LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-09-2016, 05:11 AM   #1
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 179
Blog Entries: 1

Rep: Reputation: Disabled
Squid proxy doesn't deny all despite the directive


I have installed squid proxy on my Linux Slackware machine. I thought that it's configured to deny connections to all hosts by default as http_access deny all directive was used in my config file. But to my surprise it allows all. Why doesn't it deny all?

Code:
# squid -k parse
2016/10/09 12:52:05| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2016/10/09 12:52:05| Processing: acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
2016/10/09 12:52:05| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2016/10/09 12:52:05| Processing: acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
2016/10/09 12:52:05| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2016/10/09 12:52:05| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2016/10/09 12:52:05| Processing: acl SSL_ports port 443
2016/10/09 12:52:05| Processing: acl Safe_ports port 80         # http
2016/10/09 12:52:05| Processing: acl Safe_ports port 21         # ftp
2016/10/09 12:52:05| Processing: acl Safe_ports port 443                # https
2016/10/09 12:52:05| Processing: acl Safe_ports port 70         # gopher
2016/10/09 12:52:05| Processing: acl Safe_ports port 210                # wais
2016/10/09 12:52:05| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2016/10/09 12:52:05| Processing: acl Safe_ports port 280                # http-mgmt
2016/10/09 12:52:05| Processing: acl Safe_ports port 488                # gss-http
2016/10/09 12:52:05| Processing: acl Safe_ports port 591                # filemaker
2016/10/09 12:52:05| Processing: acl Safe_ports port 777                # multiling http
2016/10/09 12:52:05| Processing: acl CONNECT method CONNECT
2016/10/09 12:52:05| Processing: http_access deny !Safe_ports
2016/10/09 12:52:05| Processing: http_access deny CONNECT !SSL_ports
2016/10/09 12:52:05| Processing: http_access allow localhost manager
2016/10/09 12:52:05| Processing: http_access deny manager
2016/10/09 12:52:05| Processing: http_access deny to_localhost
2016/10/09 12:52:05| Processing: http_access allow localnet
2016/10/09 12:52:05| Processing: http_access allow localhost
2016/10/09 12:52:05| Processing: http_access deny all
2016/10/09 12:52:05| Processing: http_port 3128
2016/10/09 12:52:05| Processing: cache_dir ufs /var/cache/squid 256 16 256
2016/10/09 12:52:05| Processing: pid_filename /var/run/squid/squid.pid
2016/10/09 12:52:05| Processing: coredump_dir /var/log/squid/cache/squid
2016/10/09 12:52:05| Processing: refresh_pattern ^ftp:          1440    20%     10080
2016/10/09 12:52:05| Processing: refresh_pattern ^gopher:       1440    0%      1440
2016/10/09 12:52:05| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2016/10/09 12:52:05| Processing: refresh_pattern .              0       20%     4320
2016/10/09 12:52:05| Processing: visible_hostname laptop
 
Old 10-09-2016, 09:55 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,891

Rep: Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883
Hi,

Quote:
...
2016/10/09 12:52:05| Processing: http_access allow localnet
2016/10/09 12:52:05| Processing: http_access allow localhost
2016/10/09 12:52:05| Processing: http_access deny all
...
The ACLs are read in sequence. As soon as one is met the next ones are ignored. See this for more.
So with the above configuration, squid at first allows access to anyone in localnet and ignores the next "http_access deny all"

Regards
 
Old 10-09-2016, 03:14 PM   #3
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 179

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
I removed this:

Code:
http_access allow localhost
and it started to block. I thought that it only allows http://localhost. Why did it allow everything?
 
Old 10-09-2016, 04:12 PM   #4
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 179

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
bathory, if you have rc.squid for Slackware - can you post it here. For some reason it wasn't installed for me from Slackbuild.
 
Old 10-10-2016, 12:31 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,891

Rep: Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883Reputation: 1883
Quote:
Originally Posted by usr345 View Post
bathory, if you have rc.squid for Slackware - can you post it here. For some reason it wasn't installed for me from Slackbuild.
I'm running squid compiled from source, so I use a simple custom made rc script. You may look at the attached file and change it to fit your needs

But if indeed there is no rc script in the squid slackbuild you should inform the maintainer, so he fixes it

Regards
Attached Files
File Type: txt rc.squid.txt (403 Bytes, 41 views)
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
squid proxy server configuration in rhel5 and deny deny accessing websites renjindd Linux - Newbie 1 09-09-2012 08:58 AM
How to configure Juniper SSG140 deny port 80&443 except Squid proxy !!! ducloiag Linux - Newbie 6 02-21-2011 01:16 AM
[SOLVED] Transparent Squid : Deny direct requests to proxy jma89 Linux - Server 3 07-12-2010 10:19 PM
Squid proxy allow/deny set of clients borganve Linux - Security 1 07-16-2009 08:22 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration