[squid-users] Squid with proxy
Silvio Siefke
siefke_listen at web.de
Fri May 22 14:05:24 UTC 2015
On Fri, 22 May 2015 23:26:13 +1200 Amos Jeffries <squid3 at treenet.co.nz>
wrote:
> Without NextProxy is correct if ziproxy is on the "outside" of Squid.
> Like so:
>
> client -> Squid -> ziproxy -> Internet

In my browser I speak only with Squid; the rest is done by Squid, I hope. I use
ziproxy to compress the traffic, but from what I saw the rate is not really
much.
http://silviosiefke.de/squid/zip.html

> If you set ziproxy to pass *requests* to Squid, the traffic will
> enter a loop:
> client -> Squid -> ziproxy -> Squid -> ziproxy -> ...

client > squid > ziproxy > squid > client, that is my plan.

> In your squid.conf all traffic requires authenticating. Nothing is
> allowed through without it. Although anything from localhost is
> allowed to send wrong credentials and get through :-( .

Localhost should work without authenticating. I think this is the problem
why NextProxy in ziproxy.conf does not work correctly.

> - "deny ads" is not useful like this, anything getting to that check
> will also be blocked by the "deny all" which follows it and is a
> faster check.
>
> - also missing the basic HTTP abuse and DoS security protections.
>
> To let localhost I would write them like this:
>
> # basic security protections.
> # To let special ports through; check carefully it's not abuse
> # then adjust Safe_ports and SSL_ports appropriately
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_Ports
>
> # To use the deny ads ACL it would go here in the ordering,
> # before the allow rules.
> http_access deny ads
>
> # localhost does not require authentication
> http_access allow localhost
>
> # manager access only permitted from localhost
> http_access deny !localhost manager
>
> # anyone with valid auth credentials is allowed
> http_access allow checkpw
>
> http_access deny all
>
>
> You will need to re-add the CONNECT, Safe_ports and SSL_Ports ACL
> definitions from the default config.

Okay, thank you. I'm ashamed, but I really had not understood what SSL ports
mean, and so now I understand more.

> You don't really need to exempt localhost from authentication. But that
> is your choice.

Only connections over port 15000 need authentication because it is external, and
it would be best if only my login works. Localhost should work without any limitation.

Thank you very much & Nice Day
Silvio
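
Added example (not part of the original message, and not Squid's own code): a small Python model of the first-match http_access evaluation that the ordering advice quoted above relies on. The ADS_LAST ordering is constructed from the description in the thread, and every ACL is reduced to a boolean assumption about the request.

```python
# Added illustration (not Squid source): first-match evaluation of http_access.
# Simplification: each ACL is a precomputed boolean; the 407 challenge that a
# real proxy_auth ACL can trigger is not modelled here.

RECOMMENDED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access deny ads
http_access allow localhost
http_access deny !localhost manager
http_access allow checkpw
http_access deny all
"""

# Constructed "before" ordering: the ads check sits directly above "deny all".
ADS_LAST = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access allow localhost
http_access deny !localhost manager
http_access allow checkpw
http_access deny ads
http_access deny all
"""

def decide(conf, **facts):
    """Return (action, deciding_line) for a request described by ACL booleans."""
    facts = {"all": True, "Safe_ports": True, **facts}  # assumed: a safe port
    action = None
    for line in conf.strip().splitlines():
        _, action, *acls = line.split()
        # Every ACL on the line must match (AND); a leading "!" negates one ACL.
        if all(facts.get(a.lstrip("!"), False) != a.startswith("!") for a in acls):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if action == "deny" else "deny"), None

if __name__ == "__main__":
    request = dict(checkpw=True, ads=True)  # constructed: logged-in user, ad URL
    for name, conf in (("RECOMMENDED", RECOMMENDED), ("ADS_LAST", ADS_LAST)):
        print(name, decide(conf, **request))
```

With the ads check last, it only ever decides requests that "deny all" would have denied anyway; authenticated and localhost requests for ad URLs are allowed by the earlier allow lines.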