[squid-users] RE: SUMMARY [squid-users] Access denied to localhost!

From: Jez Ahl <Jez@dont-contact.us>
Date: Fri, 30 Nov 2001 16:59:31 -0000

FWIW,

I have tried this same config with both 2.3STABLE4 (works), and 2.3STABLE5
(doesn't work).
Turns out to be a bug fix in 2.3STABLE5 to do with not allowing proxy
requests in accel only mode.

See:-

http://www.squid-cache.org/Versions/v2/2.3/bugs/#squid-2.3.stable4-accel_only_access

If your request doesn't start with a "/", then squid treats the request as a
proxy request rather than an accel request.
Hence if you request http://a.b.com/something you will fail, but if you
request /something (with "host:a.b.com" in the request header), then it
works.

Jez

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@marasystems.com]
> Sent: 26 November 2001 15:31
> To: Jez Ahl; 'squid-users@squid-cache.org'
> Subject: Re: [squid-users] Access denied to localhost!
>
>
> Your config looks fine to me, but quite insecure for an
> accelerator setup..
>
> Please verify using cachemgr that the running configuration
> matches what you
> expect.
>
>
> I would use something like:
>
> acl CONNECT method CONNECT
> http_access deny CONNECT
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl PURGE method PURGE
> http_access allow manager localhost
> http_access allow PURGE localhost
>
> acl myservers dst x.y.z.n x.y.z.m ...
> acl HTTP proto http
> acl port_80 port 80
> http_access allow HTTP myservers port_80
>
> acl all src 0.0.0.0/0
> http_access deny all
>
> Regards
> Henrik Nordström
>
>
> On Monday 26 November 2001 15.59, Jez Ahl wrote:
> > Hi,
> >
> > Can anyone help me with this problem please?
> > I have two boxes with squid in reverse mode, with the
> > following config:-
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 21 443 563 70 210 1025-65535
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl PURGE method PURGE
> >
> > #Default configuration:
> > http_access allow manager localhost
> > http_access allow PURGE
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > #http_access deny all
> > http_access allow all
> >
> >
> > On one of the boxes, if I do "client -m GET -p 80 http://whatever", I
> > get access denied, on the other it works.
> >
> > Cache log on the failed one (2.3.STABLE5) says:-
> > 2001/11/26 12:51:36| The request GET http://whatever is DENIED, because
> > it matched 'all'
> >
> > Cache log on the successful one (2.3.STABLE2) says:-
> > 2001/11/26 12:51:36| The request GET http://whatever is ALLOWED, because
> > it matched 'all'
> >
> > Any ideas?
> >
> > Thanks in advance
> >
> > jez

-- 
MARA Systems AB
Giving you basic free Squid support
Priority support or Squid enhancements available on request
Received on Fri Nov 30 2001 - 10:00:11 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:44 MST
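The difference between the two http_access lists in this thread (Jez's "allow all" block and Henrik's accelerator-only block) is easiest to see by running requests through them. The script below is an added example, not code from the thread or from the Squid project: a toy first-match evaluator for squid 2.x `acl` / `http_access` lines implementing only the ACL types the thread uses (src, dst, port, method, proto) and the documented rule semantics (rules checked in order, a rule applies when every ACL on it matches, `!` negates, first match wins, no match gives the opposite of the last rule's action). The origin-server addresses 192.0.2.10 and 192.0.2.11 are assumed stand-ins for Henrik's "x.y.z.n x.y.z.m ...", and the client addresses in the cases are constructed. It does not model the STABLE5 accelerator-only fix itself; `request_form` only classifies a request line the way Jez describes (absolute URL = proxy request, leading "/" = accelerator request).

```python
"""Toy first-match evaluator for squid 2.x 'acl' and 'http_access' lines.

Added example, not from the original post or the Squid project. Supports
only the ACL types used in the thread: src, dst, port, method, proto.
"""
import ipaddress

# Jez's posted config (Safe_ports lines merged, trailing comments dropped).
OPEN_CONFIG = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl PURGE method PURGE
http_access allow manager localhost
http_access allow PURGE
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

# Henrik's suggested config. ASSUMPTION: 192.0.2.10/11 stand in for the
# origin servers the post writes as "x.y.z.n x.y.z.m ...".
ACCEL_CONFIG = """
acl CONNECT method CONNECT
http_access deny CONNECT
acl manager proto cache_object
acl localhost src 127.0.0.1
acl PURGE method PURGE
http_access allow manager localhost
http_access allow PURGE localhost
acl myservers dst 192.0.2.10 192.0.2.11
acl HTTP proto http
acl port_80 port 80
http_access allow HTTP myservers port_80
acl all src 0.0.0.0/0
http_access deny all
"""


def parse_config(text):
    """Return ({acl_name: (type, [values])}, [(allow: bool, [terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            # repeated 'acl NAME type ...' lines extend the same ACL, as in squid
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def _value_matches(kind, value, request):
    if kind in ("src", "dst"):
        # squid 2.x writes masks as a.b.c.d/m.m.m.m; ipaddress accepts that form
        net = ipaddress.ip_network(value if "/" in value else value + "/32", strict=False)
        return ipaddress.ip_address(request[kind]) in net
    if kind == "port":
        lo, _, hi = value.partition("-")          # single port or "lo-hi" range
        return int(lo) <= request["port"] <= int(hi or lo)
    if kind in ("method", "proto"):
        return request[kind].lower() == value.lower()
    raise ValueError("unsupported acl type: " + kind)


def evaluate(config, request):
    """True if squid would allow `request` under this http_access list."""
    acls, rules = parse_config(config)
    for allow, terms in rules:
        for term in terms:
            kind, values = acls[term.lstrip("!")]
            matched = any(_value_matches(kind, v, request) for v in values)
            if matched == term.startswith("!"):
                break                 # this ACL fails, the rule does not apply
        else:
            return allow              # every ACL on the line matched: first match wins
    return not rules[-1][0]           # no rule matched: opposite of the last action


def request_form(request_line):
    """Absolute URL = proxy request; leading '/' = accelerator request."""
    target = request_line.split()[1]
    return "accel" if target.startswith("/") else "proxy"


if __name__ == "__main__":
    # constructed cases: an internet client (198.51.100.7) talking to the accelerator
    cases = {
        "GET third-party site via proxy": dict(src="198.51.100.7", dst="203.0.113.9", port=80, method="GET", proto="http"),
        "GET own origin server":          dict(src="198.51.100.7", dst="192.0.2.10", port=80, method="GET", proto="http"),
        "GET own origin, port 8080":      dict(src="198.51.100.7", dst="192.0.2.10", port=8080, method="GET", proto="http"),
        "CONNECT own origin:443":         dict(src="198.51.100.7", dst="192.0.2.10", port=443, method="CONNECT", proto="http"),
        "PURGE own origin from outside":  dict(src="198.51.100.7", dst="192.0.2.10", port=80, method="PURGE", proto="http"),
    }
    for label, req in cases.items():
        print(f"{label:32} open:{evaluate(OPEN_CONFIG, req)!s:6} accel:{evaluate(ACCEL_CONFIG, req)}")
    for line in ("GET http://a.b.com/something HTTP/1.0", "GET /something HTTP/1.0"):
        print(f"{line:40} -> {request_form(line)}")
```

Running it shows why the first config is an open proxy in accelerator mode: a GET for a third-party host, a CONNECT to port 443 and a GET to an arbitrary high port all fall through to `allow all`, while the second config denies each of them and only lets plain HTTP through to the listed origin servers on port 80. One thing the evaluator also surfaces: the third allow line in the second config names no method, so a PURGE for one of `myservers` on port 80 from a non-local client passes it; if that matters, put an explicit `http_access deny PURGE` ahead of it (after the localhost allow).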