27-Mar-02 at 09:26, Jeff Zimmerman (jeff@stjohnks.net) wrote :
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl localnet src 208.189.228.0/255.255.255.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost localnet
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow all
> icp_access allow all
>
Try this for the http_access lines:

http_access allow manager localhost
# note this is a protocol + userlist so you will only allow localnet to
# use the manager acl if like your config above
http_access deny manager # to stop localhost doing anything but "manager"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

NEVER allow all for http_access. Proxies are abused. You may firewall to
stop people getting to it from the outside, but I prefer just setting
those parameters in 2 places rather than one. More defences.

Does this help?
--
[Simon White. vim/mutt. simon@mtds.com. GIMPS:57.19% see www.mersenne.org]
Not only does Jesus save, but he makes nightly off-site backups.
[Arbitrary quotes signature rotation, a simple bash script by Simon White]

Received on Wed Mar 27 2002 - 10:21:56 MST
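
Added example (not part of the original message, and not Squid's own code): a small Python model of how http_access lines are evaluated, where the first matching line wins and the ACLs named on one line are ANDed, run against the original and the suggested rule sets. The client addresses and the request()/decide() helpers are constructed for illustration; the ports and networks come from the quoted config.

```python
import ipaddress

# ACL definitions taken from the configuration quoted in the post.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}
ACLS = {
    "all":        lambda r: True,
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == ipaddress.ip_address("127.0.0.1"),
    "localnet":   lambda r: r["src"] in ipaddress.ip_network("208.189.228.0/24"),
    "SSL_ports":  lambda r: r["port"] in (443, 563),
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
}
ORIGINAL = """
allow manager localhost localnet
deny manager
deny !Safe_ports
deny CONNECT !SSL_ports
allow all
"""
SUGGESTED = """
allow manager localhost
deny manager
deny !Safe_ports
deny CONNECT !SSL_ports
allow localnet
deny all
"""

def request(src, port=80, method="GET", proto="http"):
    """Build a constructed request record for the model."""
    return {"src": ipaddress.ip_address(src), "port": port,
            "method": method, "proto": proto}

def decide(rules, req):
    """Return 'allow' or 'deny': first matching line wins, ACLs on a line are ANDed."""
    action = "allow"
    for line in rules.strip().splitlines():
        action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

OUTSIDE = request("203.0.113.7")       # constructed client outside localnet
INSIDE = request("208.189.228.10")     # constructed client inside localnet
LOCAL_MGR = request("127.0.0.1", proto="cache_object")
if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, [decide(rules, r) for r in (OUTSIDE, INSIDE, LOCAL_MGR)])
```

With the original rules the outside client is allowed by the final "allow all", and the first manager line never matches because no source address is both localhost and in localnet. With the suggested rules only localnet clients and cache manager requests from localhost get through.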