[CentOS-es] Squid does not respect ACLs

Ernesto Pérez Estévez centos at ecualinux.com
Wed May 30 15:49:50 EDT 2012


On 05/30/2012 02:15 PM, Daniel wrote:
> Like this? I already corrected it, but it still lets everything through.
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>> acl localnet src 10.1.0.0/17
>>>>> acl google src 74.125.0.0/16
>>>>> acl youtube srcdomain .youtube.com
>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access allow localnet
>>>>> http_access allow localhost
>>>>> http_port 10.1.50.252:8080 intercept
>>>      http_access deny google
>>>      http_access deny youtube
>>>      http_access deny youtube_2
>>>      visible_hostname proxy.lsvp

OK, if that is the order, then it is not right, because you are putting the
allow localnet before the denies, so they will always go through the allow.
Regards,
epe


>
> Daniel Ortiz Gutierrez
>
> On 30/05/2012, at 13:03, Ernesto Pérez Estévez <centos at ecualinux.com> wrote:
>
>> On 05/30/2012 12:55 PM, Daniel wrote:
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>> acl localnet src 10.1.0.0/17
>>>>> acl google src 74.125.0.0/16
>>>>> acl youtube srcdomain .youtube.com
>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access allow localnet
>>>>> http_access allow localhost
>>>>> http_port 10.1.50.252:8080 intercept
>>>      http_access deny google
>>>      http_access deny youtube
>>>      http_access deny youtube_2
>>>      visible_hostname proxy.lsvp
>>>
>>> Sorry, I did not include the complete configuration file.
>> Now I have doubts about the position of the http_access (because you use
>> http_port here, a parameter I do not understand)
>>
>>
>>>
>>> Daniel Ortiz Gutierrez
>>>
>>> On 30/05/2012, at 12:33, Ernesto Pérez Estévez <centos at ecualinux.com> wrote:
>>>
>>>> On 05/30/2012 12:09 PM, Daniel wrote:
>>>>> Greetings
>>>>>
>>>>> I installed Squid 3.1 on a minimal CentOS 6.2, with a "yum install squid";
>>>>> this is the configuration file:
>>>>>
>>>>> acl manager proto cache_object
>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>> acl localnet src 10.1.0.0/17
>>>>>
>>>>> acl google src 74.125.0.0/16
>>>>> acl youtube srcdomain .youtube.com
>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>
>>>> Maybe I read too quickly, but I see the ACL defined but not the http_access
>>>> to deny or allow whatever matches that ACL
>>>>
>>>>>
>>>>> http_access allow manager localhost
>>>>> http_access deny manager
>>>>> http_access allow localnet
>>>>> http_access allow localhost
>>>>> http_port 10.1.50.252:8080 intercept
>>>>>
>>>>> acl google src 74.125.0.0/16
>>>>> acl youtube srcdomain .youtube.com
>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The problem is that it does not respect any ACL; it lets everything through. I have
>>>>> tried with other addresses to see if it is an https problem, but
>>>>> even when I put
>>>>>
>>>>> acl all src all
>>>>> http_access all deny
>>>>>
>>>>> it still lets me browse without problems. My iptables rules are:
>>>>>
>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>>>>>
>>>>> Port 443 is open because I am not dealing with https for
>>>>> the moment.
>>>>>
>>>>> Regards, and I hope someone can help me.
>>>>> _______________________________________________
>>>>> CentOS-es mailing list
>>>>> CentOS-es at centos.org
>>>>> http://lists.centos.org/mailman/listinfo/centos-es
>>>>>
>>>>
>>>>
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>
>>
>>
>


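The ordering point made in the reply above, as an added example that is not part of the original thread: a small Python model of how Squid walks the http_access lines top to bottom and stops at the first line whose ACLs all match. The function names and the `matched` set (the ACL names a request is assumed to match, given as input rather than computed) are hypothetical; the rule lines are the ones posted.

```python
# Constructed input: the http_access lines in the order posted in the thread.
POSTED = """
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny google
http_access deny youtube
http_access deny youtube_2
"""

def parse_rules(conf):
    """Return [(action, [acl, ...]), ...] for each http_access line, in file order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def decide(rules, matched):
    """First-match evaluation; `matched` = ACL names the request is assumed to match.

    A line fires only when every ACL on it matches (AND); '!name' negates.
    When no line fires, the result is the opposite of the last line's action.
    """
    for number, (action, acls) in enumerate(rules, 1):
        if all((a[1:] not in matched) if a.startswith("!") else (a in matched) for a in acls):
            return action, number
    if not rules:
        return "deny", None  # with no http_access lines at all, Squid denies
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def denies_before(rules, allow_acl):
    """Move the deny lines that follow `allow <allow_acl>` to just before it."""
    idx = next(i for i, (act, acls) in enumerate(rules) if act == "allow" and acls == [allow_acl])
    late = [r for r in rules[idx + 1:] if r[0] == "deny"]
    kept = [r for r in rules[idx:] if r not in late]
    return rules[:idx] + late + kept

if __name__ == "__main__":
    posted = parse_rules(POSTED)
    fixed = denies_before(posted, "localnet")
    request = {"localnet", "youtube"}  # constructed: LAN client, request matching 'youtube'
    print("posted order :", decide(posted, request))
    print("denies first :", decide(fixed, request))
```

In the posted order a request that matches no line at all is also allowed, because the last line is a deny and the implicit default is its opposite; ending the list with an explicit deny for everything avoids relying on that default.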