On 14/12/2012 11:53 a.m., Paras pradhan wrote:
> Hi,
> I have 0-65536 in safe ports and it is allowed.
> acl Safe_ports port 0-65535
> http_access deny !Safe_ports
This is not an ALLOWED. This is a not-DENIED otherwise known as "check
next rule".
NP: there are a number of ports between 0-1024 range which are seriously
risky to permit HTTP connections to. The SMTP and FTP ports for example.
> But I am seeing this in access.log.
> --
> 1355433138.267 0 192.168.0.2 TCP_DENIED/403 3413 CONNECT 192.168.0.2:35357 - NONE/- text/html
> --
> How do we allow 35357?
This is a CONNECT request. So "acl SSL_Ports port 35357" should do it.
But consider carefully why the client needs a binary tunnel opened to
that destination, and whether letting it is a good idea.
Amos
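For readers landing on this thread, here is a squid.conf fragment that puts the two points above side by side: the blanket Safe_ports entry that never denies anything, and an explicit port list with 35357 admitted only for CONNECT. This is an added example, not configuration from the thread or from the Squid project; it assumes the rest of the stock rule set is in place (in particular the default "http_access deny CONNECT !SSL_ports" line, whose ACL name must match what is used here), and the localnet range is assumed from the 192.168.0.2 client in the log line.

```conf
# --- weak: 0-65535 matches every port, so "deny !Safe_ports" can never
#     fire; it is "check next rule" for every request, including ones to
#     SMTP (25) and FTP (21) backends.
# acl Safe_ports port 0-65535
# http_access deny !Safe_ports

# --- explicit lists (assumed layout, modelled on the stock defaults)
acl localnet   src 192.168.0.0/24   # assumed: the client in the log is 192.168.0.2
acl SSL_ports  port 443
acl SSL_ports  port 35357           # the CONNECT seen in access.log; only add if that
                                    # tunnel is really wanted
acl Safe_ports port 80              # http
acl Safe_ports port 443             # https
acl Safe_ports port 1025-65535      # unregistered ports; 35357 already falls in here,
                                    # which is why the plain request was not the problem
acl CONNECT    method CONNECT

# Order matters: Squid takes the first http_access line that matches.
http_access deny !Safe_ports        # blocks the low "risky" ports for every method
http_access deny CONNECT !SSL_ports # blocks tunnels to anything not in SSL_ports
http_access allow localnet
http_access deny all
```

The earlier TCP_DENIED/403 came from the "deny CONNECT !SSL_ports" line, not from Safe_ports, which is why widening Safe_ports changed nothing; 35357 has to be in the SSL_ports list specifically. After editing, run `squid -k parse` to check the file and `squid -k reconfigure` to load it, then retry the CONNECT and confirm the access.log entry no longer shows TCP_DENIED.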