On 30/01/2015 2:49 a.m., Rich549 wrote:
> Yuri Voinov wrote
>> And your access rules look skew:
>>
>> http_access deny BlacklistedSites StoresAllow
>> http_access allow OK_Unauthenticated
>> http_access allow StaticIPWhitelist
>> http_access allow InetAllow
>> http_access allow StoresAllow

NP: He has the above rules instead of a localnet access permission. The worst part though is that since the above does not deny invalid user credentials, the following two lines...

>> http_access allow ftp
>> http_access allow CONNECT Safe_ports

... effectively make the proxy an open relay for any type of abuse anybody on the Internet wants to spew through it.

>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports

The above basic security checks are shuffled down here almost to the end, which makes them almost ineffective...

>> http_access deny all

... then a "deny all" which makes the security checks not only ineffective but do nothing that would not have happened anyway. i.e. useless.

>> http_reply_access allow all
>>
>> Where is allow rule for internal networks?
>>
>> Something like:
>>
>> http_access allow localnet
>>
>> ?
>
> We can access all of our local sites ok, is this required?

I reckon it's a close call as to whether I could as well, using your proxy. It just hinges on whether a TCP connection can be made from outside your network to your Squid listening port.

To avoid that risk, order your http_access rules like this:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BlacklistedSites StoresAllow
http_access allow OK_Unauthenticated
http_access allow StaticIPWhitelist
acl login proxy_auth REQUIRED
http_access deny !login
http_access allow InetAllow
http_access allow StoresAllow
http_access allow localhost manager
http_access deny all

Notice particularly how I moved the basic security checks up top again, and erased the "allow ftp" and "allow CONNECT" lines.

The extra auth check is to catch and reject invalid login attempts quickly without involving the external ACL helpers. It also helps with some external ACL bugs we have seen in some of the older versions.

If you encounter problems with people making legitimate CONNECT requests to services with ports other than 443, please fix that by just adding the ports to the SSL_ports ACL instead of moving the CONNECT security rule around. That way they are still controlled by your auth, whitelist, and blacklist policies.

> Any ideas about my original problem too? Or would updating to the latest
> version be the fix for that?

The current releases are faster, and they also have fixed a bug in the handling of CONNECT requests which is triggered by modern web protocols like HTTP/2, SPDY, and Websockets, any one of which the websites you listed may be attempting to use, failing on a timeout before getting through with HTTP/1.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
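As an added illustration (not part of the thread or of Squid itself), a small Python model of Squid's first-match http_access evaluation, run over both rule orders above. The ACL definitions (Safe_ports, the whitelist domains, the auth-backed InetAllow/StoresAllow, the 203.0.113.7 outside client) are constructed stand-ins, not the poster's real lists.

```python
# Added example: toy model of Squid's first-match http_access evaluation,
# showing why the original order lets an unauthenticated outside client
# relay CONNECT requests while the reordered list denies it. All ACL
# contents below are constructed stand-ins, not a real squid.conf.
from collections import namedtuple

Request = namedtuple("Request", "src method port host authenticated", defaults=("", False))
SAFE_PORTS = {21, 80, 443, 1025}  # constructed subset of a typical Safe_ports list
SSL_PORTS = {443}

# Each named ACL becomes a predicate over the request (hypothetical definitions).
ACLS = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "ftp": lambda r: r.method == "FTP",
    "localhost": lambda r: r.src == "127.0.0.1",
    "manager": lambda r: r.host == "cache_object",
    "login": lambda r: r.authenticated,
    "InetAllow": lambda r: r.authenticated,  # auth-backed external ACL: never matches anonymous
    "StoresAllow": lambda r: r.authenticated and r.host.endswith(".stores.example"),
    "BlacklistedSites": lambda r: r.host.endswith(".blocked.example"),
    "OK_Unauthenticated": lambda r: r.host.endswith(".updates.example"),
    "StaticIPWhitelist": lambda r: r.src.startswith("10.1.1."),
}

def acl_matches(term, req):
    """Evaluate one ACL term, honouring Squid's '!' negation."""
    return not ACLS[term[1:]](req) if term.startswith("!") else ACLS[term](req)

def http_access(rules, req):
    """Squid semantics: the first line whose ACL terms all match decides."""
    for action, *terms in rules:
        if all(acl_matches(t, req) for t in terms):
            return action
    return "deny"  # only reached if a list lacks a final 'deny all'

ORIGINAL = [("deny", "BlacklistedSites", "StoresAllow"), ("allow", "OK_Unauthenticated"),
            ("allow", "StaticIPWhitelist"), ("allow", "InetAllow"), ("allow", "StoresAllow"),
            ("allow", "ftp"), ("allow", "CONNECT", "Safe_ports"),
            ("allow", "manager", "localhost"), ("deny", "manager"), ("deny", "!Safe_ports"),
            ("deny", "CONNECT", "!SSL_ports"), ("deny", "all")]
REORDERED = [("deny", "!Safe_ports"), ("deny", "CONNECT", "!SSL_ports"),
             ("deny", "BlacklistedSites", "StoresAllow"), ("allow", "OK_Unauthenticated"),
             ("allow", "StaticIPWhitelist"), ("deny", "!login"), ("allow", "InetAllow"),
             ("allow", "StoresAllow"), ("allow", "localhost", "manager"), ("deny", "all")]

# Constructed: an Internet host with no proxy credentials tunnelling to port 443.
OUTSIDER = Request(src="203.0.113.7", method="CONNECT", port=443, host="www.example.net")
```

With the original order the outsider's CONNECT reaches "allow CONNECT Safe_ports" and is relayed; with the reordered list it is stopped at "deny !login" (or, for a non-443 port, at "deny CONNECT !SSL_ports") before any auth helper is consulted.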