
Re: Squid configuration sanity check


 



Hi again,

With this config I get:

ERROR: No forward-proxy ports configured.

I am wondering if I could just add a dummy entry:

http_port 3130

to suppress this error.

But not sure how this is useful when reading:

https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

Alex

On Tue, May 8, 2018 at 7:49 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 08/05/18 22:36, Alex K wrote:
> Correction:
>
> On Tue, May 8, 2018 at 1:35 PM, Alex K wrote:
>
>     Hi Amos,
>
>     On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries wrote:
>
>         On 08/05/18 04:56, Alex K wrote:
>         > Hi Amos,
>         >
>         > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
>         >
>         >     On 08/05/18 00:24, Alex K wrote:
>         >     > Hi all,
>         >     >
>         ...
>         >     > acl localhost src 192.168.200.1/32
>         >
>         >     192.168.200.1 is assigned to your lo interface?
>         >
>         > Yes, this is the IP of one of the interfaces of the device at the
>         > network where the users use squid to reach Internet. 
>         >
>
>         No, I mean specifically the interface named "lo" which has ::1 and
>         127.0.0.0/8 assigned by the system. It has some special security
>         properties like hardware restriction preventing globally routable IPs
>         being used as dst-IP of packets even routed through it result in
>         rejections.
>
>     I have not assigned 192.168.200.1 at lo. It is assigned to an
>     interface (eth3 for example). localhost is here misleading. It could
>     say "proxy"

Yes, it should be different. "localhost" ACL is used for some defaults.
What you are doing here is adding 192.168.200.1 to the ::1 etc
definition of the predefined localhost ACL.


>
>         >
>         >     >
>         >     > acl SSL_ports port 443
>         >     > acl Safe_ports port 80
>         >     > acl Safe_ports port 21
>         >     > acl Safe_ports port 443
>         >     > acl Safe_ports port 10080
>         >     > acl Safe_ports port 10443
>         >     > acl SSL method CONNECT
>         >
>         >     The above can be quite deceptive,
>         >
>         > I removed port 21 as I don't think I am using FTP.
>         >  
>
>         Sorry, I missed out the last half of that text. I was meaning the
>         "SSL" ACL definition specifically. CONNECT method is not restricted
>         to SSL protocol even when all you are doing is intercepting port 443
>         (think HTTP/2, WebSockets, QUIC, etc). It would be better to use the
>         provided CONNECT ACL in place of "SSL" - they are identical in
>         definition and CONNECT is clearer to see if/when some access control
>         is not as tightly restricted as "SSL" would make it seem.
>
>     You mean remove "acl SSL method CONNECT" and leave only "acl
>     CONNECT method CONNECT" ?
>

Yes. Exactly so.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
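
As an added example (not part of the original thread and not Squid project code), a small Python linter for the two ACL points Amos raises and the error Alex reports. The sample configuration is constructed from the ACL lines quoted above plus a hypothetical intercept port; the function and finding names are illustrative, and the port check is simplified to `http_port` lines that carry none of `intercept`, `tproxy` or `accel`.

```python
# ACL name the thread calls predefined; adding entries to it widens defaults.
PREDEFINED = {"localhost"}
# http_port mode flags that make a port something other than a forward proxy.
NON_FORWARD_FLAGS = {"intercept", "tproxy", "accel"}

# Constructed sample: ACL lines from the thread plus a hypothetical port line.
SAMPLE = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl SSL method CONNECT
acl CONNECT method CONNECT
http_port 192.168.200.1:10080 intercept
"""

def lint_squid_conf(text):
    """Return (line_no, code, message) findings; line 0 means whole file."""
    findings, forward_ports, saw_port = [], 0, False
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 4:
            name, kind, values = tokens[1], tokens[2], tokens[3:]
            if name in PREDEFINED:
                findings.append((no, "EXTENDS_PREDEFINED",
                    f"'{name}' is predefined; this line adds "
                    f"{' '.join(values)} to it"))
            if kind == "method" and values == ["CONNECT"] and name != "CONNECT":
                findings.append((no, "CONNECT_ALIAS",
                    f"'{name}' matches every CONNECT request, not only TLS; "
                    "use the name CONNECT"))
        elif tokens[0] == "http_port":
            saw_port = True
            # Simplification: a port with no mode flag counts as forward proxy.
            if not NON_FORWARD_FLAGS & set(tokens[2:]):
                forward_ports += 1
    if saw_port and forward_ports == 0:
        findings.append((0, "NO_FORWARD_PORT",
            "every http_port has a mode flag; expect the "
            "'No forward-proxy ports configured' error"))
    return findings

if __name__ == "__main__":
    for line_no, code, message in lint_squid_conf(SAMPLE):
        print(f"line {line_no}: {code}: {message}")
```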
