[squid-users] ACL why does this not work?

Amos Jeffries squid3 at treenet.co.nz
Fri May 1 15:57:36 UTC 2015


On 2/05/2015 1:33 a.m., Yan Seiner wrote:
> 
> On 05/01/2015 01:25 AM, Amos Jeffries wrote:
>> On 1/05/2015 11:56 a.m., Yan Seiner wrote:
>>> I am trying to prevent squid from proxying to an authorized subnet.
>>>
>>> I want to write a set of acl rules that say that if a request does not
>>> come from the authorized subnet then it should not be allowed to connect
>>> to the authorized web server.
>>>
>>> acl auth_net src 192.168.4.0/24
>>> acl auth dst 192.168.4.1
>>> http_access deny !auth_net auth
>>>
>>> AFAICT something like the above should work but it doesn't.  squid
>>> proxies requests from anywhere on the network to the authorized
>>> webserver, getting right around the firewall.
>>>
>>> Any suggestions on how to make this work?
>> You either got the order wrong
>> (<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>) or the DNS
>> results are not what you think they are.
>>
>> We can't really say without knowing what your whole config is.
>>
>> Amos
> 
> Hi Amos:
> 
> Here's my config; it's pretty basic.
> 
> I have 4 subnets: dmz, auth, guest, and tenant.  Only the auth subnet
> should be allowed access to the webserver on 192.168.4.1. The web server
> does not listen on any of the other subnets.

Where the server listens is only relevant if the clients are talking
directly to it. When they go through the proxy it's the proxy talking to
the server.

Still, what you have configured below does define the policy correctly.


Two things to do:

1) enable access.log and see what gets logged when you test it.

2) configure "debug_options 28,3" and see what shows up in cache.log
when you test it.

Some more notes below...

> 
> cache_mem 3072 MB
> 
> acl dmz_net src 192.168.3.0/24
> acl auth_net src 192.168.4.0/24
> acl guest_net src 192.168.5.0/24
> acl tenant_net src 192.168.6.0/24
> 
> acl dmz dst 192.168.3.1
> acl auth dst 192.168.4.1
> acl guest dst 192.168.5.1
> acl tenant dst 192.168.6.1
> 
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl localnet src fc00::/7
> acl localnet src fe80::/10
> 
> acl ssl_ports port 443
> 
> acl safe_ports port 80
> acl safe_ports port 21
> acl safe_ports port 443
> acl safe_ports port 70
> acl safe_ports port 210
> acl safe_ports port 1025-65535
> acl safe_ports port 280
> acl safe_ports port 488
> acl safe_ports port 591
> acl safe_ports port 777
> acl connect method connect

Ah, method names are case-sensitive.

At the very least that should be:
  acl connect method CONNECT

> 
> http_access deny !auth_net auth
> 
> http_access deny !safe_ports
> http_access deny connect !ssl_ports
> 
> http_access allow localhost manager
> http_access deny manager
> 
> http_access deny to_localhost
> 
> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> 
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> 
> access_log none
> cache_log /dev/null

Don't do that. cache.log is where Squid publishes the critical failures
that you *really* need to be aware of.

> cache_store_log /dev/null

If you have a current Squid version, just erase the line. store.log is
not enabled by default since 3.1.

> logfile_rotate 0
> 
> logfile_daemon /dev/null
> 

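To show why order and case matter in the posted rules, here is an added Python model of how Squid walks the http_access lines above (first matching line wins, every ACL on a line must match, "!" negates one ACL). It is not Squid's code and not part of this thread; it keeps only the ACLs those lines reference, assumes the dst ACL's hostname lookup has already produced the IP the request goes to, and models method matching as case-sensitive, as Amos notes.

```python
import ipaddress

# Constructed subset of the posted config. Each ACL keeps a list of values
# because repeated "acl <name> ..." lines of one type are ORed together.
ACLS = {
    "auth_net":  ("src", ["192.168.4.0/24"]),
    "auth":      ("dst", ["192.168.4.1"]),
    "localnet":  ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "ssl_ports": ("port", ["443"]),
    "connect":   ("method", ["connect"]),   # lowercase, exactly as posted
    "all":       ("src", ["0.0.0.0/0"]),
}
# The relevant http_access lines, in the posted order.
RULES = [
    ("deny",  ["!auth_net", "auth"]),
    ("deny",  ["connect", "!ssl_ports"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req, acls):
    """One ACL against one request; req = {src, dst, port, method}."""
    kind, values = acls[name]
    if kind in ("src", "dst"):  # dst is assumed already resolved to an IP
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in {int(v) for v in values}
    if kind == "method":
        return req["method"] in values  # case-sensitive, as Amos notes
    raise ValueError(f"unsupported acl type {kind}")

def http_access(req, acls=ACLS, rules=RULES):
    """First http_access line whose ACLs all match wins; '!' negates one
    ACL. If nothing matches, Squid uses the opposite of the last line."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req, acls) != t.startswith("!")
               for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    guest = {"src": "192.168.5.10", "dst": "192.168.4.1", "port": 80, "method": "GET"}
    print(http_access(guest))   # deny: matches "deny !auth_net auth"
    tunnel = {"src": "192.168.5.10", "dst": "203.0.113.5", "port": 80, "method": "CONNECT"}
    print(http_access(tunnel))  # allow: lowercase "connect" never matches
    fixed = dict(ACLS, connect=("method", ["CONNECT"]))
    print(http_access(tunnel, fixed))  # deny: "deny connect !ssl_ports" fires
```

If the real Squid still allows the guest request, the rules as modelled are not the problem, which is why the access.log and "debug_options 28,3" output are the next thing to look at.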