Re: [squid-users] [squid-users] FAQ 10.11 Banning all other destinations

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 7 Feb 2005 21:56:15 +0100 (CET)

On Mon, 7 Feb 2005 johnsuth@acenet.com.au wrote:

> In Squid 2.5.s8_OS2_VAC my squid.conf included this example from FAQ 10.11
> acl xxx dst 0.0.0.0/0.0.0.0
> http_access deny xxx
>
> However, web pages not previously allowed in the sequence of rules, were nevertheless
> allowed to be served from cache, contrary to my wishes.
>
> I understand that if I accept free software, then I am a beta tester.

You are definitely not a beta tester by accepting to use free software.

If you accept to use snapshot or development versions then you are a beta
tester.

> I suppose the Squid community takes no responsibility for the integrity
> of any specific build of Squid.

The Squid developers take no responsibility for the suitability of Squid
for any purpose, but neither does any of the commercial software providers
;-)

Seriously, we do take Squid very seriously.

> # TAG: http_access
> #Recommended minimum configuration:
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny to_localhost
> http_access allow government
> http_access allow education
> http_access allow google
> http_access allow acenet
> http_access allow localnet
> http_access deny ip
> http_access deny http
> http_access allow www

I would recommend you to read the "Squid FAQ 10.1 Access Controls -
Introduction" for a description of how the http_access directive works.

The above http_access rule list is most certainly not what you intended as
it allows:

  - the whole world is given access to government, education, google and
acenet via your proxy

  - localnet access to anything

  - everything else not listed above is denied access by the ip rule (i.e.
the whole world except your localnet is denied to go to any sites not
listed above)

  - and the two last rules (http, www) can never be reached as the "deny
ip" rule has already caught everything.

Regards
Henrik
Received on Mon Feb 07 2005 - 13:56:18 MST
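To make the first-match evaluation described in the reply concrete, here is an added Python simulation of the quoted http_access list; it is not code from the post or from Squid. The ACL definitions, client and server addresses are constructed assumptions (the post does not show them), with "ip" assumed to be the FAQ 10.11 match-all dst ACL, and the manager, Safe_ports, to_localhost and http rules are left out.

```python
import ipaddress

# ACL names are taken from the quoted squid.conf; the definitions below are
# constructed assumptions for the simulation (the post does not show them).
ACLS = {
    "government": ("dstdomain", [".gov.au"]),
    "education":  ("dstdomain", [".edu.au"]),
    "google":     ("dstdomain", [".google.com"]),
    "acenet":     ("dstdomain", [".acenet.com.au"]),
    "localnet":   ("src",       ["192.168.0.0/16"]),
    "ip":         ("dst",       ["0.0.0.0/0"]),   # FAQ 10.11 match-all ACL
    "www":        ("dstdomain", [".example.com"]),
}

# The quoted http_access lines, in order (manager/Safe_ports/to_localhost/http omitted).
RULES = [
    ("allow", "government"), ("allow", "education"), ("allow", "google"),
    ("allow", "acenet"), ("allow", "localnet"), ("deny", "ip"), ("allow", "www"),
]

def acl_matches(name, src_ip, dst_ip, dst_host):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "dst":
        return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(v) for v in values)
    # dstdomain with a leading dot matches the domain itself and all its subdomains
    return any(dst_host == v.lstrip(".") or dst_host.endswith(v) for v in values)

def http_access(src_ip, dst_ip, dst_host):
    """First matching rule wins; returns (action, index of the deciding rule)."""
    for i, (action, acl) in enumerate(RULES):
        if acl_matches(acl, src_ip, dst_ip, dst_host):
            return action, i
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("deny" if RULES[-1][0] == "allow" else "allow"), None

def shadowed_rules():
    """Indices of rules that can never be reached because an earlier rule
    uses an address ACL covering everything (prefix length 0)."""
    for i, (_, acl) in enumerate(RULES):
        kind, values = ACLS[acl]
        if kind in ("src", "dst") and any(
                ipaddress.ip_network(v).prefixlen == 0 for v in values):
            return list(range(i + 1, len(RULES)))
    return []

if __name__ == "__main__":
    # A client anywhere on the Internet reaching a government site is allowed by rule 0.
    print(http_access("203.0.113.5", "198.51.100.1", "www.gov.au"))
    # The same client to a "www" site is denied by rule 5 before "allow www" is reached.
    print(http_access("203.0.113.5", "198.51.100.2", "www.example.com"))
    print("unreachable rules:", [RULES[i] for i in shadowed_rules()])
```

Running it shows the open-proxy effect for the allowed domains and reports the trailing rule as unreachable, which is the check to apply before deploying a catch-all deny.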