Maarten J H van den Berg wrote:
> Hi List,
>
> I configured squid as accelerator, so in order to give anyone access to
> the server that's being accelerated, I'd have to make an ACL
> http_access allow all
> ... cause otherwise no traffic gets through. Right ?
You need to do access controls, but you should not give full rights to
everyone.
> Does this not leave any (obscure or not) backdoors through which squid
> can be used as a (thus OPEN!) proxy, despite being an accelerator ?
In most cases the above will cause an open proxy.
> How would one make a secure ACL list when the two functions are used
> together (accelerator+proxy) ? Not that I need or want to, but...
By making proper access lists, listing who is allowed to access what.
I.e. something like the following:
acl to_myservers dst ip.of.accelerated.servers ...
acl from_mynetworks src local.client.networks...
acl http protocol HTTP
acl port_80 port 80
http_access allow http port_80 to_myservers
http_access allow from_mynetworks
inserted where instructed to in the default squid.conf..
Regards
Henrik
Received on Tue Jun 11 2002 - 10:23:22 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:38 MST