LinuxQuestions.org


antriksh 11-17-2016 02:12 AM

Squid allow one IP on a particular port
 
Hello. This is my squid configuration:

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

Now I want to allow URL http://213.145.166.138/ on port 81 (which is currently blocked) for everyone. Is it possible to configure it?

TB0ne 11-17-2016 07:30 AM

Quote:

Originally Posted by antriksh (Post 5631502)
Hello. This is my squid configuration:

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

Now I want to allow URL http://213.145.166.138/ on port 81 (which is currently blocked) for everyone. Is it possible to configure it?

Yes. These are called ACLs (which you already have). Did you try to look at the VERY ample Squid documentation?
http://wiki.squid-cache.org/SquidFaq/SquidAcl

...or try to put "how to configure squid to allow a website" into Google?
http://wiki.squid-cache.org/ConfigEx...nticate/Bypass

antriksh 11-17-2016 10:04 AM

Yes, I looked into it.

The problem here is that if I allow port 81, it will be allowed for any website. I want to allow only one website for port 81. I didn't find any ACL combination for that.

TB0ne 11-18-2016 08:21 AM

Quote:

Originally Posted by antriksh (Post 5631617)
Yes, I looked into it.
The problem here is that if I allow port 81, it will be allowed for any website. I want to allow only one website for port 81. I didn't find any ACL combination for that.

Must not have looked too hard. There are examples in the documentation, and AMPLE examples you can find with a Google search to allow only ONE website...this is no different.

Jjanel 11-18-2016 05:19 PM

A bit more 'hint' needed, sorry...
 
I wanted to learn a bit about squid from this Thread, but I seem to need a bit more 'clue' here.
Is that URL http://213.145.166.138/ *on your server* [dst] (or *from* a src)?
I tried hour of web-searches like: allow one|specific ip|dst access "to a port" squid
but kept getting confused by thinking http_access meant port 80 only [?]
As that first doc link begins by saying:
"Squid's access control scheme is relatively comprehensive and difficult for some people to understand."
Maybe [my **guess**] something like:
acl myport port 81
acl myaddr dst 213.145.166.138
http_access allow myport myaddr
(partly based on that doc's "And/Or logic" [under "Common Mistakes"])

Maybe try that & let us know. *logs*?! (again, that is *just my guess* & may be incorrect!)

A bit more of a hint/clue/more-specific-link-quotation/... from LQ'ers is welcome here. Thanks!

TB0ne 11-18-2016 06:08 PM

Quote:

Originally Posted by Jjanel (Post 5632153)
I wanted to learn a bit about squid from this Thread, but I seem to need a bit more 'clue' here.
Is that URL http://213.145.166.138/ *on your server* [dst] (or *from* a src)?
I tried hour of web-searches like: allow one|specific ip|dst access "to a port" squid
but kept getting confused by thinking http_access meant port 80 only [?]
As that first doc link begins by saying:
"Squid's access control scheme is relatively comprehensive and difficult for some people to understand."
Maybe [my **guess**] something like:
acl myport port 81
acl myaddr dst 213.145.166.138
http_access allow myport myaddr
(partly based on that doc's "And/Or logic" [under "Common Mistakes"])

Maybe try that & let us know. *logs*?! (again, that is *just my guess* & may be incorrect!) A bit more of a hint/clue/more-specific-link-quotation/... from LQ'ers is welcome here. Thanks!

You need to think about what squid IS and what it is designed to DO. It's a proxy server...all it does is handle web traffic. Allowing/disallowing ports is done in broad strokes, because you need to handle port-by-port access through your firewall/iptables/NAT. Either you allow port 81 through for ALL sites, or none. No way around it. You *CAN* easily NAT traffic to/from that address on port 81, to port 80, so as far as squid is concerned, all the HTTP traffic is staying on the default port.

afdm74 01-16-2019 02:01 PM

Quote:

Originally Posted by Jjanel (Post 5632153)
I wanted to learn a bit about squid from this Thread, but I seem to need a bit more 'clue' here.
Is that URL http://213.145.166.138/ *on your server* [dst] (or *from* a src)?
I tried hour of web-searches like: allow one|specific ip|dst access "to a port" squid
but kept getting confused by thinking http_access meant port 80 only [?]
As that first doc link begins by saying:
"Squid's access control scheme is relatively comprehensive and difficult for some people to understand."
Maybe [my **guess**] something like:
acl myport port 81
acl myaddr dst 213.145.166.138
http_access allow myport myaddr
(partly based on that doc's "And/Or logic" [under "Common Mistakes"])

Maybe try that & let us know. *logs*?! (again, that is *just my guess* & may be incorrect!)

A bit more of a hint/clue/more-specific-link-quotation/... from LQ'ers is welcome here. Thanks!

You just need to put your http_access declaration above the "http_access deny !Safe_ports". That's all you got wrong...
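
The rule ordering discussed in the posts above, as an added example that is not part of the original thread: a simplified Python model of how Squid evaluates `http_access` lines (first matching line wins, ACLs on one line are ANDed). The `localnet` range, the `OTHER` address and the function names are assumptions made for illustration, and only `port`, `src` and `dst` ACLs with literal IPs are modelled.

```python
import ipaddress

# Constructed squid.conf excerpt: the thread's Safe_ports list abbreviated, and
# an assumed "localnet" client range. {rules} is swapped per variant below.
BASE = """acl Safe_ports port 80 21 443 1025-65535
acl localnet src 192.168.0.0/16
acl myport port 81
acl myaddr dst 213.145.166.138
{rules}
http_access allow localnet
http_access deny all
"""
NARROW_FIRST = BASE.format(rules="http_access allow myport myaddr\nhttp_access deny !Safe_ports")
NARROW_LATE = BASE.format(rules="http_access deny !Safe_ports\nhttp_access allow myport myaddr")
BROAD = BASE.format(rules="acl Safe_ports port 81\nhttp_access deny !Safe_ports")

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    if name == "all":                       # built-in ACL matching every request
        return True
    kind, values = acls[name]
    if kind == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    addr = ipaddress.ip_address(req[kind])  # kind is "src" or "dst"
    return any(addr in ipaddress.ip_network(v) for v in values)

def decide(conf, req):
    acls, rules = parse(conf)
    for action, names in rules:
        # ACLs on one http_access line are ANDed; "!" negates a single ACL.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action                   # first matching line wins
    return "deny"  # not reached here: the sample config ends with "deny all"

TARGET = {"src": "192.168.1.10", "dst": "213.145.166.138", "port": 81}
OTHER = {"src": "192.168.1.10", "dst": "198.51.100.7", "port": 81}  # constructed

if __name__ == "__main__":
    for label, conf in [("narrow first", NARROW_FIRST), ("narrow late", NARROW_LATE), ("broad", BROAD)]:
        print(label, decide(conf, TARGET), decide(conf, OTHER))
```

Because the narrow allow line names no `src` ACL, it matches clients outside `localnet` as well; adding `localnet` to that line would limit it to local clients.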

TB0ne 01-17-2019 08:13 AM

Quote:

Originally Posted by afdm74 (Post 5949931)
You just need to put your http_access declaration above the "http_access deny !Safe_ports". That's all you got wrong...

Right: that was done TWO YEARS AGO.

