Hi Amos,
On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 08/05/18 04:56, Alex K wrote:
> > Hi Amos,
> >
> > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
> >
> > On 08/05/18 00:24, Alex K wrote:
> > > Hi all,
> > >
> ...
> > > acl localhost src 192.168.200.1/32
> >
> > 192.168.200.1 is assigned to your lo interface?
> >
> > Yes, this is the IP of one of the interfaces of the device at the
> > network where the users use squid to reach the Internet.
> >
> No, I mean specifically the interface named "lo" which has ::1 and
> 127.0.0.0/8 assigned by the system. It has some special security
> properties, like a hardware restriction preventing globally routable IPs
> from being used as the dst-IP of packets; even packets routed through it
> result in rejections.
I have not assigned 192.168.200.1 to lo. It is assigned to an interface (eth3, for example). "localhost" is misleading here; it could say "proxy".
> >
> > >
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80
> > > acl Safe_ports port 21
> > > acl Safe_ports port 443
> > > acl Safe_ports port 10080
> > > acl Safe_ports port 10443
> > > acl SSL method CONNECT
> >
> > The above can be quite deceptive,
> >
> > I removed port 21 as I don't think I am using FTP.
> >
> Sorry, I missed out the last half of that text. I was meaning the "SSL"
> ACL definition specifically. CONNECT method is not restricted to SSL
> protocol even when all you are doing is intercepting port 443 (think
> HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
> CONNECT ACL in place of "SSL" - they are identical in definition and
> CONNECT is clearer to see if/when some access control is not as tightly
> restricted as "SSL" would make it seem.
You mean remove "acl CONNECT method CONNECT" and leave only "acl CONNECT method CONNECT"?
> Cheers
> Amos
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
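For reference, here is the ACL block from the thread with the "SSL" ACL replaced by Squid's stock CONNECT ACL and the default http_access rules that use it. This is an added example, not a config posted by either participant; the "proxy" ACL name is the rename Alex suggested, and the port lists are the ones from the thread.

```conf
# Added example (not from the thread): the posted ACLs, with the misleading
# names fixed, plus the access rules from Squid's default squid.conf that
# use them. 192.168.200.1/32 is the address from the thread.
acl proxy src 192.168.200.1/32

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443

# Matches the HTTP method only, not what travels inside the tunnel: a CONNECT
# tunnel may carry TLS, but just as well HTTP/2, WebSockets or anything else.
# Naming it "SSL" hides that when reading the http_access rules below.
acl CONNECT method CONNECT

# Refuse any request to a port not in Safe_ports.
http_access deny !Safe_ports

# Refuse tunnels to anything outside SSL_ports. Note: with SSL_ports as listed,
# CONNECT to 10443 is denied; add "acl SSL_ports port 10443" if that is wanted.
http_access deny CONNECT !SSL_ports
```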