I'm trying to configure a Squid3 proxy server that any IP address on the internet can access, but the default settings are horrible, and whatever I do it keeps giving TCP_DENIED/403.

What's the minimum config that enables me:

  • Any IP address can access
  • All out ports are accessible
  • SSL + CONNECT enabled

I'll then start implementing further features, however right now I keep getting this error in all configurations I've tried.

dr. evil

  • This sounds like a Really Bad Idea. And I'm having a lot of difficulty coming up with a scenario where we might do this in a **professional** environment. – Michael Hampton Jun 10 '13 at 17:29
  • Does ServerFault require that all questions relate to a professional environment? – Paul Gear Jun 14 '13 at 00:24
  • @PaulGear http://serverfault.com/help/on-topic - so, yes. – Nathan C Jun 16 '13 at 22:23
  • Fair enough. That reduces the likelihood that this is on-topic. ;-) – Paul Gear Jun 17 '13 at 06:53
  • @MichaelHampton "Professionals" can't run proxy businesses now? – TheLQ Jun 17 '13 at 17:16
  • @TheLQ Professional proxy businesses don't have wide open proxies. That just invites abuse and will likely result in immediate blacklisting by RBLs and such. – Nathan C Jun 18 '13 at 11:22
  • My two cents - I could see where you own a firewall and DMZ and POST the DMZ you don't want to care/bother with setting up yet-another seemingly pointless security check that has a cost structure associated with maintaining it. Specifically - you may be on EC2 with security groups that block all but specific IPs, and then also have a VIP, but INSIDE your protected network, you want anybody to have access to a proxy. However, this is a very small edge case. – terrance.a.snyder Apr 15 '16 at 17:25

2 Answers

Although a Really Bad Idea™, just add acl all src all to the top of your ACL list.

Again, this is not a good idea whatsoever.

Nathan C

Like the other posters, I'm going to call this a bad idea until proven otherwise (although I can think of a couple of good reasons to do it).

Instead of the acl suggested by Nathan C, I'd suggest:

  • http_access allow all (instead of http_access deny all, which is the default)
  • acl Safe_ports port 1-65535 (instead of the Safe_ports entries in the default config)
  • acl SSL_ports port 1-65535 (instead of the SSL_ports entries in the default config)
  • If you're trying to create an anonymised service, set forwarded_for off and via off.

Again, do you really want to do this?

Paul Gear