Re: [squid-users] Squid and https ports

From: Simon Wright <diver06@dont-contact.us>
Date: Wed, 21 Aug 2002 22:17:03 +0200 (CDT)

On Wed, 21 Aug 2002 15:17:41 -0400, Jerry Murdock wrote:

>From: "Simon Wright" <diver06@attglobal.net>
>Sent: Wednesday, August 21, 2002 2:37 PM

>> Please forgive what may be a very basic question, but I run a
>> small Squid (2.4S5 on NT4). This works fine, however one user
>> wants to connect to an https server that is using port 8443
>> instead of 443 or 563 for his web site admin.

>Assuming your acls are otherwise sane, the only real danger is it's one more
>potential port for users to tunnel out on.

Understood. This is what I was thinking about adding:

# acls for thomb for web admin
acl thomb_SSL dst 80.133.50.84/255.255.255.255
acl thomb_SSLport port 8443

and

# allows access for user thomb to his web admin
http_access allow thomb_SSL thomb_SSLport
http_access deny CONNECT !SSL_Ports

That will just open up the one IP address/port combination.

>I generally have a single acl controlling what sites have access to
>non-standard ssl ports. ie:

Hmmm, I have a very small LAN with very few special
requirements, so acls are more-or-less out-of-the-box. I was
thinking to have specific rules for specific users (the same
user tends to come up asking for "something else"!) which can
then be deleted when the user moves on or whatever. I'll think
again about how to implement this but thanks a bunch for your
input and for putting my mind to rest over leaving gaping holes
in Squid :-)

Simon.
Received on Wed Aug 21 2002 - 14:18:00 MDT
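
Added example, not part of the original message or of Squid's shipped configuration: a squid.conf fragment that contrasts widening SSL_Ports with an allow rule limited to one client, one destination and one port. The acl names thomb_dst, thomb_port and thomb_pc and the client address 192.168.0.10 are assumptions, and the SSL_Ports and CONNECT definitions are assumed to match the ones the thread refers to.

```conf
# Added example, not from the original thread.
# Assumed: these two definitions already exist in squid.conf
# (the thread's rules refer to both acls).
acl SSL_Ports port 443 563
acl CONNECT method CONNECT

# Broad option (left commented out): appending 8443 to SSL_Ports
# permits CONNECT to port 8443 on every host, which is the extra
# tunnelling port mentioned in the thread.
#acl SSL_Ports port 443 563 8443

# Narrow option: one destination, one port, one client.
acl thomb_dst  dst 80.133.50.84/255.255.255.255
acl thomb_port port 8443
# Constructed sample address for the user's workstation (assumption).
acl thomb_pc   src 192.168.0.10/255.255.255.255

# Every acl on an http_access line must match (logical AND), and the
# first matching http_access line decides the request, so this allow
# has to sit above the generic CONNECT deny.
http_access allow CONNECT thomb_pc thomb_dst thomb_port
http_access deny CONNECT !SSL_Ports
```

Removing the exception later means deleting the three thomb_* acl lines and the single allow line; the generic deny is untouched.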
