[squid-users] squid 2.6 as transparent proxy, question acls and safe ports?

From: Dave <dmehler26@dont-contact.us>
Date: Mon, 5 Mar 2007 09:20:58 -0500

Hello,
    I'm running Squid on a FreeBSD 6.x box as a transparent proxy. I
recently did a reinstall, updating from 2.5 to 2.6 via ports. I've got
transparent proxying working, but I do have a question about the acls. This is a
block from my squid.conf file:

# Access-control definitions. An acl line only *names* a set of requests;
# nothing is allowed or denied until an http_access line uses it.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access lines are evaluated top to bottom and the FIRST line whose
# acls all match decides the request; lines below it are not consulted.
# A line with several acls matches only when EVERY one of them matches (AND).
# Only allow cachemgr access from localhost
# (the allow matches only manager requests from 127.0.0.1; any other
# manager request falls through to the deny on the next line)
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
# (keeps the proxy from being used to reach non-web services such as
# SMTP or SSH on arbitrary destination ports)
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
# (a CONNECT tunnel relays raw TCP, so it is limited to 443)
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

Do I need the above block? It seems like manager is first being allowed and then
denied. And I'm not sure of the purpose of the Safe_ports, SSL_ports and CONNECT
acls. Are they enforced automatically by Squid, or do I have to put in a firewall
rule for them?
    Thanks and sorry about the confusion. My complete conf is below,
additional suggestions welcome.
Thanks.
Dave.

squid.conf
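# Listens only on loopback: the firewall redirect (ipfw fwd / pf rdr) that
# makes the proxy "transparent" must target 127.0.0.1:3128, and nothing on
# the LAN can connect to port 3128 directly.
http_port 127.0.0.1:3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?

# Avoid caching cgi scripts and dynamic queries.
# urlpath_regex is matched against the URL path only (the part after the
# host), so hostnames placed there never match. The two names that look
# like hostnames (assumed to be sites to keep out of the cache) go in a
# dstdomain acl instead; a leading dot also covers their subdomains.
acl QUERY urlpath_regex cgi-bin \?
acl no_cache_sites dstdomain .passion.com .bookshare.org
# A no_cache line matches only when ALL acls on it match (AND), so each
# exclusion gets its own line.
no_cache deny QUERY
no_cache deny no_cache_sites

cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir ufs /usr/local/squid/cache 600 32 512
access_log /usr/local/squid/logs/access.log squid
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
mime_table /usr/local/etc/squid/mime.conf
log_mime_hdrs off
pid_filename /usr/local/squid/logs/squid.pid
log_fqdn off
check_hostnames off
allow_underscore off
unlinkd_program /usr/local/libexec/squid/unlinkd

# Access-control definitions. An acl line only names a set of requests;
# nothing is allowed or denied until an http_access line uses it.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# http_access lines are evaluated top to bottom; the FIRST line whose acls
# all match decides the request and nothing below it is consulted.
# Only allow cachemgr access from localhost (the allow matches manager
# requests from 127.0.0.1 only; every other manager request falls through
# to the deny on the next line).
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports (keeps the proxy from being used to reach
# non-web services such as SMTP or SSH on arbitrary destination ports).
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports (a CONNECT tunnel relays raw TCP,
# so it is limited to 443).
http_access deny CONNECT !SSL_ports
#
# Protect web applications running on the proxy host that assume only a
# local user can reach services on "localhost".
http_access deny to_localhost
#
# Client networks allowed to browse through this proxy. Adapt to list
# your (internal) IP networks from where browsing should be allowed.
acl our_networks src xxx.xxx.xxx.xxx/xx
acl chat dstdomain "/usr/local/etc/squid/chat.txt"
# pornography regex
acl porn url_regex "/usr/local/etc/squid/porn"
acl spyware dstdomain "/usr/local/etc/squid/spyware.acl"
# The content blocks must come BEFORE the allow: "allow our_networks" is a
# terminal match for those clients, so any deny placed after it is never
# reached. Each list also gets its own deny line, because a single
# "deny chat porn spyware" would only fire on a request that matched all
# three lists at the same time.
http_access deny chat
http_access deny porn
http_access deny spyware
http_access allow our_networks
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
cache_mgr xxx@xxxx.xxx
cache_effective_user squid
# httpd_suppress_version_string off
# httpd_accel_no_pmtu_disc off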

# TAG: icap_enable on|off
# If you want to enable the ICAP client module, set this to on.
#
#Default:
# icap_enable off

# TAG: err_html_text
# HTML text to include in error messages. Make this a "mailto"
# URL to your admin address, or maybe just a link to your
# organizations Web page.
#
# To include this in your error messages, you must rewrite
# the error template files (found in the "errors" directory).
# Wherever you want the 'err_html_text' line to appear,
# insert a %L tag in the error template file.
#
#Default:
# none

# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://... acl
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# This can be used to return a ERR_ page for requests which
# do not pass the 'http_access' rules. A single ACL will cause
# the http_access check to fail. If a 'deny_info' line exists
# for that ACL Squid returns a corresponding error page.
#
# You may use ERR_ pages that come with Squid or create your own pages
# and put them into the configured errors/ directory.
#
# Alternatively you can specify an error URL. The browsers will
# get redirected (302) to the specified URL. %s in the redirection
# URL will be replaced by the requested URL.
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
#Default:
# none