[squid-users] Webpages won't load or load slowly

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 29 14:21:39 UTC 2015


On 30/01/2015 2:49 a.m., Rich549 wrote:
> Yuri Voinov wrote
>> And your access rules looks skew:
>>
>> http_access deny BlacklistedSites StoresAllow
>> http_access allow OK_Unauthenticated
>> http_access allow StaticIPWhitelist
>> http_access allow InetAllow
>> http_access allow StoresAllow
>>

NP: He has the above rules instead of a localnet access permission.

The worst part though is that since the above does not deny invalid user
credentials the following two lines...

>>
>> http_access allow ftp
>> http_access allow CONNECT Safe_ports

... effectively make the proxy an open relay for any type of abuse
anybody on the Internet wants to spew through it.


>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports

The above basic security checks are shuffled down here almost to the
end, which makes them almost ineffective...

>> http_access deny all

... then a "deny all", which makes the security checks not only
ineffective but do nothing that would not have happened anyway, i.e. useless.


>> http_reply_access allow all
>>
>> Where is allow rule for internal networks?
>>
>> Something like:
>>
>> http_access allow localnet
>>
>> ?
> 
> We can access all of our local sites ok, is this required?

I reckon it's a close call as to whether I could as well, using your
proxy. It just hinges on whether a TCP connection can be made from outside
your network to your Squid listening port.


To avoid that risk, order your http_access rules like this:


 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

 http_access deny BlacklistedSites StoresAllow

 http_access allow OK_Unauthenticated
 http_access allow StaticIPWhitelist

 acl login proxy_auth REQUIRED
 http_access deny !login

 http_access allow InetAllow
 http_access allow StoresAllow

 http_access allow localhost manager
 http_access deny all


Notice particularly how I moved the basic security checks up top again,
and erased the "allow ftp" and "allow CONNECT" lines.

The extra auth check is to catch and reject invalid login attempts
quickly without involving the external ACL helpers. It also helps with
some external ACL bugs we have seen in some of the older versions.


If you encounter problems with people making legitimate CONNECT requests
to services with ports other than 443, please fix that by just adding
the ports to the SSL_ports ACL instead of moving the CONNECT security rule
around.
That way they are still controlled by your auth, whitelist, and
blacklist policies.


> Any ideas about my original problem too? Or would updating to the latest
> version be the fix for that?

The current releases are faster; they also have fixed a bug in the
handling of CONNECT requests which is triggered by modern web protocols
like HTTP/2, SPDY, and WebSockets. Any one of those the websites you
listed may be attempting to use, failing on a timeout before getting
through with HTTP/1.

Amos

