On 26/06/17 20:46, Vieri wrote:
Hi,

I'd like to allow by default and deny only according to the ACLs I define.

Here's an example with Telegram. I'd like to deny all application/octet-stream 
mime types in requests and replies except for a set of IP addresses or domains.

Er, deny is the opposite of allow. So your "example" is to demonstrate the _opposite_ of what you want?


Not to mention that what you want is the opposite of a well-known Security Best-Practice. Well, your call, but when things go terribly wrong don't say you weren't warned.


Anyhow ...


acl denied_restricted1_mimetypes_req req_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/usr/local/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/usr/local/proxy-settings/allowed.restricted1.ips"
http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips
http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips


A line of ACLs is an "AND" condition:

 http_access deny (if) X (and) Y (and) Z

This configuration will deny the mime types except when they come from certain IPs *AND* are going to certain domains.


To enact your stated policy you need to do it this way:

 http_access allow allowed_restricted1_domains \
    denied_restricted1_mimetypes_req

 http_access allow allowed_restricted1_ips \
    denied_restricted1_mimetypes_req

 http_access deny denied_restricted1_mimetypes_req


.. same sort of thing for the reply lines.


# cat /usr/local/proxy-settings/allowed.restricted1.domains
.telegram.org

# cat /usr/local/proxy-settings/allowed.restricted1.ips
149.154.167.91
149.154.165.120

# cat /usr/local/proxy-settings/denied.restricted1.mimetypes
^application/octet-stream$

I see this in access.log:

1498463484.530    413 10.215.144.237 TCP_DENIED_REPLY/403 4085 POST http://149.154.165.120/api - ORIGINAL_DST/149.154.165.120 text/html

I searched for the relevant parts in cache.log:

<snip>

I see 2 apparently contradictory log messages (well, for me that is -- I'm still learning how to read the log):

The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips
The reply for POST http://149.154.165.120/api is ALLOWED, because it matched allowed_restricted1_ips

Why is this happening?

The server's reply (application/octet-stream) is being denied, and the Squid-generated error page (text/html) is being allowed.

When a default / implicit action is being done the "matched X" shows the name of the last ACL processed - that ACL non-matching was the reason for the default/implicit action happening.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
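The evaluation rules Amos describes (terms on one http_access line are ANDed, lines are tried in order with the first full match deciding, and a list that matches nothing falls through to the opposite of its last line's action, with cache.log naming the last ACL checked) can be modelled in a few lines. The following is an added example written for this thread, not Squid code and not something either poster wrote; it embeds constructed versions of the three list files, encodes Vieri's original single deny line and Amos's three-line rewrite as data, and runs both over a handful of constructed transactions. The `dst` ACL is simplified to literal IP comparison (no DNS, no CIDR), and `http_reply_access` is not modelled separately.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed contents of the three list files from the thread.
ALLOWED_DOMAINS = [".telegram.org"]
ALLOWED_IPS = ["149.154.167.91", "149.154.165.120"]
DENIED_MIMETYPES = [r"^application/octet-stream$"]


@dataclass
class Transaction:
    dst_host: str  # host part of the URL: a domain name or a literal IP
    mime: str      # Content-Type of the request (req_mime_type) or reply (rep_mime_type)


def acl_dstdomain(t: Transaction, domains: List[str]) -> bool:
    """dstdomain: a leading dot matches the domain itself and every subdomain."""
    for d in domains:
        if d.startswith(".") and (t.dst_host == d[1:] or t.dst_host.endswith(d)):
            return True
        if t.dst_host == d:
            return True
    return False


def acl_dst(t: Transaction, ips: List[str]) -> bool:
    """dst: destination IP in the list (simplified: literal IPs only, no DNS, no CIDR)."""
    return t.dst_host in ips


def acl_mime(t: Transaction, patterns: List[str]) -> bool:
    """req_mime_type / rep_mime_type -i: case-insensitive regex over the Content-Type."""
    return any(re.search(p, t.mime, re.IGNORECASE) for p in patterns)


# ACL names exactly as in the thread; each maps to a predicate over a transaction.
ACLS: Dict[str, Callable[[Transaction], bool]] = {
    "denied_restricted1_mimetypes_req": lambda t: acl_mime(t, DENIED_MIMETYPES),
    "allowed_restricted1_domains": lambda t: acl_dstdomain(t, ALLOWED_DOMAINS),
    "allowed_restricted1_ips": lambda t: acl_dst(t, ALLOWED_IPS),
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])

# Vieri's original single request line, and Amos's three-line rewrite, as data.
ORIGINAL: List[Rule] = [
    ("deny", ["denied_restricted1_mimetypes_req",
              "!allowed_restricted1_domains", "!allowed_restricted1_ips"]),
]
CORRECTED: List[Rule] = [
    ("allow", ["allowed_restricted1_domains", "denied_restricted1_mimetypes_req"]),
    ("allow", ["allowed_restricted1_ips", "denied_restricted1_mimetypes_req"]),
    ("deny", ["denied_restricted1_mimetypes_req"]),
]


def http_access(rules: List[Rule], t: Transaction) -> Tuple[str, str]:
    """Evaluate an http_access list. Terms on a line are ANDed left to right and
    checking stops at the first term that fails; lines are tried in order and the
    first fully matching line decides. If no line matches, the implicit default is
    the opposite of the last line's action. The second element names the last ACL
    checked, which is what the "matched X" wording in cache.log reports in both cases."""
    last_acl = "(none)"
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            last_acl = term.lstrip("!")
            # A term fails when a plain ACL is False or a negated ACL is True.
            if ACLS[last_acl](t) == negated:
                line_matches = False
                break
        if line_matches:
            return action, f"explicit {action}, matched {last_acl}"
    default = "allow" if rules[-1][0] == "deny" else "deny"
    return default, f"implicit {default}, last ACL checked {last_acl}"


if __name__ == "__main__":
    cases = [
        Transaction("149.154.165.120", "application/octet-stream"),  # listed Telegram IP
        Transaction("web.telegram.org", "application/octet-stream"),  # listed domain
        Transaction("example.com", "application/octet-stream"),       # on neither list
        Transaction("example.com", "text/html"),                      # not a denied type
    ]
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for c in cases:
            print(f"{name:9} {c.dst_host:17} {c.mime:25} -> {http_access(rules, c)}")
```

Running it shows the two things worth checking before deploying such a policy: under the corrected list an octet-stream transaction to a listed domain or IP is allowed by an explicit line while one to any other host hits the explicit deny, and a text/html transaction matches no line at all, so it is allowed only by the implicit default and cache.log will name `denied_restricted1_mimetypes_req` as the ACL "matched", exactly the misleading wording Amos explains above.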
