On 22/05/2015 10:35 p.m., Silvio Siefke wrote:
> On Fri, 22 May 2015 15:39:19 +1200 Amos Jeffries wrote:
>
>> I don't know why you should have to. ziproxy should be perfectly
>> capable of contacting Internet services to respond to the requests
>> sent from Squid.
>
> Yes it works but I'm not sure is right, when NextProxy in ziproxy.conf
> is not set. When saw the log all work, but in all tutorials which read
> they say ziproxy.conf need set NextProxy="127.0.0.1" for "routing" back
> to squid. But so it work all without NextProxy. What is now correct?
>

Without NextProxy is correct if ziproxy is on the "outside" of Squid.
Like so:

  client -> Squid -> ziproxy -> Internet

If you set ziproxy to pass *requests* to Squid, the traffic will enter a
loop:

  client -> Squid -> ziproxy -> Squid -> ziproxy -> ...

Via header would have protected against that loop by aborting the
traffic. But you disabled via. So the only thing preventing your setup
DoS'ing itself by consuming all available TCP ports on the machine is
that login popup. Ouch.

>
>> I am not quite understanding what you are talking about auth for. So
>> can't answer that question. Hopefully the above answer is enough to
>> solve your problem though.
>
> Squid use auth for connecting with it, when I have activated NextProxy in
> ziproxy.conf then Browser ask and ask for login stuff. When not activated
> NextProxy in ziproxy.conf then one time come login window and after login
> all work. But what is now right, set NextProxy or not. But self when set
> NextProxy in ziproxy.conf then squid can not ask for login to ziproxy, cause
> localhost has free traffic or not?

In your squid.conf all traffic requires authenticating. Nothing is
allowed through without it. Although anything from localhost is allowed
to send wrong credentials and get through :-( .

Your rules:
>
> # http access
> http_access allow checkpw all
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny ads
> http_access deny all

 - "deny ads" is not useful like this, anything getting to that check
   will also be blocked by the "deny all" which follows it and is a
   faster check.

 - also missing the basic HTTP abuse and DoS security protections.

To let localhost I would write them like this:

  # basic security protections.
  # To let special ports through; check carefully it's not abuse
  # then adjust Safe_ports and SSL_ports appropriately
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_Ports

  # To use the deny ads ACL it would go here in the ordering,
  # before the allow rules.
  http_access deny ads

  # localhost does not require authentication
  http_access allow localhost

  # manager access only permitted from localhost
  http_access deny !localhost manager

  # anyone with valid auth credentials is allowed
  http_access allow checkpw

  http_access deny all

You will need to re-add the CONNECT, Safe_ports and SSL_Ports ACL
definitions from the default config.

You don't really need to exempt localhost from authentication. But that
is your choice.

Amos
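
The point above about where "deny ads" sits in the ordering can be checked mechanically. The Python sketch below is an added example, not part of the original message and not Squid code: it models http_access as first-match with the ACLs on a line ANDed, treats every ACL as an independent true/false fact, does not model authentication challenges, and its function names are hypothetical.

```python
from itertools import product
# Added example: rule lists copied from the message, helper names hypothetical.
ORIGINAL = """
http_access allow checkpw all
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny ads
http_access deny all
"""
REWRITTEN = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access deny ads
http_access allow localhost
http_access deny !localhost manager
http_access allow checkpw
http_access deny all
"""

def parse(text):
    """Turn http_access lines into [(action, [(acl_name, negated), ...]), ...]."""
    rules = []
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if words[:1] == ["http_access"]:
            acls = [(w.lstrip("!"), w.startswith("!")) for w in words[2:]]
            rules.append((words[1], acls))
    return rules

def decide(rules, facts):
    """First line whose ACLs all match wins; ACLs on one line are ANDed."""
    for action, acls in rules:
        if all((name == "all" or facts[name]) != neg for name, neg in acls):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

def effect_of(rules, index):
    """ACL combinations for which deleting rules[index] changes the decision."""
    names = sorted({n for _, acls in rules for n, _ in acls} - {"all"})
    without = rules[:index] + rules[index + 1:]
    worlds = (dict(zip(names, b)) for b in product([False, True], repeat=len(names)))
    return [w for w in worlds if decide(rules, w) != decide(without, w)]

def deny_ads_effect(text):
    """Modelled requests whose outcome depends on the 'deny ads' line."""
    rules = parse(text)
    return effect_of(rules, rules.index(("deny", [("ads", False)])))
```

An empty result for the original list means the "deny ads" line never decides a request there; in the reordered list it decides 15 of the 128 modelled ACL combinations.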