>
> > http_access allow !Safe_ports
> > # http_access allow CONNECT !SSL_ports
>
> Make these two lines:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> This will keep your Squid box from being exploited to do all sorts of nasty
> things (including spamming).
>
> > acl Safe_ports port 800 # Squids port (for icons)
>
I forgot all the changes I had made because of this problem. I have changed things back to the original config, including your recommendations. Here is my present config and a tail of /var/log/squid/access.log. I still get denied??

1063427751.743 1420 172.21.0.1 TCP_MISS/200 3877 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427751.767 1032 172.21.0.1 TCP_MISS/200 1016 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427751.779 423 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427751.835 473 172.21.0.1 TCP_MISS/200 4648 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427753.229 1 172.21.0.1 TCP_DENIED/407 1457 GET
1063427756.930 5189 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427759.800 8033 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427760.640 8847 172.21.0.1 TCP_MISS/200 370 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427771.335 1 172.21.0.1 TCP_DENIED/407 1463 GET
1063427771.389 1 172.21.0.1 TCP_DENIED/407 1442
1063427777.160 25362 172.21.0.1 TCP_MISS/200 369 CONNECT map.nwea.org:443 admin DIRECT/66.45.48.119 -
1063427779.746 1 172.21.0.1 TCP_DENIED/407 1300 CONNECT map.nwea.org:443 - NONE/- -

<squid.conf>
shutdown_lifetime 5 seconds
icp_port 0
http_port 172.21.0.1:800
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_effective_user squid
cache_effective_group squid
pid_filename /var/run/squid.pid
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
log_mime_hdrs off
forwarded_for off
authenticate_program /usr/lib/squid/ncsa_auth /home/.htpasswd
acl password proxy_auth REQUIRED
acl local-servers dstdomain bbe.k12.mn.us map.nwea.org nwea.org
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 172.21.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# acl Safe_ports port 800 # Squids port (for icons)
acl Safe_ports port 1433 # skyward
acl Safe_ports port 16125 # skyward
acl Safe_ports port 26125 # skyward
acl Safe_ports port 16126 # ns1
acl Safe_ports port 36125 # extra
acl Safe_ports port 46125 # fintrain
acl Safe_ports port 56125 # stutrain
acl Safe_ports port 81 # ipcop
acl CONNECT method CONNECT
# http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localnet
http_access allow password
always_direct allow local-servers
http_access deny all
maximum_object_size 4096 KB
minimum_object_size 0 KB
cache_mem 2000 KB
cache_dir ufs /var/log/cache 50 16 256
request_body_max_size 0 KB
reply_body_max_size 0 KB
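
The effect of the quoted allow-to-deny change can be checked with a small first-match evaluator of the http_access rules. This is an added example, not part of the original post and not Squid's own code: the port lists come from the posted squid.conf, while the requests, the `decide` helper and the simplified proxy_auth handling (a 407 whenever the auth ACL is reached without credentials) are assumptions, as is the "before" rule set, which assumes the rest of the config matched the one posted.

```python
# Added example: first-match evaluation of Squid http_access rules (simplified model).
SSL_PORTS = {443, 563}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777, 81}  # from the posted config

ACLS = {
    # 1025-65535 covers the remaining Safe_ports entries (1433, 16125, ...)
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "password": lambda r: r["user"] is not None,
    "all": lambda r: True,
}

# Assumption: the original config had only the quoted "allow" line active.
BEFORE = ["allow !Safe_ports", "allow password", "deny all"]
AFTER = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow password", "deny all"]

def decide(rules, method, port, user=None):
    """Return 'allow', 'deny' or '407' for one constructed request."""
    req = {"method": method, "port": port, "user": user}
    for line in rules:
        action, *names = line.split()
        for name in names:
            acl = name.lstrip("!")
            if acl == "password" and user is None:
                return "407"  # simplification: auth ACL reached without credentials
            if ACLS[acl](req) == name.startswith("!"):
                break  # this ACL did not match; try the next rule
        else:
            return action  # every ACL on the line matched: first match wins
    return "deny"  # not reached here: both rule sets end in "deny all"

if __name__ == "__main__":
    # Constructed requests: (method, destination port, authenticated user)
    cases = [("CONNECT", 25, None), ("CONNECT", 8080, "admin"),
             ("CONNECT", 443, "admin"), ("CONNECT", 443, None)]
    for method, port, user in cases:
        print(method, port, user, decide(BEFORE, method, port, user),
              decide(AFTER, method, port, user))
```

Because Safe_ports includes 1025-65535, it is the `deny CONNECT !SSL_ports` line, not the Safe_ports line, that stops tunnels to high ports such as 8080.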
