On 15.10.2014 08:13, Amos Jeffries wrote:
And the key difference in these configs is not the ACL contents, but the ordering in which they are matched.

Mirzas' config starts by telling Squid everything on the LAN/localnet is allowed. Ok, fine, Squid will do that.

Walters' config will tell Squid a limited set of things to allow, then some things to deny, then implicitly allow everything else [1][2].

Whichever rule actually matches the FB requests will be applied by Squid, with a limited set of initial allow/bypass the likelihood that a deny following will match is higher.

[1] this is not a great situation, because any remote attack which can figure out a way past your regex ACLs can use the proxy for whatever they please [2].

[2] I hope you just omitted the localnet ACL checks which should follow the ones you showed.

Amos
Yes I omitted this:

    acl localnet src 192.168.0.0/16

on top of squid.conf and

    http_access allow localnet
    http_access allow localhost

below the listed ACL rules;

Walter
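
The ordering effect discussed in this thread, as an added example (not code from either poster or from the Squid project): a small model of http_access evaluation, where the first matching line decides and, when nothing matches, the result is the opposite of the last line's action. Only the localnet range comes from the thread; the url_regex ACL names, their patterns, the three rule lists and the sample requests are constructed stand-ins for the configs not shown here.

```python
import ipaddress
import re

def src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in net

def url_regex(pattern):
    rx = re.compile(pattern)
    return lambda req: rx.search(req["url"]) is not None

# Only the localnet range is from the thread; the url_regex ACLs and their
# patterns are hypothetical stand-ins for the rules not shown on this page.
ACLS = {
    "all": src("0.0.0.0/0"),
    "localnet": src("192.168.0.0/16"),
    "localhost": src("127.0.0.1/32"),
    "allowed_sites": url_regex(r"intranet\.example\.org"),
    "blocked_sites": url_regex(r"facebook\.com"),
}

def http_access(rules, req):
    """First matching line decides. If nothing matches, the result is the
    opposite of the last line's action (no lines at all means deny)."""
    for action, acl in rules:
        if ACLS[acl](req):
            return action, f"{action} {acl}"
    if not rules or rules[-1][0] == "allow":
        return "deny", "implicit"
    return "allow", "implicit"

# Constructed rule lists: localnet allowed first; a list ending in a deny;
# the same list with the localnet/localhost allows placed after it.
ALLOW_FIRST = [("allow", "localnet"), ("deny", "blocked_sites"), ("deny", "all")]
AS_SHOWN = [("allow", "allowed_sites"), ("deny", "blocked_sites")]
COMPLETE = AS_SHOWN + [("allow", "localnet"), ("allow", "localhost")]

# Constructed requests: a LAN client asking for a blocked site, and a
# client outside the LAN asking for an unrelated site.
LAN_FB = {"src": "192.168.1.20", "url": "http://www.facebook.com/"}
REMOTE = {"src": "203.0.113.7", "url": "http://other.example.net/"}

if __name__ == "__main__":
    configs = [("allow-first", ALLOW_FIRST), ("as shown", AS_SHOWN), ("complete", COMPLETE)]
    for name, rules in configs:
        for label, req in [("LAN->FB", LAN_FB), ("remote", REMOTE)]:
            print(f"{name:12} {label:8} {http_access(rules, req)}")
```

With the list that ends in a deny, the remote client's request falls through to an implicit allow; once the allow lines follow it, the same request falls through to an implicit deny.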