> visible_hostname www.mynameproxyserver.com
> ?

Yes it is used in URLs.

Ideally Squid will auto-detect the box's FQDN hostname and you don't need to set it explicitly. But Squid will do DNS verification that the apparent hostname resolves before using it. So if the hostname has no DNS entry it needs setting.

Amos
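
The rule-ordering point in this thread, as an added example that is not part of the original messages: a small Python model of Squid's first-match http_access evaluation, run over the original rule order and the order agreed on above. The acl definitions, the sample requests, and the `over_limit` field standing in for maxuser are constructed assumptions, since the thread does not show them.

```python
# Added model of Squid's first-match http_access evaluation (not from the thread).
ORIGINAL = """\
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all"""
_l = ORIGINAL.splitlines()
# Order proposed in the thread: the four deny rules move above manager/ncsa_users.
REORDERED = "\n".join(_l[2:6] + _l[0:2] + _l[6:])

# Constructed stand-ins for the acl definitions, which the thread does not show.
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "ncsa_users": lambda r: r["user"] is not None,  # real Squid would challenge (407)
    "Safe_ports": lambda r: r["port"] in (21, 80, 443) or r["port"] >= 1025,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "to_localhost": lambda r: r["dst"].startswith("127."),
    "maxuser": lambda r: r["over_limit"],  # assumed: user exceeded a connection limit
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "all": lambda r: True,
}

def decide(config, req):
    """Return (action, rule) of the first rule whose ACLs (ANDed, '!' negates) all match."""
    for line in config.splitlines():
        _, action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    raise ValueError("no rule matched")  # unreachable: both lists end in 'deny all'

BASE = dict(user="alice", method="GET", port=80, proto="http",
            dst="203.0.113.10", src="198.51.100.7", over_limit=False)
SAMPLES = {  # constructed requests; from a logged-in user unless noted
    "unsafe port": {**BASE, "port": 25},
    "CONNECT to non-SSL port": {**BASE, "method": "CONNECT", "port": 8443},
    "loopback destination": {**BASE, "dst": "127.0.0.1", "port": 8080},
    "over maxuser limit": {**BASE, "over_limit": True},
    "normal browsing": dict(BASE),
    "no credentials": {**BASE, "user": None},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:24} {decide(ORIGINAL, req)[0]:5} -> {decide(REORDERED, req)[0]}")
```

With the original order every request carrying valid credentials stops at `allow ncsa_users`, so the four deny rules below it are never consulted; after reordering, only the ordinary browsing request reaches that allow line.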

