<div dir="ltr"><div><div><div><div><div>Hi again, <br><br></div>
With this config I get: <br><br><span style="font-family:monospace,monospace">ERROR: No forward-proxy ports configured. </span><br><br></div>
I am wondering if I could just add a dummy entry: <br><br>http_port 3130<br><br></div>
to suppress this error. <br><br></div>
But I am not sure how this is useful when reading:<br><br><a href="https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts">https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts</a><br><br></div>
Alex<br></div>
<div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 8, 2018 at 7:49 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 08/05/18 22:36, Alex K wrote:<br>
> Correction:<br>
> <br>
</span><span class="">> On Tue, May 8, 2018 at 1:35 PM, Alex K wrote:<br>
> <br>
> Hi Amos,<br>
> <br>
</span><span class="">> On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries wrote:<br>
> <br>
> On 08/05/18 04:56, Alex K wrote:<br>
> > Hi Amos,<br>
> > <br>
> > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:<br>
> > <br>
> > On 08/05/18 00:24, Alex K wrote:<br>
> > > Hi all,<br>
> > > <br>
> ...<br>
> > > acl localhost src <a href="http://192.168.200.1/32" rel="noreferrer" target="_blank">192.168.200.1/32</a><br>
> > <br>
</span><span class="">> > 192.168.200.1 is assigned to your lo interface?<br>
> > <br>
> > Yes, this is the IP of one of the interfaces of the device at the<br>
> > network where the users use squid to reach Internet. <br>
> > <br>
> <br>
> No, I mean specifically the interface named "lo" which has ::1 and<br>
> <a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> assigned by the system. It has some special security<br>
> properties, like a hardware restriction preventing globally routable IPs<br>
> being used as the dst-IP of packets: even ones routed through it result<br>
> in rejections.<br>
> <br>
> I have not assigned 192.168.200.1 at lo. It is assigned to an<br>
> interface (eth3 for example). "localhost" is misleading here. It could<br>
> say "proxy".<br>
<br>
</span>Yes, it should be different. The "localhost" ACL is used for some defaults.<br>
What you are doing here is adding 192.168.200.1 to the ::1 etc.<br>
definition of the predefined localhost ACL.<br>
<span class=""><br>
<br>
> <br>
> > <br>
> > > <br>
> > > acl SSL_ports port 443<br>
> > > acl Safe_ports port 80<br>
> > > acl Safe_ports port 21<br>
> > > acl Safe_ports port 443<br>
> > > acl Safe_ports port 10080<br>
> > > acl Safe_ports port 10443<br>
> > > acl SSL method CONNECT<br>
> > <br>
> > The above can be quite deceptive,<br>
> > <br>
> > I removed port 21 as I don't think I am using FTP.<br>
> > <br>
> <br>
> Sorry, I missed out the last half of that text. I was meaning the "SSL"<br>
> ACL definition specifically. CONNECT method is not restricted to SSL<br>
> protocol even when all you are doing is intercepting port 443 (think<br>
> HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided<br>
> CONNECT ACL in place of "SSL" - they are identical in definition and<br>
> CONNECT is clearer to see if/when some access control is not as tightly<br>
> restricted as "SSL" would make it seem. <br>
> <br>
> You mean remove "acl SSL method CONNECT" and leave only "acl<br>
> CONNECT method CONNECT"?<br>
> <br>
<br>
</span>Yes. Exactly so.<br>
<span class="HOEnZb"><font color="#888888"><br>
Amos<br>
</font></span></blockquote></div><br></div>
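<div dir="ltr"><br>Added example, not part of the thread and not the Squid project's own configuration: a squid.conf fragment that puts the three points discussed above together, namely a separate forward-proxy listener so Squid stops reporting "No forward-proxy ports configured", a distinct ACL name for the proxy's LAN address instead of extending the predefined localhost ACL, and the conventional CONNECT ACL in place of one named "SSL". The address 192.168.200.1, port 3130 and the port list come from the thread; the intercept port number, the client range and the loopback binding are assumptions, and the http_access rules are the standard ones shipped in squid.conf.default.<br></div>

```conf
# Added example (not from the thread): squid.conf fragment assembling the
# three corrections discussed above.  Values marked "assumed" are not from
# the thread.

# --- Ports ---------------------------------------------------------------
# One plain forward-proxy listener.  Squid needs at least one non-intercept
# port or it logs "ERROR: No forward-proxy ports configured."  Binding it to
# loopback (a choice made here, not a requirement from the thread) keeps it
# from becoming a second, unintended open proxy on the LAN.
http_port 127.0.0.1:3130
# Interception listener for traffic redirected by the firewall (assumed port).
http_port 3129 intercept

# --- Source ACLs ---------------------------------------------------------
# Do NOT write "acl localhost src 192.168.200.1/32": localhost is predefined
# as 127.0.0.1/32 and ::1 and is used by default rules; a second line with the
# same name extends it rather than replacing it.  Give the proxy's own LAN
# address a name that says what it is.
acl proxy_addr src 192.168.200.1/32
acl localnet   src 192.168.200.0/24      # assumed client range

# --- Port / method ACLs --------------------------------------------------
acl SSL_ports  port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 10080
acl Safe_ports port 10443
# Conventional name.  CONNECT is a tunnel to any TCP port; calling this ACL
# "SSL" hides that the rules below constrain tunnels, not TLS.
acl CONNECT method CONNECT

# --- Access rules --------------------------------------------------------
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports      # tunnels only to 443
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
```

<div dir="ltr">Run <span style="font-family:monospace,monospace">squid -k parse</span> against the edited file before reloading; it reports ACL and port errors, including the forward-proxy warning, without touching the running instance.<br></div>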