[squid-users] ACLs allow/deny logic

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 26 09:53:46 UTC 2017


On 26/06/17 20:46, Vieri wrote:
> Hi,
> 
> I'd like to allow by default and deny only according to the ACLs I define.
> 
> Here's an example with Telegram. I'd like to deny all application/octet-stream mime types in requests and replies except for a set of IP addresses or domains.

Er, deny is the opposite of allow. So your "example" is to demonstrate 
the _opposite_ of what you want?


Not to mention that what you want is the opposite of a well-known 
Security Best-Practice. Well, your call, but when things go terribly 
wrong don't say you weren't warned.


Anyhow ...

> 
> acl denied_restricted1_mimetypes_req req_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
> acl denied_restricted1_mimetypes_rep rep_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
> acl allowed_restricted1_domains dstdomain -i "/usr/local/proxy-settings/allowed.restricted1.domains"
> acl allowed_restricted1_ips dst "/usr/local/proxy-settings/allowed.restricted1.ips"
> http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
> http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips
> 

A line of ACLs is an "AND" condition:

  http_access deny (if) X (and) Y (and) Z

This configuration will deny the mime types except when they come from 
certain IPs *AND* are going to certain domains.


To enact your stated policy you need to do it this way:

  http_access allow allowed_restricted1_domains \
     denied_restricted1_mimetypes_req

  http_access allow allowed_restricted1_ips \
     denied_restricted1_mimetypes_req

  http_access deny denied_restricted1_mimetypes_req


.. same sort of thing for the reply lines.


> # cat /usr/local/proxy-settings/allowed.restricted1.domains
> .telegram.org
> 
> # cat /usr/local/proxy-settings/allowed.restricted1.ips
> 149.154.167.91
> 149.154.165.120
> 
> # cat /usr/local/proxy-settings/denied.restricted1.mimetypes
> ^application/octet-stream$
> 
> I see this in access.log:
> 
> 1498463484.530    413 10.215.144.237 TCP_DENIED_REPLY/403 4085 POST http://149.154.165.120/api - ORIGINAL_DST/149.154.165.120 text/html
> 
> I searched for the relevant parts in cache.log:
> 
<snip>

> I see 2 apparently contradictory log messages (well, for me that is -- I'm still learning how to read the log):
> The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips
> The reply for POST http://149.154.165.120/api is ALLOWED, because it matched allowed_restricted1_ips
> 
> Why is this happening?

The server's reply (application/octet-stream) is being denied, and the 
Squid generated error page (text/html) is being allowed.

When a default / implicit action is being done the "matched X" shows the 
name of the last ACL processed - that ACL non-matching was the reason 
for the default/implicit action happening.

Amos
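A small Python model of the evaluation rules described in this reply, added here as an example; it is not Squid's code and not part of the thread. It encodes the ACL names and list contents from the post, treats the terms on one http_access line as an AND that stops at the first failing term, tries lines top-down with the first fully matching line deciding, and applies Squid's documented default of the opposite of the last line's action when no line matches, returning the name of the last ACL processed, which is what the "matched X" message shows for an implicit action. The dstdomain match is simplified to textual suffix matching (real Squid may do reverse lookups on IP-literal hosts), and the 203.0.113.x addresses and example.net hosts are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """The attributes the three ACL types in the thread look at."""
    host: str        # URL host as written (dstdomain); IP literals are compared as text here
    dst_ip: str      # destination address (dst)
    mime_type: str   # request or reply Content-Type (req_mime_type / rep_mime_type)


# ACL table mirroring the acl lines in the post; the value lists stand in for the list files.
ACLS = {
    "denied_restricted1_mimetypes_req": ("mime", [r"^application/octet-stream$"]),
    "allowed_restricted1_domains": ("dstdomain", [".telegram.org"]),
    "allowed_restricted1_ips": ("dst", ["149.154.167.91", "149.154.165.120"]),
}


def domain_matches(pattern, host):
    """dstdomain semantics: a leading dot matches the domain itself and all subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "mime":  # the post uses -i, so match case-insensitively
        return any(re.search(v, req.mime_type, re.IGNORECASE) for v in values)
    if kind == "dstdomain":
        return any(domain_matches(v, req.host) for v in values)
    if kind == "dst":
        return req.dst_ip in values
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(rules, req):
    """Model of http_access / http_reply_access evaluation.

    rules is a list of (action, [acl terms]); a term starting with '!' is negated.
    Terms on one line are ANDed and the line is abandoned at the first failing term;
    lines are tried top-down and the first line whose terms all match decides.
    With no match the implicit default is the opposite of the last line's action and
    the ACL name reported is the last one processed (the non-matching one).
    Returns (action, last_acl_processed, explicit_match).
    """
    last_acl = None
    for action, terms in rules:
        line_matched = True
        for term in terms:
            negate = term.startswith("!")
            name = term[1:] if negate else term
            last_acl = name
            hit = acl_matches(name, req)
            if negate:
                hit = not hit
            if not hit:
                line_matched = False
                break
        if line_matched:
            return action, last_acl, True
    implicit = "deny" if rules[-1][0] == "allow" else "allow"
    return implicit, last_acl, False


# The single deny line from the original post.
ORIGINAL = [
    ("deny", ["denied_restricted1_mimetypes_req",
              "!allowed_restricted1_domains", "!allowed_restricted1_ips"]),
]

# The three-line ordering given in the reply.
SUGGESTED = [
    ("allow", ["allowed_restricted1_domains", "denied_restricted1_mimetypes_req"]),
    ("allow", ["allowed_restricted1_ips", "denied_restricted1_mimetypes_req"]),
    ("deny", ["denied_restricted1_mimetypes_req"]),
]

# Constructed sample traffic (203.0.113.x and example.net are placeholders).
TELEGRAM_BY_IP = Request("149.154.165.120", "149.154.165.120", "application/octet-stream")
TELEGRAM_BY_NAME = Request("api.telegram.org", "203.0.113.10", "application/octet-stream")
OTHER_BINARY = Request("downloads.example.net", "203.0.113.20", "Application/Octet-Stream")
OTHER_HTML = Request("www.example.net", "203.0.113.30", "text/html")


def compare(req):
    """Evaluate one request under both rule sets."""
    return {"original": evaluate(ORIGINAL, req), "suggested": evaluate(SUGGESTED, req)}


if __name__ == "__main__":
    samples = [("telegram by IP", TELEGRAM_BY_IP), ("telegram by name", TELEGRAM_BY_NAME),
               ("other binary", OTHER_BINARY), ("other html", OTHER_HTML)]
    for label, req in samples:
        for cfg, (action, acl, explicit) in compare(req).items():
            how = "matched" if explicit else "implicit default, last ACL processed:"
            print(f"{label:17} {cfg:9} {action:5} ({how} {acl})")
```

Running it shows the point made about the log message: for the octet-stream request to 149.154.165.120 the original single deny line does not match, so the decision is the implicit default, and the ACL named in the decision is allowed_restricted1_ips, the last one processed and the one whose (negated) non-match stopped the line.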

