[CentOS-es] Squid does not respect ACLs

Daniel danielog2073 at gmail.com
Wed May 30 16:16:41 EDT 2012


So the order of the lines does matter? Is it like iptables? Thank you very much. Regards,

Daniel Ortiz Gutierrez 

On 30/05/2012, at 14:49, Ernesto Pérez Estévez <centos at ecualinux.com> wrote:

> On 05/30/2012 02:15 PM, Daniel wrote:
>> Like this? I already corrected it, but even so it lets everything through.
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>> acl localnet src 10.1.0.0/17
>>>>>> acl google src 74.125.0.0/16
>>>>>> acl youtube srcdomain .youtube.com
>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access allow localnet
>>>>>> http_access allow localhost
>>>>>> http_port 10.1.50.252:8080 intercept
>>>>     http_access deny google
>>>>     http_access deny youtube
>>>>     http_access deny youtube_2
>>>>     visible_hostname proxy.lsvp
> 
> OK, if that is the order, then it is not right, because you are putting the
> allow localnet before the denies, so requests will always go through the allow
> regards
> epe
> 
> 
>> 
>> Daniel Ortiz Gutierrez
>> 
>> On 30/05/2012, at 13:03, Ernesto Pérez Estévez <centos at ecualinux.com> wrote:
>> 
>>> On 05/30/2012 12:55 PM, Daniel wrote:
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>> acl localnet src 10.1.0.0/17
>>>>>> acl google src 74.125.0.0/16
>>>>>> acl youtube srcdomain .youtube.com
>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access allow localnet
>>>>>> http_access allow localhost
>>>>>> http_port 10.1.50.252:8080 intercept
>>>>     http_access deny google
>>>>     http_access deny youtube
>>>>     http_access deny youtube_2
>>>>     visible_hostname proxy.lsvp
>>>> 
>>>> Sorry, I did not include the complete configuration file.
>>> now I have doubts about the position of the http_access (because you use http_port
>>> here, a parameter I do not understand)
>>> 
>>> 
>>>> 
>>>> Daniel Ortiz Gutierrez
>>>> 
>>>> On 30/05/2012, at 12:33, Ernesto Pérez Estévez <centos at ecualinux.com> wrote:
>>>> 
>>>>> On 05/30/2012 12:09 PM, Daniel wrote:
>>>>>> Greetings
>>>>>> 
>>>>>> I installed Squid 3.1 on a minimal CentOS 6.2, with a "yum install squid";
>>>>>> this is the configuration file:
>>>>>> 
>>>>>> acl manager proto cache_object
>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>> acl localnet src 10.1.0.0/17
>>>>>> 
>>>>>> acl google src 74.125.0.0/16
>>>>>> acl youtube srcdomain .youtube.com
>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>> 
>>>>> maybe I read too fast, but I see the ACL defined but not the http_access
>>>>> to deny or allow whatever matches that acl
>>>>> 
>>>>>> 
>>>>>> http_access allow manager localhost
>>>>>> http_access deny manager
>>>>>> http_access allow localnet
>>>>>> http_access allow localhost
>>>>>> http_port 10.1.50.252:8080 intercept
>>>>>> 
>>>>>> acl google src 74.125.0.0/16
>>>>>> acl youtube srcdomain .youtube.com
>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> the problem is that it does not respect any ACL, it lets everything through. I have
>>>>>> tried with other addresses to see if it is an https problem, but
>>>>>> even when I put
>>>>>> 
>>>>>> acl all src all
>>>>>> http_access all deny
>>>>>> 
>>>>>> it still lets me browse without problems; my iptables rules are:
>>>>>> 
>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>>>>>> 
>>>>>> port 443 is open because I am not dealing with https, for
>>>>>> the moment.
>>>>>> 
>>>>>> Regards, and I hope someone can help me.
>>>>>> _______________________________________________
>>>>>> CentOS-es mailing list
>>>>>> CentOS-es at centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos-es
>>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and is
>>>>> believed to be clean.
>>>>> 
>>>> 
>>> 
>>> 
>> 
> 
> 


More information about the CentOS-es mailing list
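The first-match evaluation of `http_access` lines that the quoted reply points to, as an added example that is not part of the original thread: a small Python model that runs the same request through the order as posted and through a reordered list. The client address 10.1.50.10, the use of `dstdomain` for the youtube ACL and the closing deny-all line are assumptions made for the illustration.

```python
import ipaddress

# Constructed ACL table modelled on the thread's squid.conf. Assumption: the
# youtube ACL is written as dstdomain so it tests the destination host
# (srcdomain tests the client's reverse-DNS name instead).
ACLS = {
    "localnet": ("src", "10.1.0.0/17"),
    "localhost": ("src", "127.0.0.1/32"),
    "youtube": ("dstdomain", ".youtube.com"),
}

def acl_matches(name, client_ip, dst_host):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain.
        bare = value.lstrip(".")
        host = dst_host.lower()
        return host == bare or host.endswith("." + bare)
    raise ValueError(f"unsupported ACL type: {kind}")

def http_access(rules, client_ip, dst_host):
    """Return (action, index of the deciding line) with first-match semantics."""
    for index, (action, names) in enumerate(rules):
        # Every ACL on one http_access line must match (logical AND);
        # an empty list stands for "all" and matches any request.
        if all(acl_matches(n, client_ip, dst_host) for n in names):
            return action, index
    # No line matched: Squid applies the opposite of the last line's action.
    if not rules:
        return "deny", None
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Order as posted in the thread: the broad allow precedes the deny.
AS_POSTED = [("allow", ["localnet"]), ("allow", ["localhost"]),
             ("deny", ["youtube"])]
# Reordered: specific deny first, then the allows, then an explicit deny all.
REORDERED = [("deny", ["youtube"]), ("allow", ["localnet"]),
             ("allow", ["localhost"]), ("deny", [])]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, http_access(rules, "10.1.50.10", "www.youtube.com"))
```

With the order as posted, a client outside every ACL falls through to the implicit default, which is the opposite of the last line and therefore an allow; the explicit final deny in the reordered list closes that gap.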