Your access controls are very strange

> acl ACISNETWORK src 10.1.1.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl CONNECT method GET POST HEAD CONNECT PUT DELETE

> http_access allow manager localhost
> http_access deny manager
> http_access allow ACISNETWORK

The above allows any request from a client in your ACISNETWORK.
It even allows a user to make a CONNECT request to any port, such
as port 25.  That allows Squid to be used as a spam relay, and is
a very bad idea.

The rest of these ACLs apply only to request coming from somewhere
except ACISNETWORK.

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Since you rediefined CONNECT to include other methods, the above would
deny a GET request to port 80, for example.  Probably not what you want to
do.  You should leave the CONNECT acl with only the connect method.

> http_reply_access allow ACISNETWORK
> http_access deny ACISNETWORK

The above line is not necessary because any request that matches ACISNETWORK
was already allowed above and will never reach this point in the rules.

> icp_access deny ACISNETWORK
> http_access deny all
> icp_access deny all

I'm not really sure about your setup, but I think your ACL rules should probably
look like this:


        acl ACISNETWORK src 10.1.1.0/255.255.255.0
        acl all src 0.0.0.0/0.0.0.0
        acl manager proto cache_object
        acl localhost src 127.0.0.1/255.255.255.255
        acl to_localhost dst 127.0.0.0/8
        acl SSL_ports port 443 563
        acl Safe_ports port 80
        acl CONNECT method CONNECT

        http_access allow manager localhost
        http_access deny manager
        http_access deny CONNECT !SSL_ports
        http_access deny !Safe_ports
        http_access allow ACISNETWORK

You may want to add more ports to Safe_ports.  If you have users on other networks
(besides ACISNETWORK), you should make another ACL for that network and
allow it also.

Duane W.

Reply via email to