[squid-users] client-->iptables-->squid-proxy->another-proxy

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 20 08:31:38 UTC 2017


On 20/08/17 14:38, Diogenes S. Jesus wrote:
> * squid.conf:
> -----------------------
> acl localhost src 127.0.0.0/8
> acl localnet src 192.168.100.0/24 192.168.101.0/24 172.16.0.0/12
> acl SSL_ports port 443
> acl Safe_ports port 80      # http
> acl Safe_ports port 443     # https
> acl CONNECT method CONNECT
> 
> http_access allow localhost localnet
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> 
> 

Those http_access rules contain an impossible condition.

The src-IP cannot simultaneously have a value in the 127/8 network 
range *and* in one of the RFC1918 ranges. So there is no way anything is 
ever allowed to use this proxy.

I suspect it was working due to a recently fixed bug where the CONNECT 
message was not consistently passed through http_access controls 
sometimes in the first SSL-Bump step. Do not expect that to work much 
longer.

Amos
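To make the point above concrete, here is a small Python model of how Squid evaluates http_access lines (ACL names on one line are ANDed, lines are tried top-down, the first fully matching line wins, and a fall-through takes the opposite of the last line's action). It is an added example, not code from the thread or from Squid itself; the request is modelled as a dict with only src, port and method, and the "fixed" rule set that splits localhost and localnet onto separate allow lines is the assumed correction.

```python
import ipaddress

# ACL definitions taken from the quoted squid.conf (src, port, method kinds only).
ACLS = {
    "localhost": ("src", ["127.0.0.0/8"]),
    "localnet": ("src", ["192.168.100.0/24", "192.168.101.0/24", "172.16.0.0/12"]),
    "SSL_ports": ("port", [443]),
    "Safe_ports": ("port", [80, 443]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("all", []),
}

# The quoted rules: "allow localhost localnet" requires BOTH ACLs to match.
BROKEN_RULES = [
    ("allow", ["localhost", "localnet"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]

# Assumed correction: one allow line per source ACL (OR across lines).
FIXED_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def acl_matches(name, req):
    """Return True if the named ACL matches the (constructed) request."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(net) for net in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported ACL kind {kind}")


def http_access(rules, req):
    """First line whose ACL terms all match (a leading '!' negates) decides."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"  # Squid's fall-through default
```

Running the quoted rules against a LAN client (192.168.100.5) or the proxy host itself (127.0.0.1) yields "deny" every time, while the split allow lines admit both and still reject unsafe ports.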

