You can also add this to lock down the proxy after hours so nothing is used much like locking a door, whatever is inside is going to keep working ie connections already established however all new connections will be blocked. I love this one
acl block_hours time 00:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours however this is for use with ssl intercept and root certificates installed however it also works for spliced connections as it comes before everything else the terminate everything line you can also if you want to lock down to specific mac addresses ie small office home network use eui_lookup on Example of use with mac addresses acl splice_only src 192.168.1.8 #Tasha iPhone acl splice_only src 192.168.1.10 #Jon iPhone acl splice_only src 192.168.1.11 #Amazon Fire acl splice_only src 192.168.1.15 #Tasha HP acl splice_only src 192.168.1.16 #iPad acl splice_only_mac arp (unique 48bit hardware address here) acl splice_only_mac arp (unique 48bit hardware address here) acl splice_only_mac arp (unique 48bit hardware address here) acl splice_only_mac arp (unique 48bit hardware address here) acl splice_only_mac arp (unique 48bit hardware address here) acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump" acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump" acl markBumped annotate_client bumped=true acl active_use annotate_client active=true acl bump_only src 192.168.1.3 #webtv acl bump_only src 192.168.1.4 #toshiba acl bump_only src 192.168.1.5 #imac acl bump_only src 192.168.1.9 #macbook acl bump_only src 192.168.1.13 #dell acl bump_only_mac arp (unique 48bit hardware address here) acl bump_only_mac arp (unique 48bit hardware address here) acl bump_only_mac arp (unique 48bit hardware address here) acl bump_only_mac arp (unique 48bit hardware address here) acl bump_only_mac arp (unique 48bit hardware address here) ssl_bump peek step1 miss_access deny no_miss active_use ssl_bump splice https_login active_use ssl_bump splice splice_only_mac splice_only active_use (this works as “and logic” except my annotate active use) ssl_bump splice NoBumpDNS active_use ssl_bump splice NoSSLIntercept active_use ssl_bump bump bump_only_mac bump_only active_use acl activated note active_use true ssl_bump terminate !activated acl markedBumped note bumped true url_rewrite_access deny markedBumped > On Jun 6, 2024, at 12:08, Kevin <sq...@kretz.net> wrote: > > >> uri_whitespace encode > > > >Hmm. Accepting whitespace in URLs is a risky choice. One can never be > >completely sure how third-party agents in the network are handling it > >before the request arrived. > > > >If (big IF) you are able to use "uri_whitespace deny" this proxy would > >be a bit more secure. This is just a suggestion, you know best here. > > I think that was a workaround for a vulnerability. If it was, it may no > longer be needed. > > > > > >> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com > >> http_access deny trellix_phone_cloud > >> external_acl_type host_based_filter children-max=15 ttl=0 0X0P+0CL >> acl > >> HostBasedRules external host_based_filter > >> http_access allow HostBasedRules > >> auth_param digest program /usr/lib/squid/digest_file_auth -c > >> /etc/squid/passwd > >> auth_param digest realm squid > >> auth_param digest children 2 > >> auth_param basic program /usr/lib/squid/basic_ncsa_auth > >> /etc/squid/basic_passwd > >> auth_param basic children 2 > >> auth_param basic realm squidb > >> auth_param basic credentialsttl 2 hours > > > >> acl auth_users proxy_auth REQUIRED > >> external_acl_type custom_acl_db children-max=15 ttl=0 0X0P+0CL >> acl > >> CustomAclDB external custom_acl_db > >> http_access allow CustomAclDB > > > > > >Hmm, this use of combined authentication+authorization is a bit tricky > >with two layers of asynchronous helper lookups going on. That alone > >might be what is going on with the weird 403's. > > > > > >A better sequence would be: > > > ># ensure login is performed > >http_access deny !auth_users > > > ># check the access permissions for whichever user logged in > >http_access allow CustomAclDB > > > The first call the the external_acl is to process unauthenticated requests. > Is the suggestion to replace > > acl auth_users proxy_auth REQUIRED > > with > > http_access deny !auth_users > > before the second external_acl (for authenticated requests)? > > > > > Thanks again, very much > > > Kevin > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users