Re: [squid-users] ACL defaults

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 6 Feb 2005 11:53:04 +0100 (CET)

On Sun, 6 Feb 2005 johnsuth@acenet.com.au wrote:

> I can't speak for other people, but I am using Squid in conjunction with a deny by default
> firewall to limit access to the www. I see no rules in the standard http_access tag which
> limit access to destinations.
>
> The last rule, "deny all" looks like it limits access to destinations, but a clever lawyer or
> computer programmer can deduce that "all" refers to clients, not destinations.

all is defined in your squid.conf. In each and every element in your
http_access list is defined in your squid.conf.

The definition of "all" as shipped in the suggested default configuration
we are talking about is to match all clients in the whole world.

acl all src 0.0.0.0/0

> Getting back to the English (the docs may be different in other languages), you have not
> suggested why the word "deny" is used in your item 4 when the action is to allow all
> clients not previously denied.

Here is an exact copy of what the suggested http_access ruleset shipped
with Squid looks like, since you seem to have troubled to look it up in
squid.conf.default:

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access deny all

The definitions of each acl used is found in the section above and looks
like:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

Assuming you follow the recommendations things will work exactly the way
you ask.

If you decide on remaking the ruleset completely from scratch you must
understand the implied inverse default etc, not to mention a good
understanding of the top-down logics of http_access.

Regards
Henrik
Received on Sun Feb 06 2005 - 03:53:09 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST