[squid-users] Squid configuration sanity check

Alex K rightkicktech at gmail.com
Tue May 8 10:36:06 UTC 2018


Correction:

On Tue, May 8, 2018 at 1:35 PM, Alex K <rightkicktech at gmail.com> wrote:

> Hi Amos,
>
> On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 08/05/18 04:56, Alex K wrote:
>> > Hi Amos,
>> >
>> > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
>> >
>> >     On 08/05/18 00:24, Alex K wrote:
>> >     > Hi all,
>> >     >
>> ...
>> >     > acl localhost src 192.168.200.1/32
>> >
>> >     192.168.200.1 is assigned to your lo interface?
>> >
>> > Yes, this is the IP of one of the interfaces of the device at the
>> > network where the users use squid to reach Internet.
>> >
>>
>> No, I mean specifically the interface named "lo" which has ::1 and
>> 127.0.0.0/8 assigned by the system. It has some special security
>> properties like hardware restriction preventing globally routable IPs
>> being used as dst-IP of packets even routed through it result in
>> rejections.
>>
> I have not assigned 192.168.200.1 to lo. It is assigned to an interface
> (eth3 for example). "localhost" is misleading here; it could say "proxy".
>
>
>>
>>
>> >
>> >     >
>> >     > acl SSL_ports port 443
>> >     > acl Safe_ports port 80
>> >     > acl Safe_ports port 21
>> >     > acl Safe_ports port 443
>> >     > acl Safe_ports port 10080
>> >     > acl Safe_ports port 10443
>> >     > acl SSL method CONNECT
>> >
>> >     The above can be quite deceptive,
>> >
>> > I removed port 21 as I don't think I am using FTP.
>> >
>>
>> Sorry, I missed out the last half of that text. I was meaning the "SSL"
>> ACL definition specifically. CONNECT method is not restricted to SSL
>> protocol even when all you are doing is intercepting port 443 (think
>> HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
>> CONNECT ACL in place of "SSL" - they are identical in definition and
>> CONNECT is clearer to see if/when some access control is not as tightly
>> restricted as "SSL" would make it seem.
>
> You mean remove "acl SSL method CONNECT" and leave only "acl CONNECT
> method CONNECT"?
>
>>
>>
>> Cheers
>> Amos
>>
>
>
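For readers following the thread, here is what the ACL block looks like once the two points Amos raised are applied. This is an added example, not configuration from the thread or from the Squid project: the addresses and ports are the ones quoted above, the ACL name `proxy_self` is an assumption standing in for the misnamed `localhost` entry, and the `http_access` lines are the standard Squid default ordering, which the thread does not show. Note that in Squid 3.2 and later `localhost`, `manager`, `all` and `CONNECT` are built-in ACLs, and a second `acl localhost src ...` line appends to the built-in definition rather than replacing it, which is why naming a non-loopback address `localhost` quietly widens anything that says `allow localhost`.

```conf
# Added example (not from the thread): ACL block reworked along the lines
# suggested in the discussion. "proxy_self" is an assumed name.

# The eth3 address of the proxy host. Not loopback, so it must not be
# added to the built-in "localhost" ACL (that would extend 127.0.0.1/::1).
acl proxy_self src 192.168.200.1/32

# Ports that CONNECT tunnels may be opened to.
acl SSL_ports port 443

# Ports plain HTTP requests may target (port 21 dropped, as in the thread).
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443

# No "acl SSL method CONNECT": the built-in CONNECT ACL already matches the
# CONNECT method, and CONNECT tunnels are not necessarily TLS (HTTP/2,
# WebSockets, etc.), so the name "SSL" would overstate what is matched.

# Standard Squid default ordering (assumed; the thread does not show it).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports    # a CONNECT to 10443 is denied here
http_access allow localhost manager    # built-in localhost = 127.0.0.1, ::1
http_access deny manager
http_access allow proxy_self
http_access allow localhost
http_access deny all
```

With these rules, `http_access deny CONNECT !SSL_ports` is the line that matters for the question in the thread: it refers to the built-in `CONNECT` ACL, so a separate `acl SSL method CONNECT` adds nothing and only makes the rule look narrower than it is. If tunnels to 10443 are actually wanted, that port has to be listed under `SSL_ports`; being in `Safe_ports` alone only permits plain HTTP requests to it. `squid -k parse` will check the file for syntax errors before reloading.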