Re: ACL why does this not work?

On 05/01/2015 01:25 AM, Amos Jeffries wrote:
On 1/05/2015 11:56 a.m., Yan Seiner wrote:
I am trying to prevent squid from proxying to an authorized subnet.

I want to write a set of acl rules that say that if a request does not
come from the authorized subnet then it should not be allowed to connect
to the authorized web server.

acl auth_net src 192.168.4.0/24
acl auth dst 192.168.4.1
http_access deny !auth_net auth

AFAICT something like the above should work but it doesn't.  squid
proxies requests from anywhere on the network to the authorized
webserver, getting right around the firewall.

Any suggestions on how to make this work?
You either got the order wrong
(<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>) or the DNS
results are not what you think they are.

We can't really say without knowing what your whole config is.

Amos

Hi Amos:

Here's my config; it's pretty basic.

I have 4 subnets: dmz, auth, guest, and tenant. Only the auth subnet should be allowed access to the webserver on 192.168.4.1. The web server does not listen on any of the other subnets.

cache_mem 3072 MB

acl dmz_net src 192.168.3.0/24
acl auth_net src 192.168.4.0/24
acl guest_net src 192.168.5.0/24
acl tenant_net src 192.168.6.0/24

acl dmz dst 192.168.3.1
acl auth dst 192.168.4.1
acl guest dst 192.168.5.1
acl tenant dst 192.168.6.1

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl ssl_ports port 443

acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1025-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl connect method connect

http_access deny !auth_net auth

http_access deny !safe_ports
http_access deny connect !ssl_ports

http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log none
cache_log /dev/null
cache_store_log /dev/null
logfile_rotate 0

logfile_daemon /dev/null

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
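The two causes Amos names, rule order and the DNS result behind a `dst` ACL, can be reproduced without a running Squid. The Python model below is an added example, not Squid's code and not from either poster: it implements the documented first-match semantics of `http_access` (every term on a line must match, `!` negates a term, the first line that fires decides, and if no line fires the result is the opposite of the last line's action) on top of a hand-built resolver table, then replays the posted ACLs both in the posted order and in the mis-ordered form the OrderIsImportant FAQ warns about. The host names `intranet.example` and `www.example`, their addresses, and the sample client addresses are constructed for the example and describe no real network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the resolver: name -> addresses. Not real hosts.
DNS = {
    "intranet.example": ["192.168.4.1"],   # a name that does point at the auth web server
    "www.example": ["203.0.113.10"],       # a name that does not
}


@dataclass
class Request:
    src: str      # client address
    host: str     # host part of the URL (name or literal address)
    port: int
    method: str


def resolve(host):
    """Literal addresses match directly; names go through the table (empty if unknown)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return DNS.get(host, [])


# ACL table: name -> (type, values). Same names as the posted squid.conf; 'all' is src 0/0.
ACLS = {}


def acl(name, typ, *values):
    ACLS.setdefault(name, (typ, []))[1].extend(values)


def acl_matches(name, req):
    typ, values = ACLS[name]
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "dst":
        # dst compares every address the host resolves to; an unresolvable name never matches
        ips = [ipaddress.ip_address(a) for a in resolve(req.host)]
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
        return any(ip in n for ip in ips for n in nets)
    if typ == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if typ == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError("unsupported acl type " + typ)


def http_access(rules, req):
    """First match wins: a line fires when all of its terms match (a '!' term matches
    when its ACL does not); if no line fires, the result is the opposite of the last line."""
    for action, *terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


# The ACLs from the posted config that the access lines below use
acl("auth_net", "src", "192.168.4.0/24")
acl("auth", "dst", "192.168.4.1")
acl("localnet", "src", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")
acl("ssl_ports", "port", "443")
acl("safe_ports", "port", "80", "21", "443", "70", "210", "1025-65535", "280", "488", "591", "777")
acl("connect", "method", "connect")
acl("all", "src", "0.0.0.0/0", "::/0")

# Order as posted: the subnet restriction is evaluated before 'allow localnet'
POSTED_ORDER = [
    ("deny", "!auth_net", "auth"),
    ("deny", "!safe_ports"),
    ("deny", "connect", "!ssl_ports"),
    ("allow", "localnet"),
    ("deny", "all"),
]

# The ordering mistake the FAQ warns about: 'allow localnet' matches every RFC 1918 client
# first, so the restriction line below it is never reached
WRONG_ORDER = [
    ("deny", "!safe_ports"),
    ("deny", "connect", "!ssl_ports"),
    ("allow", "localnet"),
    ("deny", "!auth_net", "auth"),
    ("deny", "all"),
]

if __name__ == "__main__":
    guest = Request("192.168.5.20", "192.168.4.1", 80, "GET")
    for label, rules in (("posted order", POSTED_ORDER), ("wrong order", WRONG_ORDER)):
        print(f"{label}: guest -> 192.168.4.1 = {http_access(rules, guest)}")
    # DNS hypothesis: dst only matches what the requested host actually resolves to
    for host in ("intranet.example", "www.example", "unknown.example"):
        req = Request("192.168.5.20", host, 80, "GET")
        print(f"posted order: guest -> {host} = {http_access(POSTED_ORDER, req)}")
```

Running it shows the posted order denying a guest-subnet client that asks for 192.168.4.1 by address or by a name resolving to it, the mis-ordered list letting the same request through, and a name that resolves elsewhere (or does not resolve at all) never matching `dst 192.168.4.1`, which is the case to check in the real deployment with `squidclient` or the `dns_nameservers` the proxy actually uses.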