On Tue, 24 Feb 2004, Eric Kahklen wrote:

> Now that I have my squid accelerator working, I need to tighten down my
> ACL's. I am allowing SSL traffic in for the reverse proxying of OWA. I
> am not offering any other proxying services. Any comments or
> suggestions on improving/securing this would be appreciated. Here are
> the ACL's I have that were combined with the default conf file:
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT


A bit overkill for the above situation.

> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager


Ok.

> # Deny requests to unknown ports
> http_access deny !Safe_ports


Ok if this was a Internet proxy.

> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports


As above.

> #MY ADDITIONS PER Squid The Definitive Guide - 2/23/04
> acl Exchangebox dst 10.0.0.5
> http_access allow Exchangebox
> http_access deny all


Ok.

> # And finally deny all other access to this proxy
> http_access allow localhost


What is this? Clearly not what the comment claims. But you have already
denied everything above so it can never get here.

> # and finally allow by default
> http_reply_access allow all


Ok. Does not need to be specified.

> #Allow ICP queries from everyone
> icp_access allow all


You don't want ICP in a reverse proxy. In fact I would recommend you to
distable icp entirely (see icp_port).





I would propose something like the following configuration for your
reverse proxy:

# Base ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http protocol http
acl port80 port 80
acl https protocol https
acl port443 port 443

# Only allow cachemgr access from localhost
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

# Allow access to our servers
acl Exchangebox dst 10.0.0.5
http_access allow https port443 Exchangebox

[or if you are using Squid-3 with cache_peer based forwarding]

acl Exchangebox dstdomain the.official.fqdn.requested.by.clients
http_access allos https port443 Exchangebox

# And finally deny all other access to this proxy
http_access deny all

# Disable ICP
icp_port 0



Regards
Henrik