Re: [squid-users] Hole in my thinking

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 07 Jun 2007 16:01:02 -0800

Bobby wrote:
> Hi List,
>
> I've been battling with this configuration and at this point I don't think I'm
> seeing straight. The idea is to have a few groups with some specific access
> tables for each of them. But somehow, besides for manager, it either lets
> them all through or none, rather than following the valid -http access lists.
>
> Please help me see the errors of my way!
>
>
> This is running on openbsd where pf is redirecting traffic from 80 to 3128 on
> the loopback device.
>
> --------------------------------------------------
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 5203
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> acl our_networks src 172.16.10.0/24
> #http_access allow our_networks
>
> http_access allow Safe_ports
>

Here is the first line that matches. Everyone is allowed through (as
long as they are trying to access a Safe_port). Is this just here while
you test?

> # Each src file has a list of internal IP's, and each dst file
> #has a list of domains they can visit.
> acl operators-src src "/etc/squid/T_operators"
> acl operators-dst dst "/etc/squid/T_operators-http"
>

Hard to diagnose a problem without knowing what the contents of these
files are...

> acl managers-src src "/etc/squid/T_managers"
> acl managers-dst dst "/etc/squid/T_managers-http"
> acl servers-src src "/etc/squid/T_servers"
> acl servers-dst dst "/etc/squid/T_servers-http"
> acl finance-src src "/etc/squid/T_finance"
> acl finance-dst dst "/etc/squid/T_finance-http"
> acl admins-src src "/etc/squid/T_admins"
> acl admins-dst dst all
>

Perhaps the "all" keyword works as you expect it to, but it seems to me
that it would be better to define it as an explicit destination IP
(0.0.0.0/0).

> acl clients src 0.0.0.0/0.0.0.0
> acl client-http dst 172.16.10.3
>
> http_access allow managers-src managers-dst
> http_access allow operators-src operators-dst
> http_access allow admins-src admins-dst
> http_access allow servers-src servers-dst
> http_access allow finance-src finance-dst
> http_access allow clients client-http
>
> http_access deny all
> http_reply_access deny all
>

Whoa. You probably don't want to do this. http_reply_access controls
what responses to your client's queries are allowed. Here you are
rejecting all responses...

> icp_access allow all
>
> visible_hostname gw0.example.com
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> coredump_dir /var/squid/cache
>

Chris
Received on Thu Jun 07 2007 - 18:01:13 MDT
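To make the first-match behaviour Chris points at concrete, here is a small simulator of Squid's `http_access` evaluation, written for this archive page and not taken from the thread or from Squid itself. It models the posted rule order (a line matches only when every ACL on it matches; the first matching line decides; if no line matches, the result is the opposite of the last line's action) and compares it with the same list minus the blanket `http_access allow Safe_ports` line. The contents of the `T_operators`, `T_operators-http` and `T_admins` files are not on the page, so the addresses used for them below are constructed assumptions, as are the sample requests; the `Safe_ports` list is kept exactly as posted (port 5203 only), which is why the sample requests use that port and why the port-80 request is stopped by `deny !Safe_ports`.

```python
import ipaddress
from dataclasses import dataclass

# ACL table mirroring the posted squid.conf. The per-group src/dst values
# are constructed stand-ins for the file contents the post does not show.
ACLS = {
    "all":           ("src", ["0.0.0.0/0"]),
    "manager":       ("proto", ["cache_object"]),
    "localhost":     ("src", ["127.0.0.1/32"]),
    "to_localhost":  ("dst", ["127.0.0.0/8"]),
    "SSL_ports":     ("port", [443, 563]),
    "Safe_ports":    ("port", [5203]),                 # as posted: only 5203
    "CONNECT":       ("method", ["CONNECT"]),
    "operators-src": ("src", ["172.16.10.20/32"]),     # assumed T_operators
    "operators-dst": ("dst", ["198.51.100.0/24"]),     # assumed T_operators-http
    "admins-src":    ("src", ["172.16.10.5/32"]),      # assumed T_admins
    "admins-dst":    ("dst", ["0.0.0.0/0"]),           # "dst all"
    "clients":       ("src", ["0.0.0.0/0"]),
    "client-http":   ("dst", ["172.16.10.3/32"]),
}


@dataclass
class Request:
    src: str
    dst: str
    port: int
    method: str = "GET"
    proto: str = "http"


def acl_matches(name, req):
    """Match one ACL reference (optionally negated with '!') against a request."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(getattr(req, kind))
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = req.port in values
    elif kind == "method":
        hit = req.method in values
    else:  # proto
        hit = req.proto in values
    return hit != negate


def evaluate(rules, req):
    """First-match http_access evaluation.

    Returns (action, index of the matching line). A line matches when all of
    its ACLs match. If nothing matches, Squid applies the opposite of the
    last line's action, reported here with index None.
    """
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(n, req) for n in names):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


# The http_access lines in the order they appear in the posted config.
POSTED_RULES = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["to_localhost"]),
    ("allow", ["Safe_ports"]),            # the line Chris flags
    ("allow", ["operators-src", "operators-dst"]),
    ("allow", ["admins-src", "admins-dst"]),
    ("allow", ["clients", "client-http"]),
    ("deny",  ["all"]),
]

# Same list with the blanket allow removed, so the per-group lines decide.
FIXED_RULES = [r for r in POSTED_RULES if r != ("allow", ["Safe_ports"])]

# Constructed sample requests.
OPERATOR_OFFLIST = Request("172.16.10.20", "203.0.113.9", 5203)   # not in operators-dst
OPERATOR_ONLIST = Request("172.16.10.20", "198.51.100.7", 5203)   # in operators-dst
ANY_PORT_80 = Request("172.16.10.20", "198.51.100.7", 80)         # not a Safe_port
MANAGER_LOCAL = Request("127.0.0.1", "127.0.0.1", 3128, proto="cache_object")
MANAGER_REMOTE = Request("172.16.10.20", "172.16.10.1", 3128, proto="cache_object")


def compare(req):
    """Return {'posted': (action, line), 'fixed': (action, line)} for a request."""
    return {"posted": evaluate(POSTED_RULES, req), "fixed": evaluate(FIXED_RULES, req)}


if __name__ == "__main__":
    for label, req in [("operator, off-list dst", OPERATOR_OFFLIST),
                       ("operator, on-list dst", OPERATOR_ONLIST),
                       ("port 80", ANY_PORT_80),
                       ("manager from localhost", MANAGER_LOCAL),
                       ("manager from LAN", MANAGER_REMOTE)]:
        print(f"{label:24s} {compare(req)}")
```

Run as a script it prints, for each sample request, which line decided it under the posted order and under the corrected order; the off-list operator request is the one whose outcome flips from `allow` (line 5, the blanket `Safe_ports` allow) to `deny` (the final `deny all`).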

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT