Hi again,

With this config I get:
ERROR: No forward-proxy ports configured.

I am wondering if I could just add a dummy entry: http_port 3130 to suppress this error. But not sure how this is useful when reading: https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

Alex

On Tue, May 8, 2018 at 7:49 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 08/05/18 22:36, Alex K wrote:
> > Correction:
> >
> > On Tue, May 8, 2018 at 1:35 PM, Alex K wrote:
> >
> > Hi Amos,
> >
> > On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries wrote:
> >
> > On 08/05/18 04:56, Alex K wrote:
> > > Hi Amos,
> > >
> > > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
> > >
> > > On 08/05/18 00:24, Alex K wrote:
> > > > Hi all,
> > >
> > > ...
> > > > acl localhost src 192.168.200.1/32
> > >
> > > 192.168.200.1 is assigned to your lo interface?
> > >
> > > Yes, this is the IP of one of the interfaces of the device at the
> > > network where the users use squid to reach Internet.
> > >
> >
> > No, I mean specifically the interface named "lo" which has ::1 and
> > 127.0.0.0/8 assigned by the system. It has some special security
> > properties like hardware restriction preventing globally routable IPs
> > being used as dst-IP of packets even routed through it result in
> > rejections.
> >
> > I have not assigned 192.168.200.1 at lo. It is assigned to an
> > interface (eth3 for example). localhost is here misleading. it could
> > say "proxy"
>
> Yes, it should be different. "localhost" ACL is used for some defaults.
> What you are doing here is adding 192.168.200.1 to the ::! etc
> definition of the predefined localhost ACL.
>
> >
> > >
> > > > acl SSL_ports port 443
> > > > acl Safe_ports port 80
> > > > acl Safe_ports port 21
> > > > acl Safe_ports port 443
> > > > acl Safe_ports port 10080
> > > > acl Safe_ports port 10443
> > > > acl SSL method CONNECT
> > >
> > > The above can be quite deceptive,
> > >
> > > I removed port 21 as I don't think I am using FTP.
> > >
> >
> > Sorry, I missed out the last half of that text. I was meaning the "SSL"
> > ACL definition specifically. CONNECT method is not restricted to SSL
> > protocol even when all you are doing is intercepting port 443 (think
> > HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
> > CONNECT ACL in place of "SSL" - they are identical in definition and
> > CONNECT is clearer to see if/when some access control is not as tightly
> > restricted as "SSL" would make it seem.
> >
> > You mean remove "acl SSL method CONNECT" and leave only "acl
> > CONNECT method CONNECT" ?
> >
>
> Yes. Exactly so.
>
> Amos
>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
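
The two ACL problems raised in this thread (a non-loopback address added to the predefined localhost ACL, and an ACL named "SSL" that simply matches method CONNECT) can be checked for mechanically. The Python sketch below is an added example, not part of the original messages and not Squid project code; the function name lint_acls and the sample configuration are constructed for illustration from the lines quoted above.

```python
import ipaddress

# Constructed sample input, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
acl localhost src 192.168.200.1/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT
"""


def lint_acls(conf_text):
    """Return (line_no, acl_name, message) for the two issues in the thread."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        tokens = line.split("#", 1)[0].split()  # drop trailing comments
        if len(tokens) < 4 or tokens[0] != "acl":
            continue
        name, acl_type, values = tokens[1], tokens[2], tokens[3:]
        if name == "localhost" and acl_type == "src":
            # Anything listed here is merged into the predefined ACL,
            # so a LAN address silently inherits its defaults.
            for value in values:
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue  # not a plain address/CIDR (range, file, ...)
                if not net.is_loopback:
                    findings.append((line_no, name,
                                     f"{value} is not loopback but is added "
                                     "to the predefined localhost ACL"))
        elif acl_type == "method" and values == ["CONNECT"] and name != "CONNECT":
            # The name suggests a protocol restriction that does not exist.
            findings.append((line_no, name,
                             "matches every CONNECT request regardless of "
                             "protocol; use the CONNECT ACL name instead"))
    return findings


if __name__ == "__main__":
    for line_no, name, message in lint_acls(SAMPLE_CONF):
        print(f"line {line_no}: acl {name}: {message}")
```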