[CentOS-es] Squid does not respect ACLs

Edg@r Rodolfo edgarr789 en gmail.com
Thu May 31 02:56:22 EDT 2012


On 30/05/12, Daniel <danielog2073 en gmail.com> wrote:
> So the order of the lines does matter? Is it like iptables? Thanks a lot,
> Regards

Hi, for Squid the file itself tells you where to put the rules; for
example I always put my ACLs at the end of all the ACLs (that are
already there) and the http_access lines where it says INSERT YOUR RULES HERE,
right below that, and I never had problems :), I hope I won't have any...

>
> Daniel Ortiz Gutierrez
>
> On 30/05/2012, at 14:49, Ernesto Pérez Estévez <centos en ecualinux.com>
> wrote:
>
>> On 05/30/2012 02:15 PM, Daniel wrote:
>>> Like this? I already corrected it, but it still lets everything through.
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>>     http_access deny google
>>>>>     http_access deny youtube
>>>>>     http_access deny youtube_2
>>>>>     visible_hostname proxy.lsvp
>>
>> ok, if that is the order, then it is not right, because you are putting the
>> allow localnet before the denys, and they will always go through the allow
>> then
>> regards
>> epe
>>
>>
>>>
>>> Daniel Ortiz Gutierrez
>>>
>>> On 30/05/2012, at 13:03, Ernesto Pérez Estévez <centos en ecualinux.com>
>>> wrote:
>>>
>>>> On 05/30/2012 12:55 PM, Daniel wrote:
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>>     http_access deny google
>>>>>     http_access deny youtube
>>>>>     http_access deny youtube_2
>>>>>     visible_hostname proxy.lsvp
>>>>>
>>>>> Sorry, I didn't paste the complete configuration file.
>>>> now I have doubts about the position of the http_access (because you use http_port
>>>> here, a parameter I don't understand)
>>>>
>>>>
>>>>>
>>>>> Daniel Ortiz Gutierrez
>>>>>
>>>>> On 30/05/2012, at 12:33, Ernesto Pérez Estévez <centos en ecualinux.com>
>>>>> wrote:
>>>>>
>>>>>> On 05/30/2012 12:09 PM, Daniel wrote:
>>>>>>> Greetings
>>>>>>>
>>>>>>> I installed Squid 3.1 on a minimal CentOS 6.2 with a "yum install
>>>>>>> squid",
>>>>>>> this is the configuration file,
>>>>>>>
>>>>>>> acl manager proto cache_object
>>>>>>> acl localhost src 127.0.0.1/32 ::1
>>>>>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>>>>>> acl localnet src 10.1.0.0/17
>>>>>>>
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>>
>>>>>> maybe I read too fast, but I see the ACL defined yet not the http_access
>>>>>> to deny or allow whatever matches that acl
>>>>>>
>>>>>>>
>>>>>>> http_access allow manager localhost
>>>>>>> http_access deny manager
>>>>>>> http_access allow localnet
>>>>>>> http_access allow localhost
>>>>>>> http_port 10.1.50.252:8080 intercept
>>>>>>>
>>>>>>> acl google src 74.125.0.0/16
>>>>>>> acl youtube srcdomain .youtube.com
>>>>>>> acl youtube_2 srcdom_regex -i \.youtube\.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> the problem is that it doesn't respect any ACL, it lets everything through. I
>>>>>>> have tried with other addresses to see if it is an https problem, but
>>>>>>> even when I put
>>>>>>>
>>>>>>> acl all src all
>>>>>>> http_access all deny
>>>>>>>
>>>>>>> it still lets me browse without problems, my iptables rules are:
>>>>>>>
>>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
>>>>>>> 8080
>>>>>>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
>>>>>>>
>>>>>>> port 443 is open because I'm not dealing with https for
>>>>>>> the moment.
>>>>>>>
>>>>>>> Regards, and I hope someone can help me.
>>>>>>> _______________________________________________
>>>>>>> CentOS-es mailing list
>>>>>>> CentOS-es en centos.org
>>>>>>> http://lists.centos.org/mailman/listinfo/centos-es
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> This message has been scanned for viruses and
>>>>>> dangerous content by MailScanner, and is
>>>>>> believed to be clean.
>>>>>>
>>
>
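Added example, not from the thread and not Squid's own code: a small Python simulator of Squid's top-to-bottom, first-match evaluation of `http_access` lines, fed with the ACL order from the thread and with constructed client and destination addresses. It shows that with `allow localnet` ahead of the deny lines every LAN client is allowed before any deny is reached, which is the ordering problem epe points out. It also carries one caveat the thread does not state: `src` and `srcdomain` ACLs match the client, so the google/youtube ACLs as posted would only match requests coming *from* those networks; the third constructed config uses `dst`/`dstdomain` to match the destination instead. Everything in the block (the three configs, sample addresses, helper names such as `evaluate` and `demo`) is constructed for illustration; only a few ACL types are modelled, the rest never match here.

```python
"""Added example (not Squid's code): first-match simulator for Squid http_access lines."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Request:
    client_ip: str      # constructed: address of the browsing client
    dst_ip: str         # constructed: address of the web server being contacted
    dst_host: str       # constructed: host name in the URL
    client_host: str = ""   # reverse-DNS name of the client, if known

def _ip_in(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    for c in cidrs:
        if c == "all":
            return True
        net = ipaddress.ip_network(c, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False

def _dom_in(host: str, patterns: List[str]) -> bool:
    host = host.lower().rstrip(".")
    # a leading dot matches the domain itself and every subdomain, as in Squid
    return any(host == p[1:].lower() or host.endswith(p.lower()) if p.startswith(".")
               else host == p.lower() for p in patterns)

def acl_matches(kind: str, values: List[str], req: Request) -> bool:
    if kind == "src":
        return _ip_in(req.client_ip, values)
    if kind == "dst":
        return _ip_in(req.dst_ip, values)
    if kind == "dstdomain":
        return _dom_in(req.dst_host, values)
    if kind == "srcdomain":  # compares the client's reverse-DNS name, not the URL host
        return bool(req.client_host) and _dom_in(req.client_host, values)
    return False  # proto, port, *_regex ...: not modelled here, so they never match

def parse(conf: str) -> Tuple[Dict[str, Tuple[str, List[str]]], List[Tuple[str, List[str]]]]:
    """Collect acl definitions and http_access lines; every other directive is ignored."""
    acls = {"all": ("src", ["all"])}  # 'all' is built in on recent Squid versions
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            if name in acls and acls[name][0] == kind:
                acls[name][1].extend(values)  # repeated acl lines of one name add values
            else:
                acls[name] = (kind, list(values))
        elif len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
        # malformed lines such as 'http_access all deny' are dropped; squid -k parse rejects them
    return acls, rules

def evaluate(conf: str, req: Request) -> str:
    """Return 'allow' or 'deny' the way Squid's top-to-bottom, first-match scan would."""
    acls, rules = parse(conf)
    for action, tokens in rules:
        hits = []
        for tok in tokens:
            kind, values = acls.get(tok.lstrip("!"), ("none", []))  # unknown name: Squid refuses to start
            hits.append(acl_matches(kind, values, req) != tok.startswith("!"))
        if all(hits):  # every ACL on the line matched: this line decides
            return action
    # documented no-match default: the opposite of the last line's action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

AS_POSTED = """
acl localnet src 10.1.0.0/17
acl google src 74.125.0.0/16
acl youtube srcdomain .youtube.com
http_access allow localnet
http_access deny google
http_access deny youtube
"""
# deny lines moved above 'allow localnet', ACLs unchanged
REORDERED_SRC = AS_POSTED.replace("http_access allow localnet\n", "") + "http_access allow localnet\n"
# same order, but matching the destination of the request, plus a closing deny
REORDERED_DST = """
acl localnet src 10.1.0.0/17
acl google dst 74.125.0.0/16
acl youtube dstdomain .youtube.com
http_access deny google
http_access deny youtube
http_access allow localnet
http_access deny all
"""

def demo() -> Dict[str, str]:
    lan = "10.1.5.20"  # constructed client inside 10.1.0.0/17
    google = Request(lan, "74.125.10.1", "www.google.com")
    other = Request(lan, "203.0.113.20", "www.example.com")  # constructed (TEST-NET-3)
    outsider = Request("192.168.9.9", "203.0.113.20", "www.example.com")
    return {
        "as_posted_google": evaluate(AS_POSTED, google),          # allow: localnet matched first
        "reordered_src_google": evaluate(REORDERED_SRC, google),  # allow: 'src' checks the client
        "reordered_dst_google": evaluate(REORDERED_DST, google),  # deny
        "reordered_dst_other": evaluate(REORDERED_DST, other),    # allow
        "reordered_dst_outsider": evaluate(REORDERED_DST, outsider),  # deny: not localnet
    }
```

Running `demo()` gives the three outcomes side by side: the order as posted allows the Google request, the reordered config with the original `src` ACLs still allows it, and only the reordered config with `dst`/`dstdomain` ACLs denies it while still allowing other LAN traffic and denying everyone else.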

