Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] OWA with squid 2.5 stable6, problem with connect
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Wed, 23 Mar 2005 13:05:05 +0100
  • Message-id: <42415B71.2020309@xxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dörfler Andreas wrote:

> hi there,
>
> after reading multiple sites over a long time I hope I'm getting
> help via this list, I'm running crazy here
>
> scheme:
>
> client (www) -> squid (www - public ip) -> firewall -> owa (lan -
> private ip)
>
> squid.conf:
>
> visible_hostname host.domain.tld
> https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
> hosts_file /etc/squid/hosts
> http_port 127.0.0.1:8080
>
> httpd_accel_host srv066
> httpd_accel_port 80
> httpd_accel_uses_host_header off
> httpd_accel_single_host on
> httpd_accel_with_proxy off
>
> acl acl_testmail dstdomain srv066
> http_access allow acl_testmail
>
> acl to_index urlpath_regex /$
> acl to_favicon urlpath_regex /favicon.ico$
> acl to_exchange urlpath_regex /exchange
> http_access allow to_index
> http_access allow to_favicon
> http_access allow to_exchange
>
> acl all src 0.0.0.0/0.0.0.0
> header_access Accept-Encoding deny all
> never_direct allow all
> http_access deny all
>
>
> when I try the connect via https://host.domain.tld, the following
> error occurred:
>
> While trying to retrieve the URL: http://srv066
>
> The following error was encountered:
>
> * Unable to forward this request at this time.
>
> This request could not be forwarded to the origin server or to any
> parent caches. The most likely cause for this error is that:
>
> * The cache administrator does not allow this cache to make direct
> connections to origin servers, and * All configured parent caches
> are currently unreachable.
>
>
>
> it's an urgent problem, so I hope to get help here
>
> greetings andy

What about port-acls?

#Recommended minimum configuration:
#acl all src 0.0.0.0/0.0.0.0
#acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255
#acl SSL_ports port 443 563
#acl Safe_ports port 80 # http
#acl Safe_ports port 21 # ftp
#acl Safe_ports port 443 563 # https, snews
#acl Safe_ports port 70 # gopher
#acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280 # http-mgmt
#acl Safe_ports port 488 # gss-http
#acl Safe_ports port 591 # filemaker
#acl Safe_ports port 777 # multiling http
#acl CONNECT method CONNECT

Point #1: Before getting access to any port it is useful to get
correct acls for all used ports.

Point #2: Is there a listen-port configured to let your squid run on
https-port?

Point #3: Is there a reason for caching https content, as this is
insecure and https should not be cached?!

Point #4: I would do this with safe ports:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Philippe

- --
This message is digitally signed and contains neither seal nor
signature!

Unsolicited sending of advertising e-mail to private individuals
violates §1 UWG and 823 I BGB (ruling of LG Berlin of 2.8.1998, case
no. 16 O 201/98). Any commercial use of the transmitted personal data,
as well as passing it on to third parties, is expressly prohibited!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQD1AwUBQkFbcUNg1DRVIGjBAQK1LAb/UNn/P17y73w3Jz/j1a54u0yJPryuia+j
U5TFbvm6kh3RUceCuUcDA7rSDZYkN6WxN6DHP7MH7AMdRoXDuRpWEjysWNOEijWm
yujDzrBaDbPwsSBGCXmw2fy5z5QvwQ6nVQ+i7zrvm8jiV8YCylpnKH1ISW7rIplg
gLbWX6v/FUBbg3ADoqgIKQJtnM1Nv7FtmjrWc484BZ2l1GQP5BPUi8ej2KT5lhEE
RpihRUxV5SHZavdQLsEnRcm8m5pbYmdQ4YMWcHbkLLZJxasbGElS/6oTl1z7Fq/l
VzTsG65+dbc=
=pWIK
-----END PGP SIGNATURE-----
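The following linter is an added example for this archive page, not code from either mail. It parses the squid.conf that Andreas posted (reproduced inline, reformatted one directive per line) and checks it against Philippe's points: whether any `port` ACLs exist, whether `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` are present, and whether every ACL an `http_access` rule references was defined earlier in the file. It also flags the combination the error text points at: `never_direct allow all` with no `cache_peer` defined, which in Squid forces every request through a parent and, with no parent configured, yields "Unable to forward this request at this time". That last rule is my reading of Squid 2.5 semantics and is an assumption, as is the hardened configuration used for comparison (it drops `never_direct` rather than adding a `cache_peer`, so the accelerator goes direct to the origin).

```python
"""Lint a Squid 2.5-style squid.conf for the access-control points raised in
this thread.  Added example, not code from the original mails; the check
rules encode my reading of Squid 2.5 semantics and are assumptions."""
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]


def parse_squid_conf(text: str) -> List[Directive]:
    """Split squid.conf into (directive, args) pairs; '#' starts a comment.
    Sufficient for this config, where no regex argument contains '#'."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives.append((parts[0], parts[1:]))
    return directives


def lint_squid_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    acls: Dict[str, str] = {}           # acl name -> acl type, in definition order
    http_access: List[List[str]] = []   # rule args, e.g. ["deny", "CONNECT", "!SSL_ports"]
    has_cache_peer = False
    never_direct_all = False
    findings: List[str] = []

    for name, args in parse_squid_conf(text):
        if name == "acl" and len(args) >= 2:
            acls[args[0]] = args[1]
        elif name == "http_access" and args:
            # Squid only knows ACLs that were defined earlier in the file.
            for token in args[1:]:
                if token.lstrip("!") not in acls:
                    findings.append(
                        f"http_access rule '{' '.join(args)}' uses undefined acl '{token}'")
            http_access.append(args)
        elif name == "cache_peer":
            has_cache_peer = True
        elif name == "never_direct" and args == ["allow", "all"]:
            never_direct_all = True

    if "port" not in acls.values():
        findings.append("no 'acl NAME port ...' definitions (Point #1: Safe_ports/SSL_ports missing)")
    if ["deny", "!Safe_ports"] not in http_access:
        findings.append("missing 'http_access deny !Safe_ports' (Point #4)")
    if ["deny", "CONNECT", "!SSL_ports"] not in http_access:
        findings.append("missing 'http_access deny CONNECT !SSL_ports' (Point #4)")
    if never_direct_all and not has_cache_peer:
        # Assumption about Squid semantics: never_direct allow all forbids going to
        # the origin, so with no cache_peer Squid reports "Unable to forward".
        findings.append("'never_direct allow all' with no cache_peer: Squid cannot forward any request")
    return findings


# The configuration from Andreas' mail, reformatted one directive per line.
POSTED_CONF = """\
visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
hosts_file /etc/squid/hosts
http_port 127.0.0.1:8080
httpd_accel_host srv066
httpd_accel_port 80
httpd_accel_uses_host_header off
httpd_accel_single_host on
httpd_accel_with_proxy off
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
acl to_index urlpath_regex /$
acl to_favicon urlpath_regex /favicon.ico$
acl to_exchange urlpath_regex /exchange
http_access allow to_index
http_access allow to_favicon
http_access allow to_exchange
acl all src 0.0.0.0/0.0.0.0
header_access Accept-Encoding deny all
never_direct allow all
http_access deny all
"""

# Constructed hardened variant (assumption): port ACLs and the two deny rules
# from Philippe's reply added, never_direct dropped so the accelerator goes direct.
HARDENED_CONF = """\
visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
http_port 127.0.0.1:8080
httpd_accel_host srv066
httpd_accel_port 80
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in lint_squid_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the four findings against the posted configuration and none against the hardened one; point `lint_squid_conf` at the contents of a real squid.conf to check a live accelerator setup the same way.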
