On 19/09/18 1:31 AM, Dörfler, Andreas wrote:
> hey louis,
>
> thanks for your help and time!
>
> found the problem, since there are firewalls in between, i forgot to check
> a specific point, and well, it was one of the firewalls, no wonder it
> was driving me nuts.
> one of those double facepalm moments once i realized it.
>
>> And thank you for the music link, something different than the radio here. ;-)
>
> no problem, was the first random google search result ;-)
>
>> : acl SSL_ports port 443
>> ## PS in your config you did miss to add the extra SSL_Ports also to the Safe_port.
>
> na, actually there are 3 ports configured :D
>
>
>> ## And here you missed the "allow localnet"
>
> "http_access allow all" makes localnet obsolete, access restrictions are
> handled by a firewall.
>

This statement is false, and very bad security practice.

Squid handles HTTP-level access controls. Firewalls handle network-layer access control. Either way multiple layers of security that work together are better than one - in case that one is compromised.

... and by using "allow all" you have explicitly compromised the Squid layer.

* HTTP is a multiplexing pipelined protocol. One TCP connection can contain traffic from multiple clients mixed up in arbitrary ways the firewall will never see.

* As far as the firewall can be aware, all traffic leaving Squid is from *Squid* IP:ports, not from the clients.

==> So those details mean any low-privilege client who is trusted just enough to use the proxy gets automatically and *silently* privilege escalated at the firewall to the maximum privilege level *any* proxy user is allowed by that firewall.

This leaves your network wide open to insider attacks, client hijacking and viral compromised clients.

You cannot trust the firewall alone unless you have a *full* HTTP proxy built into your firewall to handle the HTTP-level control. In which case your squid.conf is missing settings integrating the two proxies.

Like the other default rules this "deny all" serves multiple purposes - along with the obvious access control to the network it is about denying "legitimate" clients trying to make Squid do extremely resource-consuming things which are not permitted by your policy. Such as flood the internal network with Tbps of traffic, or port-scan services they are not normally allowed access to by the firewall.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
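The rule ordering Amos describes, as an added squid.conf example that is not from the thread or from the Squid project: the quoted "allow all" form is shown beside a rule set following the stock default ordering. The 10.0.0.0/8 subnet and the extra port 8443 are constructed sample values, not the poster's actual configuration.

```conf
# --- Weak form, as in the quoted message: any client able to reach the
# proxy inherits whatever the firewall permits for Squid's own IP, and
# Squid applies no HTTP-level control at all.
acl SSL_ports port 443
http_access allow all

# --- Corrected form, in the stock squid.conf default ordering.
# Sample values (constructed for this example): client subnet and extra port.
acl localnet src 10.0.0.0/8

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80
acl Safe_ports port 443
# Every port listed in SSL_ports must also appear in Safe_ports,
# otherwise the "deny !Safe_ports" rule below rejects it first.
acl Safe_ports port 8443
acl CONNECT method CONNECT

# Refuse requests to ports outside the safe list, and CONNECT tunnels to
# anything that is not an SSL port (this is what stops proxy-relayed
# port scanning of services the firewall would let Squid reach).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager interface only from the proxy host itself.
http_access allow localhost manager
http_access deny manager

# Only the named client networks may use the proxy at all; everything
# else is denied here, independently of what the firewall allows.
http_access allow localnet
http_access allow localhost
http_access deny all
```

Because http_access rules are evaluated top to bottom and the first match wins, the final "deny all" is what catches every client and request type the earlier lines did not explicitly permit.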