[squid-users] ACL why does this not work?

Yan Seiner yan at seiner.com
Fri May 1 13:33:12 UTC 2015


On 05/01/2015 01:25 AM, Amos Jeffries wrote:
> On 1/05/2015 11:56 a.m., Yan Seiner wrote:
>> I am trying to prevent squid from proxying to an authorized subnet.
>>
>> I want to write a set of acl rules that say that if a request does not
>> come from the authorized subnet then it should not be allowed to connect
>> to the authorized web server.
>>
>> acl auth_net src 192.168.4.0/24
>> acl auth dst 192.168.4.1
>> http_access deny !auth_net auth
>>
>> AFAICT something like the above should work, but it doesn't. Squid
>> proxies requests from anywhere on the network to the authorized
>> webserver, getting right around the firewall.
>>
>> Any suggestions on how to make this work?
> You either got the order wrong
> (<http://wiki.squid-cache.org/SquidFaq/OrderIsImportant>) or the DNS
> results are not what you think they are.
>
> We can't really say without knowing what your whole config is.
>
> Amos

Hi Amos:

Here's my config; it's pretty basic.

I have 4 subnets: dmz, auth, guest, and tenant. Only the auth subnet 
should be allowed access to the web server on 192.168.4.1. The web server 
does not listen on any of the other subnets.

cache_mem 3072 MB

acl dmz_net src 192.168.3.0/24
acl auth_net src 192.168.4.0/24
acl guest_net src 192.168.5.0/24
acl tenant_net src 192.168.6.0/24

acl dmz dst 192.168.3.1
acl auth dst 192.168.4.1
acl guest dst 192.168.5.1
acl tenant dst 192.168.6.1

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl ssl_ports port 443

acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1025-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl connect method connect

http_access deny !auth_net auth

http_access deny !safe_ports
http_access deny connect !ssl_ports

http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

http_access allow localnet
http_access allow localhost

http_access deny all

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log none
cache_log /dev/null
cache_store_log /dev/null
logfile_rotate 0

logfile_daemon /dev/null
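The two failure modes Amos points at (rule order and DNS results) can be seen in a small model of how http_access lines are evaluated. The following Python is an added illustration, not code from the thread or from Squid: it reproduces only the parts of the semantics the thread relies on (src and dst ACLs, `!` negation, all terms on a line must match, first matching line wins, no match means the opposite of the last line), drops the IPv6 localnet entries, and uses constructed DNS answers. The names intranet.example and www.example, the public address 203.0.113.10 and the client addresses are assumptions made for the example.

```python
"""Toy model of Squid http_access evaluation for the rules posted above.

Added example, not the project's code. Only src and dst ACL types are
modelled; DNS answers are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed DNS answers (assumption): www.example is taken to be the same
# web server reached through a public address, which is the case where a
# dst ACL listing only 192.168.4.1 does not match.
DNS: Dict[str, List[str]] = {
    "intranet.example": ["192.168.4.1"],
    "www.example": ["203.0.113.10"],
}


@dataclass
class Request:
    src: str   # client address as seen by Squid
    host: str  # host part of the request URL (name or IP literal)


def resolve(host: str) -> List[str]:
    """A dst ACL is compared against the addresses the URL host resolves to."""
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        return DNS.get(host, [])


# acl <name> <type> <values...>, reduced to the ACLs the deny line depends on
ACLS: Dict[str, Tuple[str, List[str]]] = {
    "auth_net": ("src", ["192.168.4.0/24"]),
    "auth":     ("dst", ["192.168.4.1"]),
    "localnet": ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "all":      ("src", ["0.0.0.0/0"]),
}

Rule = Tuple[str, List[str]]

# Order as posted: the deny comes before "allow localnet".
POSTED_ORDER: List[Rule] = [
    ("deny",  ["!auth_net", "auth"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

# Same lines with the deny placed after "allow localnet": the deny is never
# reached for any client inside localnet, which is the ordering mistake.
WRONG_ORDER: List[Rule] = [
    ("allow", ["localnet"]),
    ("deny",  ["!auth_net", "auth"]),
    ("deny",  ["all"]),
]


def acl_matches(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    nets = [ipaddress.ip_network(v, strict=False) for v in values]
    addrs = [req.src] if kind == "src" else resolve(req.host)
    return any(ipaddress.ip_address(a) in n for a in addrs for n in nets)


def term_matches(term: str, req: Request) -> bool:
    # "!name" matches exactly when the ACL does not match
    if term.startswith("!"):
        return not acl_matches(term[1:], req)
    return acl_matches(term, req)


def http_access(req: Request, rules: List[Rule]) -> str:
    """First line whose terms all match decides; with no match, Squid applies
    the opposite of the last line's action."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    cases = [
        Request("192.168.5.20", "192.168.4.1"),       # guest, by IP literal
        Request("192.168.5.20", "intranet.example"),  # guest, name -> 192.168.4.1
        Request("192.168.5.20", "www.example"),       # guest, name -> public address
        Request("192.168.4.10", "192.168.4.1"),       # client on the auth subnet
    ]
    for label, rules in (("posted order", POSTED_ORDER), ("wrong order", WRONG_ORDER)):
        for req in cases:
            print(f"{label:12} {req.src} -> {req.host:17} {http_access(req, rules)}")
```

With the rules in the posted order a guest client is denied when the URL names 192.168.4.1 directly or via a name that resolves to it, but is allowed when the name resolves to an address the `auth` dst ACL does not list; with the deny moved below `allow localnet` every localnet client is allowed regardless of destination. Checking what Squid actually resolves the requested host to is therefore the first thing to verify.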


