On 21.05.2012 15:19, Ali Esf wrote:
> Hello dear Amos,
> According to your reply to my last email, I changed the configuration
> of the squid to the following:
> We need authentication only by user name/password over WAN and do not
> need any proxy access from LAN.
> Is it a good configuration?
That is okay. I was just checking you were aware of and wanted it.
The new config you show seems to have dropped that policy and moved to
authenticating everyone.
The problem was with the "allow all" at the end of the http_access
config. You fixed that now.
NOTE: You dropped the CONNECT safety rule.
> What do you mean by this statement?
> Is it possible to explain it?
The default config supplies a line, which you are still missing from
your config:
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_Ports
What that does is prevent clients pushing anonymous binary tunnels
through your Squid to any port they want.
Allowing CONNECT tunnels is a major problem, since it does not have to
be done with your clients' knowledge. It is very much the same as
configuring your network's border firewall with "Allow all". It can be
abused by malware installed on the client machines or even just a
malicious JavaScript running in a web advert.
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow user_pass_auth
> http_access deny all
> access_log none
> cache_store_log none
> cache_log /dev/null
This is not good. Squid requires a cache_log file for critical error
messages.
If you can, run squid as "debug_options ALL,1" and fix the warnings so
there are no messages. Warnings at level 1 are problems which affect the
client experience in a bad way, but do not cause fatal problems to
Squid.
Or set "debug_options ALL,0" to limit Squid to only producing critical
errors. The messages appearing at level 0 once Squid is operating are
often the only sign you have about why squid is crashing. They *need* to
be fixed, ASAP.
Amos
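As an added illustration (not part of Amos's reply and not Squid's own code): a small Python model of Squid's first-match http_access evaluation, run over the poster's http_access block with and without the "deny CONNECT !SSL_Ports" line. It assumes the stock squid.conf port lists for Safe_ports and SSL_ports, treats the poster's user_pass_auth ACL as a plain "authenticated" flag, and uses constructed sample requests; the 8080 destination is an arbitrary non-443 port from the default Safe_ports range.

```python
"""Toy first-match model of Squid http_access evaluation (constructed example,
not Squid's code). Shows what restoring the CONNECT safety rule changes."""
from dataclasses import dataclass

# Port lists as in the stock squid.conf "acl Safe_ports port ..." and
# "acl SSL_ports port 443" lines (assumption: the poster kept the defaults).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass
class Request:
    method: str             # e.g. "GET" or "CONNECT"
    port: int               # destination port of the request
    authenticated: bool     # would the user_pass_auth ACL match?
    from_localhost: bool = False
    cache_manager: bool = False


def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL name against a request; a leading '!' negates it."""
    if name.startswith("!"):
        return not acl_matches(name[1:], req)
    table = {
        "all": True,
        "Safe_ports": req.port in SAFE_PORTS,
        "SSL_Ports": req.port in SSL_PORTS,   # spelling used in the thread
        "SSL_ports": req.port in SSL_PORTS,   # spelling used in stock squid.conf
        "CONNECT": req.method == "CONNECT",
        "user_pass_auth": req.authenticated,  # the poster's auth ACL, modelled as a flag
        "localhost": req.from_localhost,
        "manager": req.cache_manager,
    }
    return table[name]


def parse_http_access(config_text: str) -> list:
    """Pull the http_access lines out of a squid.conf fragment, ignoring comments."""
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("http_access"):
            _, action, *acls = line.split()
            rules.append((action, acls))
    return rules


def decide(config_text: str, req: Request) -> str:
    """First matching rule wins (every ACL on the line must match).
    If nothing matches, Squid applies the opposite of the last rule's action."""
    rules = parse_http_access(config_text)
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's http_access block, with the CONNECT rule missing.
POSTED = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow user_pass_auth
http_access deny all
"""

# The same block with the default CONNECT safety rule restored, placed
# before the authentication allow so it is evaluated first.
FIXED = POSTED.replace(
    "http_access deny !Safe_ports\n",
    "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_Ports\n",
)

if __name__ == "__main__":
    tunnel = Request("CONNECT", 8080, authenticated=True)  # constructed request
    print("CONNECT to 8080, posted config:", decide(POSTED, tunnel))  # allow
    print("CONNECT to 8080, fixed config: ", decide(FIXED, tunnel))   # deny
    print("CONNECT to 443, fixed config:  ", decide(FIXED, Request("CONNECT", 443, True)))  # allow
```

The point the model makes visible is ordering: because "allow user_pass_auth" matches any authenticated request regardless of method or port, every rule meant to restrict what authenticated users may do (the Safe_ports and CONNECT denies) has to sit above it, exactly where the stock squid.conf puts them.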