[squid-users] Squid configuration sanity check

Alex K rightkicktech at gmail.com
Tue May 8 10:35:14 UTC 2018


Hi Amos,

On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 08/05/18 04:56, Alex K wrote:
> > Hi Amos,
> >
> > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
> >
> >     On 08/05/18 00:24, Alex K wrote:
> >     > Hi all,
> >     >
> ...
> >     > acl localhost src 192.168.200.1/32
> >
> >     192.168.200.1 is assigned to your lo interface?
> >
> > Yes, this is the IP of one of the interfaces of the device at the
> > network where the users use squid to reach Internet.
> >
>
> No, I mean specifically the interface named "lo" which has ::1 and
> 127.0.0.0/8 assigned by the system. It has some special security
> properties like hardware restriction preventing globally routable IPs
> being used as dst-IP of packets even routed through it result in
> rejections.
>
I have not assigned 192.168.200.1 at lo. It is assigned to an interface
(eth3 for example). "localhost" is misleading here. It could say "proxy".


>
>
> >
> >     >
> >     > acl SSL_ports port 443
> >     > acl Safe_ports port 80
> >     > acl Safe_ports port 21
> >     > acl Safe_ports port 443
> >     > acl Safe_ports port 10080
> >     > acl Safe_ports port 10443
> >     > acl SSL method CONNECT
> >
> >     The above can be quite deceptive,
> >
> > I removed port 21 as I don't think I am using FTP.
> >
>
> Sorry, I missed out the last half of that text. I was meaning the "SSL"
> ACL definition specifically. CONNECT method is not restricted to SSL
> protocol even when all you are doing is intercepting port 443 (think
> HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
> CONNECT ACL in place of "SSL" - they are identical in definition and
> CONNECT is clearer to see if/when some access control is not as tightly
> restricted as "SSL" would make it seem.

You mean remove "acl CONNECT method CONNECT" and leave only "acl CONNECT
method CONNECT"?

>
>
> Cheers
> Amos
>
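As an added illustration (not part of this thread and not the Squid project's own shipped config), the ACL block from the thread rewritten along the lines Amos suggests: the misleadingly named `SSL` ACL replaced by the default `CONNECT` ACL, so the `http_access` rule names say what they actually match, and the `localhost` ACL renamed so it is not mistaken for the loopback ACL of the same name. The name `proxy_if`, the address on `eth3`, and the `192.168.200.0/24` client network are assumptions taken from this thread, not settings from the original post.

```conf
# Added example (not from the thread): ACLs with names that match what they do.
# Assumed: 192.168.200.1 is the proxy's own address on eth3 (not lo),
# and the users sit in 192.168.200.0/24.

acl proxy_if src 192.168.200.1/32       # was "acl localhost"; this is not loopback
acl localnet src 192.168.200.0/24       # assumed client network

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443

# Was "acl SSL method CONNECT". A CONNECT tunnel can carry HTTP/2,
# WebSockets, QUIC or anything else, not only TLS, so the ACL is named
# for the method it matches rather than a protocol it cannot verify.
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports     # tunnels only to the listed ports
http_access allow proxy_if
http_access allow localnet
http_access deny all
```

Reading the last four rules, "deny CONNECT !SSL_ports" now states plainly that any tunnel to a non-443 port is refused, which the old "deny SSL !SSL_ports" wording obscured.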