[squid-users] acl list ?

From: Anthony DeMatteis <adematteis_at_commspeed.net>
Date: Mon, 2 Feb 2009 10:13:32 -0700

Hello all,

I have a question regarding acls. I'm having some trouble with
TCP_DENIED/400 and TCP_DENIED/403 errors. Below you'll see my relevant
squid.conf info.

For clarification, we are a wireless ISP with about 12,000 subscribers.
Much of our network is on public ip space. It was built a long time ago
and has grown. So our squid server is on a public IP address. We have
many servers, some of which host user websites/forums as well as webmail
for our customers. When I use the "http_access deny all" after my other
acls defining our private and public networks, I get the TCP_DENIED
errors. Customers cannot access their website or webmail. When I look
at the access log, I see these IP addresses with the errors coming from
off network. So I would deny, correct? The ports associated with the
errors (2982 3008 3012 3008 3004 3042) are also within the port ranges
allowed as you can see below. Or is what I see happening that my
router is directing port 80 traffic, then squid says "hey, they don't
meet any of the permitted networks, but they do meet acl all
0.0.0.0/0.0.0.0 so deny". But then that doesn't make sense either. My
"wccp web-cache redirect out" is placed on the "outgoing" interface of
the router. Having never worked with a squid cache server before, I'm a
little confused as to what I am seeing, what squid is doing, and what
squid is reporting. Is what I am seeing related to the fact that the
squid server is on a public IP address? Could I get a little
clarification here if possible? Thanks again.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl noc src 211.22.3.10/32
acl cache1 src 211.22.2.159/32
acl our_arizona_networks src 211.22.0.0/18
acl masq_networks src 10.5.0.0/18
acl our_iowa_network src 70.100.192.0/21
acl our_davenport1_network src 70.100.206.0/24
acl our_davenport2_network src 70.100.207.0/24

acl CONNECT method CONNECT # method acl used by the "deny CONNECT !SSL_ports" rule below
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access allow manager cache1
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than safe SSL ports
http_access deny CONNECT !SSL_ports

# Deny Squid CONNECT to SMTP
http_access deny SMTP_port

http_access allow our_arizona_networks
http_access allow masq_networks
http_access allow our_iowa_network
http_access allow our_davenport1_network
http_access allow our_davenport2_network

# I'VE OPENED IT UP BECAUSE OF THE ERRORS - NO DENIED ERRORS NOW!! (YUCK - FIX ME!!!)
http_access allow all

# THIS IS WHAT I DID HAVE IN PLACE
# And finally deny all other access to this proxy
#http_access deny all

http_port 127.0.0.1:3128 transparent
http_port 211.22.2.159:3128 transparent
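An added example (not part of the original post or of Squid itself) that models Squid's first-match evaluation of the http_access list above against constructed sample requests. It shows that an off-network source address falls through every allow rule and lands on `deny all`, that swapping in `allow all` turns a publicly addressed transparent proxy into an open proxy, and, as a caveat, that Squid's `port` acls test the request's destination port rather than the client's ephemeral source port. The sample source addresses are constructed.

```python
# Added example, not from the post: a toy model of Squid's first-match
# http_access evaluation for the acls above. Sample addresses are constructed.
import ipaddress

SRC_ACLS = {  # "acl NAME src CIDR" lines from the posted squid.conf
    "all": "0.0.0.0/0",
    "our_arizona_networks": "211.22.0.0/18",
    "masq_networks": "10.5.0.0/18",
    "our_iowa_network": "70.100.192.0/21",
    "our_davenport1_network": "70.100.206.0/24",
    "our_davenport2_network": "70.100.207.0/24",
}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 563}

def acl_matches(term, src, dst_port, method):
    """One acl term, with optional leading '!'. Port acls test the DESTINATION port."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    if name == "Safe_ports":
        hit = dst_port in SAFE_PORTS
    elif name == "SSL_ports":
        hit = dst_port in SSL_PORTS
    elif name == "CONNECT":
        hit = method == "CONNECT"
    else:
        hit = ipaddress.ip_address(src) in ipaddress.ip_network(SRC_ACLS[name])
    return hit != negate

def http_access(rules, src, dst_port, method="GET"):
    """First rule whose terms all match decides; if none matches, Squid
    applies the opposite of the last rule's action."""
    for action, *terms in rules:
        if all(acl_matches(t, src, dst_port, method) for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

CLOSED = [  # the poster's original ordering (manager rules omitted)
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "our_arizona_networks"),
    ("allow", "masq_networks"),
    ("allow", "our_iowa_network"),
    ("allow", "our_davenport1_network"),
    ("allow", "our_davenport2_network"),
    ("deny", "all"),
]
OPEN = CLOSED[:-1] + [("allow", "all")]  # the "YUCK - FIX ME" variant
```

Calling `http_access(CLOSED, "198.51.100.20", 80)` yields `deny` while `http_access(OPEN, "198.51.100.20", 80)` yields `allow`, which is exactly the TCP_DENIED/403 versus open-proxy difference the two rule sets produce for off-network clients.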
Received on Mon Feb 02 2009 - 17:13:35 MST