On Mon, 7 Feb 2005 johnsuth@acenet.com.au wrote:
> In Squid 2.5.s8_OS2_VAC my squid.conf included this example from FAQ 10.11
> acl xxx dst 0.0.0.0/0.0.0.0
> http_access deny xxx
>
> However, web pages not previously allowed in the sequence of rules, were nevertheless
> allowed to be served from cache, contrary to my wishes.
>
> I understand that if I accept free software, then I am a beta tester.
You are definitely not a beta tester by accepting to use free software.
If you accept to use snapshot or development versions then you are a beta
tester.
> I suppose the Squid community takes no responsibility for the integrity
> of any specific build of Squid.
The Squid developers take no responsibility for the suitability of Squid
for any purpose, but neither does any of the commercial software providers
;-)
Seriously, we do take Squid very seriously.
> # TAG: http_access
> #Recommended minimum configuration:
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny to_localhost
> http_access allow government
> http_access allow education
> http_access allow google
> http_access allow acenet
> http_access allow localnet
> http_access deny ip
> http_access deny http
> http_access allow www
I would recommend you to read the "Squid FAQ 10.1 Access Controls -
Introduction" for a description of how the http_access directive works.
The above http_access rule list is most certainly not what you intended as
it allows:
- the whole world is given access to government, education, google and
acenet via your proxy
- localnet access to anything
- everything else not listed above is denied access by the ip rule (ie.
the whole world except your localnet is denied to go to any sites not
listed above)
- and the two last rules (http, www) can never be reached as the "deny
ip" rule has already caught everything.
Regards
Henrik
Received on Mon Feb 07 2005 - 13:56:18 MST
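
The first-match evaluation described in the reply above, modelled on the quoted rule list. This is an added example, not part of the original message and not Squid's code; the acl definitions, addresses and domains are assumptions, since the message shows only the http_access lines.

```python
import ipaddress
# The http_access lines quoted in the message, in the same order.
CONF = """http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny to_localhost
http_access allow government
http_access allow education
http_access allow google
http_access allow acenet
http_access allow localnet
http_access deny ip
http_access deny http
http_access allow www"""
RULES = [line.split()[1:] for line in CONF.splitlines()]  # [action, acl, ...]

def net(field, cidr):  # request address (src or dst) inside a network
    return lambda r: ipaddress.ip_address(r[field]) in ipaddress.ip_network(cidr)
def dom(suffix):  # destination host inside a domain
    return lambda r: ("." + r["host"]).endswith(suffix)

# ASSUMED acl definitions: the message shows only the http_access lines.
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": net("src", "127.0.0.1/32"), "to_localhost": net("dst", "127.0.0.0/8"),
    "Safe_ports": lambda r: r["port"] in (21, 80, 443),
    "government": dom(".gov.au"), "education": dom(".edu.au"),
    "google": dom(".google.com"), "acenet": dom(".acenet.com.au"),
    "localnet": net("src", "192.168.0.0/16"),
    "ip": lambda r: True,  # taken to be dst 0.0.0.0/0.0.0.0: matches everything
    "http": lambda r: r["proto"] == "http", "www": lambda r: r["port"] == 80,
}

def decide(req, rules=RULES):
    """First line whose ACLs ALL match decides (a leading ! negates an ACL)."""
    for n, (action, *acls) in enumerate(rules, 1):
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls):
            return action, n
    return None, None

def shadowed(rules=RULES, catch_all=("ip",)):
    """Line numbers after a lone catch-all ACL; no request can reach them."""
    for n, (_, *acls) in enumerate(rules, 1):
        if set(acls) <= set(catch_all):
            return list(range(n + 1, len(rules) + 1))
    return []

if __name__ == "__main__":
    print("unreachable http_access lines:", shadowed())
```

Calling `decide()` with a request dict (`src`, `host`, `dst`, `port`, `proto`) returns the action and the number of the line that decided it, which makes it easy to see that a client outside localnet is allowed through to the listed sites before any deny is consulted.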