[squid-users] Authentication denies access to ports

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 25 00:21:08 UTC 2015


On 2015-02-24 19:25, zanettiza wrote:
> Hi Everyone,
> I've searched and searched but have not found an answer to my question.
> I'm running CentOS 7 and Squid 3.3.4. When I insert "http_access allow
> Safe_ports" AFTER "http_access allow authenticated_users" I have no
> access to ports listed under my Safe_ports ACL, however when I put it
> before then everything works just fine, obviously that is then ignoring
> authentication.
> Any thoughts on how I can overcome this? I have tried many different
> configurations but nothing really works.
> Thanks!
> 

http://wiki.squid-cache.org/SquidFaq/OrderIsImportant
http://wiki.squid-cache.org/SquidFaq/SquidAcl

There is a very big difference between your two policies:

A)
  # allow unlimited access to all "safe" ports
  http_access allow Safe_ports

  # then authenticate access to unsafe ports
  http_access allow authenticated

B)
  # allow access to anywhere authenticated
  http_access allow authenticated

  # then allow access to safe ports if authentication fails
  http_access allow Safe_ports


versus the Squid default security settings:

C)
  # prevent access to unsafe ports
  http_access deny !Safe_ports

  # prevent use of CONNECT tunnels by non-HTTPS
  http_access deny CONNECT !SSL_ports

  # then allow access (to safe ports and HTTPS) if authenticated
  http_access allow authenticated


Amos
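
Added example (not part of the message above and not Squid's own code): a small Python model of first-match http_access evaluation, run over policies A, B and C with constructed requests to show which traffic each ordering lets through. Assumptions: the port sets mirror the stock squid.conf Safe_ports and SSL_ports definitions, and `authenticated` is treated as a plain true/false ACL, so the 407 challenge Squid sends when credentials are missing is not modelled.

```python
# Simplification (assumption): "authenticated" is a plain true/false ACL;
# Squid's 407 challenge for missing credentials is not modelled here.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "authenticated": lambda r: r["user"] is not None,
}

POLICIES = {
    "A": ["allow Safe_ports", "allow authenticated"],
    "B": ["allow authenticated", "allow Safe_ports"],
    "C": ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow authenticated"],
}

def acl_matches(name, req):
    hit = ACLS[name.lstrip("!")](req)
    return not hit if name.startswith("!") else hit

def evaluate(rules, req):
    """Return 'allow' or 'deny' for req; the first matching line wins."""
    action = None
    for line in rules:
        action, *acls = line.split()
        if all(acl_matches(a, req) for a in acls):  # ACLs on one line are ANDed
            return action
    # No line matched: the default is the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

# Constructed sample requests ("alice" is a hypothetical logged-in user).
REQUESTS = {
    "anon GET :80": {"method": "GET", "port": 80, "user": None},
    "anon GET :25": {"method": "GET", "port": 25, "user": None},
    "user GET :80": {"method": "GET", "port": 80, "user": "alice"},
    "user GET :25": {"method": "GET", "port": 25, "user": "alice"},
    "user CONNECT :8443": {"method": "CONNECT", "port": 8443, "user": "alice"},
}

def decision_table():
    """Map policy name -> {request name -> decision}."""
    return {p: {n: evaluate(r, q) for n, q in REQUESTS.items()} for p, r in POLICIES.items()}

if __name__ == "__main__":
    for policy, row in decision_table().items():
        print(policy, row)
```

In this model A and B both let unauthenticated clients reach port 80 and let authenticated clients reach port 25; only C denies the unsafe port and the non-HTTPS CONNECT before authentication is considered.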

