[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

Walter H. Walter.H at mathemainzel.info
Wed Oct 15 06:46:44 UTC 2014


On 15.10.2014 08:13, Amos Jeffries wrote:
> And the key difference in these configs is not the ACL contents, but
> the ordering in which they are matched.
>
> Mirza's config starts by telling Squid everything on the LAN/localnet
> is allowed. Ok, fine, Squid will do that.
>
> Walter's config will tell Squid a limited set of things to allow, then
> some things to deny, then implicitly allow everything else [1][2].
> Whichever rule actually matches the FB requests will be applied by
> Squid; with a limited set of initial allow/bypass rules, the likelihood
> that a following deny will match is higher.
>
>
> [1] this is not a great situation, because any remote attack which can
> figure out a way past your regex ACLs can use the proxy for whatever
> they please [2].
>
> [2] I hope you just omitted the localnet ACL checks which should
> follow the ones you showed.
>
> Amos
Yes, I omitted this:

acl localnet src 192.168.0.0/16

on top of squid.conf and

http_access allow localnet
http_access allow localhost

below the listed ACL rules.

Walter
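An added example, not from the thread: a small Python model of how Squid walks its http_access list (the first matching line wins, every ACL on a line must match, and when nothing matches the default is the opposite of the last line), run over two constructed squid.conf fragments that differ only in the ordering Amos describes. The ACL names, the 192.168.0.0/16 range and the .facebook.com dstdomain are assumptions for the demonstration.

```python
import ipaddress
# Constructed squid.conf fragments (not the posters' real files).
# A: the LAN allow comes first, so a facebook request matches it and the deny is never reached.
CONFIG_A = """
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl blocked dstdomain .facebook.com
http_access allow localnet
http_access allow localhost
http_access deny blocked
"""
# B: the deny is evaluated before the LAN allow and therefore takes effect.
CONFIG_B = """
acl localnet src 192.168.0.0/16
acl localhost src 127.0.0.1/32
acl blocked dstdomain .facebook.com
http_access deny blocked
http_access allow localnet
http_access allow localhost
"""
def parse(conf):
    """Collect acl definitions and http_access lines in file order."""
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, src, host):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and all subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type: " + kind)

def decide(conf, src, host):
    """Return 'allow' or 'deny' the way Squid's http_access list would."""
    acls, rules = parse(conf)
    for action, names in rules:
        # Every ACL on one line must match ("!" negates); the first matching line wins.
        if all(acl_matches(acls[n.lstrip("!")], src, host) != n.startswith("!") for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

With config A a LAN client reaches facebook because "allow localnet" matches first; with config B the same request is denied, and an off-LAN client gets the implicit deny that Amos's footnote [1] is about.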
