acl http protocol http
should be:
acl http proto http
Thanks again!!!
Eric
Henrik Nordstrom wrote:
On Tue, 24 Feb 2004, Eric Kahklen wrote:
Now that I have my squid accelerator working, I need to tighten down my ACL's. I am allowing SSL traffic in for the reverse proxying of OWA. I am not offering any other proxying services. Any comments or suggestions on improving/securing this would be appreciated. Here are the ACL's I have that were combined with the default conf file:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
A bit overkill for the above situation.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
Ok.
# Deny requests to unknown ports
http_access deny !Safe_ports
Ok if this was an Internet proxy.
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
As above.
#MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
acl Exchangebox dst 10.0.0.5
http_access allow Exchangebox
http_access deny all
Ok.
# And finally deny all other access to this proxy
http_access allow localhost
What is this? Clearly not what the comment claims. But you have already denied everything above so it can never get here.
# and finally allow by default
http_reply_access allow all
Ok. Does not need to be specified.
#Allow ICP queries from everyone
icp_access allow all
You don't want ICP in a reverse proxy. In fact I would recommend you to disable icp entirely (see icp_port).
I would propose something like the following configuration for your reverse proxy:
# Base ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http protocol http
acl port80 port 80
acl https protocol https
acl port443 port 443
# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager
# Allow access to our servers
acl Exchangebox dst 10.0.0.5
http_access allow https port443 Exchangebox
[or if you are using Squid-3 with cache_peer based forwarding]
acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
http_access allow https port443 Exchangebox
# And finally deny all other access to this proxy
http_access deny all
# Disable ICP
icp_port 0
Regards
Henrik
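Added example, not part of the original thread or of Squid itself: a small Python lint that catches the two mistakes discussed above, an `acl` line with an unrecognized type (`protocol` instead of `proto`) and an `http_access` rule placed after a catch-all `deny all`, where it can never match. The function name, the sample config and the short list of ACL types are assumptions of this example; it also assumes `all` is the catch-all source ACL, as in the configs above.

```python
# ACL types that appear in this thread; Squid supports many more,
# so this set is an assumption of the example, not a complete list.
KNOWN_ACL_TYPES = {"src", "dst", "dstdomain", "proto", "port", "method"}

# Constructed sample combining the two problems raised in the thread.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http protocol http
acl Exchangebox dst 10.0.0.5
http_access allow Exchangebox
http_access deny all
http_access allow localhost
"""

def lint_squid_acls(conf_text):
    """Return (line_number, message) findings for acl/http_access lines."""
    findings, acls = [], {}
    terminal = None  # line number of the first rule that matches everything
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 3:
            name, acl_type = words[1], words[2]
            if acl_type not in KNOWN_ACL_TYPES:
                findings.append((lineno, f"acl {name}: unknown type '{acl_type}'"))
            acls.setdefault(name, acl_type)
        elif words[0] == "http_access" and len(words) >= 3:
            action, conds = words[1], words[2:]
            if action not in ("allow", "deny"):
                findings.append((lineno, f"http_access: unknown action '{action}'"))
                continue
            if terminal is not None:
                findings.append((lineno, f"unreachable: line {terminal} already matches every request"))
                continue
            for cond in conds:
                if cond.lstrip("!") not in acls:
                    findings.append((lineno, f"http_access: undefined acl '{cond}'"))
            if conds == ["all"]:  # first-match wins: nothing below is evaluated
                terminal = lineno
    return findings

if __name__ == "__main__":
    for lineno, message in lint_squid_acls(SAMPLE):
        print(f"line {lineno}: {message}")
```

Squid's own `squid -k parse` reports syntax errors in the real config file, but it does not point out rules that are shadowed by an earlier catch-all.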
