
Re: Help with UA filtering in https connections


 



On 02.01.18 09:06, Alex Rousskov wrote:
> On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
>> On 02.01.18 06:04, squidnoob wrote:
>>> http_access allow CONNECT safe_ports
>>> http_access deny CONNECT
>>
>> the two lines above unconditionally allow CONNECT anywhere,
>
> This is incorrect. The lines deny CONNECT to unsafe ports.

You miss something.

Those lines unconditionally allow CONNECT requests to safe ports ANYWHERE,
which is apparently not what was wanted/expected.

The first line ALLOWS all CONNECT requests to safe ports in such a way that
they CAN NOT BE DISABLED later.

The second line denies CONNECT to unsafe ports.

The difference between the lines above and the following one:

http_access deny CONNECT !safe_ports

is that in this case you can deny the CONNECT request later, unlike the
previous example, where the CONNECT was allowed and further checks are done.

However, what Amos proposed and what is in the default config is:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

which denies all access to unsafe ports, and denies CONNECT to non-SSL
ports, but does not allow access anywhere, so it must be allowed further.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
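
The first-match behaviour discussed in this message, as an added example (not part of the original post and not Squid code): a small Python model that evaluates the three rule sets from the thread against constructed CONNECT requests. The `bad_ua` and `localnet` ACLs, the port sets and the sample requests are assumptions made for illustration.

```python
"""Toy model of Squid http_access evaluation: the first matching line decides."""

# CONNECT, Safe_ports and SSL_ports are named in the thread (the posted rules
# spell it safe_ports; one spelling is used here). bad_ua, localnet and all
# port/UA/address values are constructed for this example.
ACLS = {
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "Safe_ports": lambda r: r["port"] in {80, 443, 8443},
    "SSL_ports":  lambda r: r["port"] in {443},
    "bad_ua":     lambda r: "EvilBot" in r["ua"],
    "localnet":   lambda r: r["src"].startswith("10."),
    "all":        lambda r: True,
}

def evaluate(config, request):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    for line in config.strip().splitlines():
        directive, action, *acls = line.split()
        if directive != "http_access":
            continue
        # A leading "!" negates an ACL; all ACLs on one line are ANDed.
        if all(ACLS[a.lstrip("!")](request) != a.startswith("!") for a in acls):
            return action, line.strip()
    return "deny", "(no line matched)"  # not reached: each config ends in deny all

TAIL = "http_access deny bad_ua\nhttp_access allow localnet\nhttp_access deny all\n"

# Rules as posted: the allow on the first line ends evaluation for safe ports.
POSTED = "http_access allow CONNECT Safe_ports\nhttp_access deny CONNECT\n" + TAIL
# Single deny line from the reply: nothing is allowed yet, later lines still run.
SINGLE_DENY = "http_access deny CONNECT !Safe_ports\n" + TAIL
# Default-config style quoted at the end of the reply.
DEFAULT_STYLE = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n" + TAIL

# Constructed requests.
BOT_HTTPS = {"method": "CONNECT", "port": 443, "ua": "EvilBot/1.0", "src": "10.0.0.5"}
OK_HTTPS = {"method": "CONNECT", "port": 443, "ua": "Mozilla/5.0", "src": "10.0.0.5"}
TO_SMTP = {"method": "CONNECT", "port": 25, "ua": "Mozilla/5.0", "src": "10.0.0.5"}

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("single deny", SINGLE_DENY),
                      ("default style", DEFAULT_STYLE)]:
        for label, req in [("bot:443", BOT_HTTPS), ("ok:443", OK_HTTPS),
                           ("ok:25", TO_SMTP)]:
            action, line = evaluate(cfg, req)
            print(f"{name:13} {label:8} -> {action:5} by: {line}")
```

With the posted rules the `bad_ua` line is never consulted for CONNECT requests to safe ports, while both deny-only variants let evaluation continue to it.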



