Re: client-->iptables-->squid-proxy->another-proxy

On 20/08/17 14:38, Diogenes S. Jesus wrote:
> * squid.conf:
> -----------------------
> acl localhost src 127.0.0.0/8
> acl localnet src 192.168.100.0/24 192.168.101.0/24 172.16.0.0/12
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow  localhost localnet
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all


Those http_access rules contain an impossible condition.

The src-IP cannot simultaneously have a value in the 127/8 network range *and* in one of the RFC1918 ranges. So there is no way anything is ever allowed to use this proxy.

I suspect it was working due to a recently fixed bug where the CONNECT message was not consistently passed through http_access controls sometimes in the first SSL-Bump step. Do not expect that to work much longer.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
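
An added illustration of the point in the reply above, not part of the original thread and not Squid's own code: a small Python model of http_access evaluation (ACL names on one line are ANDed, lines are tried top to bottom, first match wins), run over the quoted rules and over a constructed variant with one allow line per source ACL. The `SPLIT_RULES` list and the sample requests are assumptions made for this example.

```python
import ipaddress

# ACL definitions copied from the quoted squid.conf.
ACLS = {
    "localhost": ("src", ["127.0.0.0/8"]),
    "localnet": ("src", ["192.168.100.0/24", "192.168.101.0/24", "172.16.0.0/12"]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 443]),
    "CONNECT": ("method", ["CONNECT"]),
}
QUOTED_RULES = [
    "http_access allow  localhost localnet",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny all",
]
# Constructed variant (assumption): each source ACL gets its own allow line,
# so the two are alternatives instead of a combined condition.
SPLIT_RULES = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow localhost",
    "http_access allow localnet",
    "http_access deny all",
]

def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    return req[kind] in values

def http_access(rules, req):
    """Return (action, line) for the first line whose ACLs ALL match."""
    for line in rules:
        _, action, *names = line.split()
        # "!name" matches when the ACL does not; every name must hold (AND).
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # not reached here: both lists end in "deny all"

if __name__ == "__main__":
    # Constructed sample requests.
    for req in ({"src": "127.0.0.1", "method": "GET", "port": 80},
                {"src": "192.168.100.25", "method": "CONNECT", "port": 443},
                {"src": "192.168.100.25", "method": "CONNECT", "port": 22}):
        print(req, http_access(QUOTED_RULES, req), http_access(SPLIT_RULES, req))
```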



