Re: [squid-users] ACLs when using accelerator mode ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 11 Jun 2002 18:23:18 +0200

Maarten J H van den Berg wrote:
> Hi List,
>
> I configured squid as accelerator, so in order to give anyone access to
> the server that's being accelerated, I'd have to make an ACL
> http_access allow all
> ... cause otherwise no traffic gets through. Right ?

You need to do access controls, but you should not give full rights to
everyone.

> Does this not leave any (obscure or not) backdoors through which squid
> can be used as a (thus OPEN!) proxy, despite being an accelerator ?

In most cases the above will cause an open proxy.

> How would one make a secure ACL list when the two functions are used
> together (accelerator+proxy) ? Not that I need or want to, but...

By making proper access lists, listing who is allowed to access what.

I.e. something like the following:

acl to_myservers dst ip.of.accelerated.servers ...
acl from_mynetworks src local.client.networks...

acl http protocol HTTP
acl port_80 port 80

http_access allow http port_80 to_myservers
http_access allow from_mynetworks

inserted where instructed to in the default squid.conf.

Regards
Henrik
Received on Tue Jun 11 2002 - 10:23:22 MDT
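
Added example (not part of the original message, and not Squid's own code): a simplified Python model of http_access first-match evaluation, comparing `http_access allow all` with the ACLs suggested above. The addresses, the sample requests and the trailing `deny all` rule (as in the default squid.conf) are assumptions.

```python
import ipaddress

# Constructed ACL values (documentation address ranges), not from the post.
ACLS = {
    "all":             ("src", ["0.0.0.0/0"]),
    "to_myservers":    ("dst", ["192.0.2.10/32"]),
    "from_mynetworks": ("src", ["10.0.0.0/8"]),
    "http":            ("proto", ["HTTP"]),
    "port_80":         ("port", [80]),
}
OPEN = ["allow all"]
RESTRICTED = ["allow http port_80 to_myservers",
              "allow from_mynetworks",
              "deny all"]  # assumed final rule, as in the default squid.conf

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind in ("src", "dst"):  # model uses IPs; real dst ACLs resolve the URL host
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v) for v in values)
    return req[kind] in values

def http_access(rules, req):
    """First rule whose ACLs all match decides the request."""
    for rule in rules:
        action, *names = rule.split()
        if all(acl_matches(n, req) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule.
    return "deny" if rules[-1].startswith("allow") else "allow"

def make_req(src, dst, port=80, proto="HTTP"):
    return {"src": src, "dst": dst, "port": port, "proto": proto}

# Constructed requests: outside client 203.0.113.5, third-party site 198.51.100.7.
SAMPLES = {
    "outside -> accelerated server": make_req("203.0.113.5", "192.0.2.10"),
    "outside -> third-party site": make_req("203.0.113.5", "198.51.100.7"),
    "outside -> server, port 8080": make_req("203.0.113.5", "192.0.2.10", port=8080),
    "local -> third-party site": make_req("10.1.2.3", "198.51.100.7"),
}

def evaluate(rules):
    return {label: http_access(rules, r) for label, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, rules in (("allow all", OPEN), ("restricted", RESTRICTED)):
        for label, verdict in evaluate(rules).items():
            print(f"{name:10} {label:30} {verdict}")
```

The "outside -> third-party site" row is the open-proxy case: it is allowed under `allow all` and denied under the restricted list.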