From: amosjeffries <>
Date: Tue, 16 Oct 2007 18:56:51 +0000 (+0000)
Subject: Alter policy of ICP and HTCP access to default allow only local networks
X-Git-Tag: SQUID_3_0_STABLE1~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee776778fb067fbc0152d242dbc93a0df299b78b;p=thirdparty%2Fsquid.git

Alter policy of ICP and HTCP access to default allow only local networks

Modifies both icp_access and htcp_access from recommended 'allow all' to a default 'deny !localnet' with a fallback default 'deny all' if the recommended icp/htcp access are removed or commented out.

Adds localnet acl by default the RFC1918 reserved private space to support the use of localnet acl in the above.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index db7ed21b0b..9a2b42541f 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.481 2007/10/13 06:57:40 amosjeffries Exp $
+# $Id: cf.data.pre,v 1.482 2007/10/16 12:56:51 amosjeffries Exp $
 #
 # SQUID Web Proxy Cache http://www.squid-cache.org/
 # ----------------------------------------------------------
@@ -600,10 +600,18 @@ acl javascript rep_mime_type -i ^application/x-javascript$
 NOCOMMENT_START
 #Recommended minimum configuration:
-acl all src 0.0.0.0/0.0.0.0
+acl all src all
 acl manager proto cache_object
-acl localhost src 127.0.0.1/255.255.255.255
+acl localhost src 127.0.0.1/32
 acl to_localhost dst 127.0.0.0/8
+#
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+#
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp 
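Review bot: The new `acl localnet` definition covers the entire RFC1918 space by default, and because the later hunk turns `http_access allow localnet` into a live (uncommented) rule, a fresh install now accepts browsing, ICP and HTCP from any private-address source that can reach the proxy, not just the operator's own LAN; on a multi-homed or hosted box that is a much wider default than the old commented-out `our_networks` example. The comment above the three `acl localnet` lines only says to "adapt" the list; it should state plainly that the supplied ranges are placeholders spanning all private space and that this one ACL also gates icp_access and htcp_access further down, so an administrator knows the blast radius of leaving it untouched. Suggested wording for the comment block: `# The ranges below are the whole RFC1918 private space; replace them with` / `# the networks you actually serve. localnet also controls icp_access and` / `# htcp_access, so it should not be wider than your own infrastructure.` The rest of the recommended-minimum block continues past the end of this hunk.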
@@ -660,11 +668,10 @@ http_access deny CONNECT !SSL_ports
 #
 # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
-# Example rule allowing access from your local networks. Adapt
-# to list your (internal) IP networks from where browsing should
-# be allowed
-#acl our_networks src 192.168.1.0/24 192.168.2.0/24
-#http_access allow our_networks
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
+http_access allow localnet
 # And finally deny all other access to this proxy
 http_access deny all
@@ -702,8 +709,8 @@ DOC_START
 See http_access for details
 NOCOMMENT_START
-#Allow ICP queries from everyone
-icp_access allow all
+#Allow ICP queries from local networks only
+icp_access deny !localnet
 NOCOMMENT_END
 DOC_END
@@ -725,8 +732,10 @@ DOC_START
 deny all traffic. This default may cause problems with peers using the htcp or htcp-oldsquid options.
-#Allow HTCP queries from everyone
-htcp_access allow all
+NOCOMMENT_START
+#Allow HTCP queries from local networks only
+htcp_access deny !localnet
+NOCOMMENT_END
 DOC_END
 NAME: htcp_clr_access
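Review bot: `icp_access deny !localnet` is the only icp_access line in the recommended block, so ICP queries from localnet are admitted not by any visible allow but by Squid's implicit behaviour that a request matching no line receives the opposite of the last line's action; the policy reads as "deny" while its effect is "allow localnet". That is fragile — anyone who appends a further deny or allow changes the fall-through result without touching this line. Make the intent explicit with `icp_access allow localnet` followed by `icp_access deny all`, which yields the same result and is robust to later edits. It is also worth a comment such as `# relies on the localnet acl from the recommended minimum configuration`, since removing that ACL presumably turns this line into a config-parse failure rather than the "deny all" fallback the commit message describes for a removed icp_access line.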
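Review bot: `htcp_access deny !localnet` has the same shape as the ICP change: no explicit allow, so localnet peers are admitted only through the implicit opposite-of-last-rule fall-through, and the DOC_START text directly above already warns that a deny default "may cause problems with peers using the htcp or htcp-oldsquid options". Peers outside RFC1918 — the very case that text is about — are now blocked unless the admin adds an allow ahead of this line, and nothing in the new NOCOMMENT block says so. Prefer the explicit pair `htcp_access allow localnet` / `htcp_access deny all`, and add a one-line pointer such as `# peers outside localnet need an explicit htcp_access allow before the deny` so the warning in the DOC text and the shipped default agree. The enclosing htcp_access DOC_START block begins before this hunk.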