[squid-users] Squid configuration sanity check

Alex K rightkicktech at gmail.com
Wed May 16 06:17:45 UTC 2018


Hi again,

With this config I get:

ERROR: No forward-proxy ports configured.

I am wondering if I could just add a dummy entry:

http_port 3130

to suppress this error.

But not sure how this is useful when reading:

https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

Alex

On Tue, May 8, 2018 at 7:49 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 08/05/18 22:36, Alex K wrote:
> > Correction:
> >
> > On Tue, May 8, 2018 at 1:35 PM, Alex K wrote:
> >
> >     Hi Amos,
> >
> >     On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries wrote:
> >
> >         On 08/05/18 04:56, Alex K wrote:
> >         > Hi Amos,
> >         >
> >         > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
> >         >
> >         >     On 08/05/18 00:24, Alex K wrote:
> >         >     > Hi all,
> >         >     >
> >         ...
> >         >     > acl localhost src 192.168.200.1/32
> >         >
> >         >     192.168.200.1 is assigned to your lo interface?
> >         >
> >         > Yes, this is the IP of one of the interfaces of the device at the
> >         > network where the users use squid to reach Internet.
> >         >
> >
> >         No, I mean specifically the interface named "lo" which has ::1 and
> >         127.0.0.0/8 assigned by the system. It has some special security
> >         properties like hardware restriction preventing globally routable IPs
> >         being used as dst-IP of packets even routed through it result in
> >         rejections.
> >
> >     I have not assigned 192.168.200.1 at lo. It is assigned to an
> >     interface (eth3 for example). localhost is here misleading. It could
> >     say "proxy".
>
> Yes, it should be different. "localhost" ACL is used for some defaults.
> What you are doing here is adding 192.168.200.1 to the ::1 etc
> definition of the predefined localhost ACL.
>
>
> >
> >         >
> >         >     >
> >         >     > acl SSL_ports port 443
> >         >     > acl Safe_ports port 80
> >         >     > acl Safe_ports port 21
> >         >     > acl Safe_ports port 443
> >         >     > acl Safe_ports port 10080
> >         >     > acl Safe_ports port 10443
> >         >     > acl SSL method CONNECT
> >         >
> >         >     The above can be quite deceptive,
> >         >
> >         > I removed port 21 as I don't think I am using FTP.
> >         >
> >
> >         Sorry, I missed out the last half of that text. I was meaning the "SSL"
> >         ACL definition specifically. CONNECT method is not restricted to SSL
> >         protocol even when all you are doing is intercepting port 443 (think
> >         HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
> >         CONNECT ACL in place of "SSL" - they are identical in definition and
> >         CONNECT is clearer to see if/when some access control is not as tightly
> >         restricted as "SSL" would make it seem.
> >
> >     You mean remove  "acl SSL method CONNECT" and leave only "acl
> >     CONNECT method CONNECT" ?
> >
>
> Yes. Exactly so.
>
> Amos
>
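
The three points raised in this thread (a `localhost` ACL extended with a non-loopback address, an ACL such as "SSL" that is only an alias for `method CONNECT`, and a configuration with no forward-proxy `http_port`) can be checked mechanically. The following is an added example, not part of the original messages or of Squid itself; the `lint` function, its finding codes and the sample config are hypothetical, and it assumes the "No forward-proxy ports" error arises when every `http_port` carries a mode flag such as `intercept`.

```python
import ipaddress

# Constructed sample built from directives quoted in the thread. The http_port
# line is an assumption (an intercept-only port), not the poster's actual config.
SAMPLE = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl SSL method CONNECT
acl CONNECT method CONNECT
http_port 3129 intercept
"""

# http_port mode flags that make a listener something other than a forward proxy.
NON_FORWARD_MODES = {"intercept", "tproxy", "accel"}


def lint(conf):
    """Return (line_number, code, detail) findings for a squid.conf string."""
    findings, saw_port, saw_forward = [], False, False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0] == "acl" and len(tokens) >= 4:
            name, kind, values = tokens[1], tokens[2], tokens[3:]
            if name == "localhost" and kind == "src":
                # Entries here are appended to the predefined localhost ACL.
                for value in values:
                    try:
                        net = ipaddress.ip_network(value, strict=False)
                    except ValueError:
                        continue  # ranges, files, etc. are out of scope here
                    if not net.is_loopback:
                        findings.append((lineno, "localhost-extended", value))
            elif kind == "method" and values == ["CONNECT"] and name != "CONNECT":
                # Same definition as the provided CONNECT ACL under another name.
                findings.append((lineno, "connect-alias", name))
        elif tokens[0] == "http_port" and len(tokens) >= 2:
            saw_port = True
            if not NON_FORWARD_MODES & set(tokens[2:]):
                saw_forward = True
    if saw_port and not saw_forward:
        findings.append((0, "no-forward-proxy-port", "http_port"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Line number 0 marks a whole-file finding rather than a specific directive.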