Hi Niall,
If it's a serious squid box I'd suggest moving to 2.4, it's a lot more
stable. As for the ACLs this should explain it a bit better than
squid.conf.
http://squid.visolve.com/squid24s1/access_controls.htm
Now for the specific version:

acl localhost src 127.0.0.1/255.255.255.255
acl manager proto cache_object
http_access allow manager localhost

This defines 2 ACLs, then allows access when both are satisfied (coming
from localhost for protocol cache_object). If you want to browse from
localhost you can just add in the following:

http_access allow localhost

Hope this clears it up,
Fergus.
Niall O Broin wrote:
> I'm in the process of upgrading my main box to SuSE 7.1 (yes, thank you, I
> know 7.2 is out now) and it's hurting my head in numerous ways. The latest
> is Squid. I've installed Squid 2.3 and have it pointing to my existing squid
> cache directory. I have a squid configuration file with acls defined like
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl localnet src 192.168.1.0/255.255.255.0
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> and http_access rules like
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> #
> http_access allow localnet
> http_access deny all
>
> yet it didn't allow access to the box it's running on. I fixed this by
> adding in a line with
>
> http_access allow localhost
>
> but why doesn't the line
>
> http_access allow manager localhost
>
> allow this ? Does that line mean
>
> allow access for protocol cache_object from source localhost
>
> or does it mean
>
> allow access for protocol cache_object, source localhost
>
> I seem to have very little squid documentation, and the sample configuration
> file says
>
> http_access allow|deny [!]aclname ...
>
> but there's no indication as to what the ellipsis means here - does it mean
> that access will be allowed/denied to a list of acls, or only to traffic
> matching all the acls specified. Does ... mean union or intersection in this
> case ? I'd normally take it to mean union, but in this case it seems to mean
> intersection.
>
> Regards,
>
> Niall
>
> --
> Irish Linux Users' Group: ilug at linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
> List maintainer: listmaster at linux.ie
--
Eolach - Ireland's leading Open Source consultancy
email: info at eolach.com web: http://www.eolach.com
tel: (+353) 1 874 0510 fax: (+353) 1 874 0515
newsletter: http://www.eolach.com/open-source-news