On Tue, 24 Feb 2004, Eric Kahklen wrote:

> Now that I have my squid accelerator working, I need to tighten down my
> ACLs. I am allowing SSL traffic in for the reverse proxying of OWA. I
> am not offering any other proxying services. Any comments or
> suggestions on improving/securing this would be appreciated. Here are
> the ACLs I have that were combined with the default conf file:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT

A bit overkill for the above situation.

> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager

Ok.

> # Deny requests to unknown ports
> http_access deny !Safe_ports

Ok if this was an Internet proxy.

> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports

As above.

> #MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
> acl Exchangebox dst 10.0.0.5
> http_access allow Exchangebox
> http_access deny all

Ok.

> # And finally deny all other access to this proxy
> http_access allow localhost

What is this? Clearly not what the comment claims. But you have already
denied everything above, so it can never get here.

> # and finally allow by default
> http_reply_access allow all

Ok. Does not need to be specified.

> #Allow ICP queries from everyone
> icp_access allow all

You don't want ICP in a reverse proxy. In fact I would recommend you to
disable ICP entirely (see icp_port).

I would propose something like the following configuration for your
reverse proxy:

# Base ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http proto HTTP
acl port80 port 80
acl https proto HTTPS
acl port443 port 443

# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

# Allow access to our servers
acl Exchangebox dst 10.0.0.5
http_access allow https port443 Exchangebox

[or if you are using Squid-3 with cache_peer based forwarding]

acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
http_access allow https port443 Exchangebox

# And finally deny all other access to this proxy
http_access deny all

# Disable ICP
icp_port 0

Regards
Henrik
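The difference between the two rule sets above comes down to how Squid walks `http_access`: top-down, every ACL on a line must match (a leading `!` negates one), the first matching line decides, and if nothing matches the default is the opposite of the last line. The following Python script is an added example, not code from this thread or from the Squid project. It models that evaluation for the ACL types the two configurations use (`src`, `dst`, `port`, `proto`, `method`) and runs both configurations against constructed requests. Eric's `Safe_ports` lines are collapsed onto one line (Squid accepts multiple values per `acl` line), Henrik's `dst`-based variant is used, and all IP addresses are made up. It shows that Eric's `allow Exchangebox` also passes plaintext HTTP to the Exchange box, that his trailing `allow localhost` can never be reached behind `deny all`, and why a final `deny all` matters at all.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Supported acl types: src, dst, port, proto, method. Anything else raises,
so a rule the model cannot judge is never silently treated as a match.
"""
import ipaddress
from dataclasses import dataclass

# Eric's rules from the thread; Safe_ports collapsed onto one line.
ERIC_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl Exchangebox dst 10.0.0.5
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow Exchangebox
http_access deny all
http_access allow localhost
"""

# Henrik's proposal, dst-based variant.
HENRIK_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl https proto HTTPS
acl port443 port 443
acl manager proto cache_object
acl Exchangebox dst 10.0.0.5
http_access allow manager localhost
http_access deny manager
http_access allow https port443 Exchangebox
http_access deny all
"""


@dataclass
class Request:
    src: str          # client address
    dst: str          # origin server address the request resolves to
    port: int         # origin server port
    proto: str        # http, https, cache_object, ...
    method: str = "GET"


def parse_conf(text):
    """Return ({acl name: (type, [values])}, [(action, [(negated, acl name)])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            acltype_seen, seen = acls.setdefault(name, (acltype, []))
            if acltype_seen != acltype:
                raise ValueError(f"acl {name} redefined with a different type")
            seen.extend(values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _ip_match(values, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def _port_match(values, port):
    for v in values:                      # "443" or "1025-65535"
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    acltype, values = acls[name]
    if acltype == "src":
        return _ip_match(values, req.src)
    if acltype == "dst":
        return _ip_match(values, req.dst)
    if acltype == "port":
        return _port_match(values, req.port)
    if acltype == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {acltype!r} not modelled")


def http_access(acls, rules, req):
    """Return (decision, index of the deciding line) or (default, None)."""
    if not rules:
        return "deny", None               # Squid denies when no http_access lines exist
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action, i
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def decide(conf_text, req):
    return http_access(*parse_conf(conf_text), req)


def unreachable_rules(acls, rules):
    """Indices of lines behind an unconditional 'src 0.0.0.0/0.0.0.0' line
    (the `all` idiom). Deliberately crude; it catches the thread's mistake."""
    for i, (_, terms) in enumerate(rules):
        if len(terms) == 1 and not terms[0][0]:
            acltype, values = acls[terms[0][1]]
            if acltype == "src" and "0.0.0.0/0.0.0.0" in values:
                return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    probes = [Request("192.0.2.10", "10.0.0.5", 443, "https"),
              Request("192.0.2.10", "10.0.0.5", 80, "http"),
              Request("192.0.2.10", "198.51.100.7", 443, "https"),
              Request("127.0.0.1", "198.51.100.7", 80, "http")]
    for req in probes:
        print(req, "Eric:", decide(ERIC_CONF, req), "Henrik:", decide(HENRIK_CONF, req))
    print("unreachable in Eric's config:", unreachable_rules(*parse_conf(ERIC_CONF)))
```

Running it shows the plaintext request to 10.0.0.5:80 is allowed by Eric's rules (line 4, `allow Exchangebox`) and denied by Henrik's, and that line 6 of Eric's config is unreachable. The model only covers the ACL types in this thread; treat it as a way to reason about rule order, not as a substitute for testing the real Squid instance.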
