Correction:
On Tue, May 8, 2018 at 1:35 PM, Alex K <rightkicktech@xxxxxxxxx> wrote:
Hi Amos,

On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

On 08/05/18 04:56, Alex K wrote:
> Hi Amos,
>
> On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
>
> On 08/05/18 00:24, Alex K wrote:
> > Hi all,
> >
...
> > acl localhost src 192.168.200.1/32
>
> 192.168.200.1 is assigned to your lo interface?
>
> Yes, this is the IP of one of the interfaces of the device at the
> network where the users use squid to reach Internet.
>
No, I mean specifically the interface named "lo" which has ::1 and
127.0.0.0/8 assigned by the system. It has some special security
properties like hardware restriction preventing globally routable IPs
being used as dst-IP of packets even routed through it result in rejections.

I have not assigned 192.168.200.1 at lo. It is assigned to an interface (eth3, for example). "localhost" is misleading here; it could say "proxy".
>
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80
> > acl Safe_ports port 21
> > acl Safe_ports port 443
> > acl Safe_ports port 10080
> > acl Safe_ports port 10443
> > acl SSL method CONNECT
>
> The above can be quite deceptive,
>
> I removed port 21 as I don't think I am using FTP.
>
Sorry, I missed out the last half of that text. I was meaning the "SSL"
ACL definition specifically. CONNECT method is not restricted to SSL
protocol even when all you are doing is intercepting port 443 (think
HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
CONNECT ACL in place of "SSL" - they are identical in definition and
CONNECT is clearer to see if/when some access control is not as tightly
restricted as "SSL" would make it seem.

You mean remove "acl SSL method CONNECT" and leave only "acl CONNECT method CONNECT"?
Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
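The two naming problems Amos points out above (an ACL called "localhost" that does not match the loopback addresses, and a "method CONNECT" ACL called "SSL") are easy to check for mechanically. The following is an added example, not code from the thread or from the Squid project: a small, hypothetical linter for `acl` lines, run over a constructed squid.conf fragment that mirrors the configuration under discussion.

```python
import ipaddress

# Constructed squid.conf fragment mirroring the ACLs quoted in the thread.
SAMPLE_CONF = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny SSL !SSL_ports
"""

# Addresses the system assigns to the "lo" interface, as described above.
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_acls(conf):
    """Return (name, type, args) for every 'acl' directive, ignoring comments."""
    acls = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.append((parts[1], parts[2], parts[3:]))
    return acls


def lint(conf):
    """Flag ACL names whose meaning does not match their definition."""
    findings = []
    for name, kind, args in parse_acls(conf):
        if name == "localhost" and kind == "src":
            for arg in args:
                try:
                    net = ipaddress.ip_network(arg, strict=False)
                except ValueError:
                    continue  # hostname or other non-address form; not checked here
                same_family = [lb for lb in LOOPBACK if lb.version == net.version]
                if not any(net.subnet_of(lb) for lb in same_family):
                    findings.append(
                        f"ACL 'localhost' matches non-loopback {arg}; rename it (e.g. 'proxy')")
        if kind == "method" and "CONNECT" in args and name != "CONNECT":
            findings.append(
                f"ACL '{name}' is 'method CONNECT' under a misleading name; "
                f"use the built-in CONNECT ACL instead")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Against the sample it reports both issues from the thread; a configuration that keeps "localhost" on 127.0.0.0/8 and ::1 and uses the CONNECT ACL by its own name produces no findings.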