Correction: On Tue, May 8, 2018 at 1:35 PM, Alex K <rightkickt...@gmail.com> wrote:
> Hi Amos,
>
> On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries <squ...@treenet.co.nz>
> wrote:
>
>> On 08/05/18 04:56, Alex K wrote:
>> > Hi Amos,
>> >
>> > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
>> >
>> > On 08/05/18 00:24, Alex K wrote:
>> > > Hi all,
>> > >
>> ...
>> > > acl localhost src 192.168.200.1/32
>> >
>> > 192.168.200.1 is assigned to your lo interface?
>> >
>> > Yes, this is the IP of one of the interfaces of the device at the
>> > network where the users use squid to reach Internet.
>> >
>>
>> No, I mean specifically the interface named "lo" which has ::1 and
>> 127.0.0.0/8 assigned by the system. It has some special security
>> properties like hardware restriction preventing globally routable IPs
>> being used as dst-IP of packets even routed through it result in
>> rejections.
>>
> I have not assigned 192.168.200.1 at lo. It is assigned to an interface
> (eth3 for example). localhost is here misleading. it could say "proxy"
>
>> > >
>> > > acl SSL_ports port 443
>> > > acl Safe_ports port 80
>> > > acl Safe_ports port 21
>> > > acl Safe_ports port 443
>> > > acl Safe_ports port 10080
>> > > acl Safe_ports port 10443
>> > > acl SSL method CONNECT
>> >
>> > The above can be quite deceptive,
>> >
>> > I removed port 21 as I don't think I am using FTP.
>> >
>>
>> Sorry, I missed out the last half of that text. I was meaning the "SSL"
>> ACL definition specifically. CONNECT method is not restricted to SSL
>> protocol even when all you are doing is intercepting port 443 (think
>> HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
>> CONNECT ACL in place of "SSL" - they are identical in definition and
>> CONNECT is clearer to see if/when some access control is not as tightly
>> restricted as "SSL" would make it seem.
>
> You mean remove "acl SSL method CONNECT" and leave only "acl CONNECT
> method CONNECT" ?
>
>> Cheers
>> Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
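
The two naming problems raised in this thread (an ACL called "localhost" whose address is not loopback, and a "method CONNECT" ACL called "SSL") can be checked mechanically. The script below is an added example, not part of the original thread or of Squid; the function name lint_acl_names and the sample configuration are constructed for illustration.

```python
import ipaddress

# Constructed sample, modelled on the ACL lines quoted in the thread.
SAMPLE_CONF = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
"""


def lint_acl_names(conf_text):
    """Return (line_no, acl_name, message) for ACL names that overstate
    or misstate what the ACL actually matches."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 4 or fields[0] != "acl":
            continue
        name, acl_type, values = fields[1], fields[2], fields[3:]
        if acl_type == "src" and name.lower() == "localhost":
            # "localhost" suggests the lo interface: 127.0.0.0/8 or ::1 only.
            for value in values:
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue  # ranges and file includes are out of scope here
                if not net.is_loopback:
                    findings.append(
                        (line_no, name, f"{value} is not a loopback address"))
        elif (acl_type == "method" and name != "CONNECT"
              and "CONNECT" in (v.upper() for v in values)):
            # The method says nothing about which protocol is tunnelled.
            findings.append(
                (line_no, name,
                 "matches every CONNECT request, not only TLS tunnels"))
    return findings


if __name__ == "__main__":
    for line_no, name, message in lint_acl_names(SAMPLE_CONF):
        print(f"line {line_no}: acl {name}: {message}")
```
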