On 08/05/18 04:56, Alex K wrote:
> Hi Amos,
>
> On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
>
> > On 08/05/18 00:24, Alex K wrote:
> > > Hi all,
> > >
> > ...
> > > acl localhost src 192.168.200.1/32
> >
> > 192.168.200.1 is assigned to your lo interface?
>
> Yes, this is the IP of one of the interfaces of the device at the
> network where the users use squid to reach Internet.
>

No, I mean specifically the interface named "lo" which has ::1 and
127.0.0.0/8 assigned by the system. It has some special security
properties like hardware restriction preventing globally routable IPs
being used as dst-IP of packets even routed through it result in
rejections.

> > >
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80
> > > acl Safe_ports port 21
> > > acl Safe_ports port 443
> > > acl Safe_ports port 10080
> > > acl Safe_ports port 10443
> > > acl SSL method CONNECT
> >
> > The above can be quite deceptive,
>
> I removed port 21 as I don't think I am using FTP.
>

Sorry, I missed out the last half of that text. I was meaning the "SSL"
ACL definition specifically. CONNECT method is not restricted to SSL
protocol even when all you are doing is intercepting port 443 (think
HTTP/2, WebSockets, QUIC, etc).

It would be better to use the provided CONNECT ACL in place of "SSL" -
they are identical in definition and CONNECT is clearer to see if/when
some access control is not as tightly restricted as "SSL" would make it
seem.

Cheers
Amos
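
The two naming points raised in this reply, written as a small audit over squid.conf `acl` lines. This is an added example, not part of the original thread or of Squid itself; the function names, the name heuristic and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the ACL lines quoted in the thread.
SAMPLE_CONF = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL method CONNECT
acl purge method PURGE
"""

# ACL names that read as "TLS only" (hypothetical heuristic for this example).
PROTOCOL_HINT = re.compile(r"ssl|tls|https", re.IGNORECASE)


def is_loopback(value):
    """True if value is an IP or CIDR wholly inside 127.0.0.0/8 or ::1."""
    try:
        return ipaddress.ip_network(value, strict=False).is_loopback
    except ValueError:
        return False  # hostnames, ranges, file references: not provably loopback


def audit(conf_text):
    """Return (line_no, acl_name, message) for each misleadingly named ACL."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 4 or fields[0] != "acl":
            continue
        name, acl_type, values = fields[1], fields[2], fields[3:]
        if name == "localhost" and acl_type == "src":
            # Rules written for the loopback ACL would also match these sources.
            extra = [v for v in values if not v.startswith("-") and not is_loopback(v)]
            if extra:
                findings.append((line_no, name,
                                 "non-loopback source under the name localhost: " + ", ".join(extra)))
        elif acl_type == "method" and "CONNECT" in values and PROTOCOL_HINT.search(name):
            # The definition matches any CONNECT tunnel, whatever runs inside it.
            findings.append((line_no, name,
                             "matches every CONNECT request, not only TLS; use the CONNECT ACL"))
    return findings


if __name__ == "__main__":
    for line_no, name, message in audit(SAMPLE_CONF):
        print(f"line {line_no}: acl {name}: {message}")
```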