On 09/06/11 23:11, kkk kkk wrote:
> Hi everyone,
>
> I'm running Squid 3.1 in Interception mode that is set to intercept
> traffic to a list of 10 websites.
> One security concern I have is that anyone in my ACL can enter my
> proxy IP and port in their browser and use it as a regular proxy.
>
> Is there a way to disable this access? If I can disable this access,
You fail to say which NAT infrastructure is being used to intercept.
The Linux intercept examples have been updated to include rules in the
"mangle" netfilter table which provide this protection.
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
If you are using some other form of NAT, nobody has (yet) provided any
extra details about solving this problem.
> no one can abuse my service because I can control what dstDomains will
> use my proxy.
Your configuration displays that this claim is probably false. See below.
>
> This is my current setup:
>
> acl allowed_IP src IP
> http_access allow allowed_IP
Anyone in the allowed_IP list can do anything they like regardless of
domain.
> http_access deny all
>
>
> Only domains I want to allow access:
> acl allowed_domains dstdomain
>
>
> If it's not theoretically possible, how can I write an ACL combo that
> only allows "allowed_ip" to access "allowed_domains" instead of
> accessing everything once it's allowed?
Access controls in Squid are a complete boolean logic language. Anything
that can be described in if-else form can be configured.
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.8 and 3.1.12.2

Received on Fri Jun 10 2011 - 06:40:01 MDT
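A squid.conf fragment, added here as an illustration and not taken from the thread, showing the single-line AND combination Amos refers to, plus a myportname check so that only intercepted requests are allowed; the port numbers, port names, client range and domain list are placeholders:

```squid
# Assumed port layout (not from the original thread): browsers are
# NAT-redirected to 3129; 3128 is an explicit port nobody should be using.
http_port 3128 name=explicit
http_port 3129 intercept name=intercepted

# Placeholder values: replace with the real client range and domain list.
acl allowed_IP src 192.0.2.0/24
acl allowed_domains dstdomain .example.com .example.net
acl via_intercept myportname intercepted

# The mistake in the original config: "http_access allow allowed_IP" on
# its own matches before any domain test is reached, so the domain list
# never restricts anything. ACLs on one http_access line are ANDed, so a
# request is allowed only if it comes from an allowed client AND arrived
# through the intercept port AND targets an allowed domain. A request
# sent straight to 3128 as a regular proxy fails via_intercept.
http_access allow allowed_IP via_intercept allowed_domains
http_access deny all

# Caveat: for intercepted traffic dstdomain is evaluated against the
# client-supplied Host header, so the netfilter mangle rules in the wiki
# links above remain the layer that actually blocks direct proxy use.
```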