On 15.10.2014 08:13, Amos Jeffries wrote:
And the key difference in these configs is not the ACL contents, but the ordering in which they are matched.

Mirzas' config starts by telling Squid everything on the LAN/localnet is allowed. Ok, fine, Squid will do that.

Walter's config will tell Squid a limited set of things to allow, then some things to deny, then implicitly allow everything else [1][2].

Whichever rule actually matches the FB requests will be applied by Squid; with a limited set of initial allow/bypass, the likelihood that a deny following will match is higher.

[1] This is not a great situation, because any remote attack which can figure out a way past your regex ACLs can use the proxy for whatever they please [2].

[2] I hope you just omitted the localnet ACL checks which should follow the ones you showed.

Amos

Yes, I omitted this:

    acl localnet src 192.168.0.0/16

on top of squid.conf and

    http_access allow localnet
    http_access allow localhost

below the listed ACL rules.

Walter
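
The rule ordering discussed in this thread, as an added example that is not part of any of the original messages: a small Python model of first-match `http_access` evaluation. The regex ACLs, hostnames and client addresses are constructed for illustration; only the `localnet` range and the `allow localnet` / `allow localhost` lines come from the thread, and the implicit default is modelled as the opposite of the last rule, as Squid documents it.

```python
import ipaddress
import re

# Constructed ACLs; only the localnet range is taken from the thread.
LOCALNET = ipaddress.ip_network("192.168.0.0/16")
ACLS = {
    "localnet": lambda src, host: ipaddress.ip_address(src) in LOCALNET,
    "localhost": lambda src, host: ipaddress.ip_address(src).is_loopback,
    # Hypothetical regex ACLs standing in for the ones not shown on the page.
    "fb": lambda src, host: bool(re.search(r"(^|\.)facebook\.com$", host)),
    "work_sites": lambda src, host: bool(re.search(r"(^|\.)example\.org$", host)),
}

def http_access(rules, src, host):
    """Evaluate rules top to bottom; the first matching rule decides.

    If nothing matches, the result is the opposite of the last rule's action.
    """
    for action, acl in rules:
        if ACLS[acl](src, host):
            return action, f"{action} {acl}"
    implicit = "allow" if rules[-1][0] == "deny" else "deny"
    return implicit, "implicit default"

# Ordering 1: localnet allowed first, so the later deny is never reached.
ALLOW_FIRST = [("allow", "localnet"), ("deny", "fb")]

# Ordering 2: limited allows, then denies. Ending on a deny means every
# request that matches nothing is implicitly allowed, from any source.
DENY_LAST = [("allow", "work_sites"), ("deny", "fb")]

# Ordering 3: as ordering 2, followed by the localnet/localhost allows.
# The list now ends on an allow, so unmatched requests are denied.
WITH_LOCALNET = DENY_LAST + [("allow", "localnet"), ("allow", "localhost")]

if __name__ == "__main__":
    lan, outside = "192.168.1.10", "203.0.113.5"  # constructed client addresses
    for name, rules in [("ALLOW_FIRST", ALLOW_FIRST),
                        ("DENY_LAST", DENY_LAST),
                        ("WITH_LOCALNET", WITH_LOCALNET)]:
        print(name)
        print("  LAN client -> www.facebook.com:",
              http_access(rules, lan, "www.facebook.com"))
        print("  outside client -> www.example.net:",
              http_access(rules, outside, "www.example.net"))
```
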