Avoid Locking Yourself When You Are Configuring Policies In Access Restrictions

From Secure Web Gateway
Revision as of 16:17, 13 December 2018 by Samidha12 (talk | contribs)
Jump to: navigation, search

Client Scenario

When you are trying to create policies in the Access Restrictions section of SafeSquid you may get locked out yourself. Solution to prevent yourself from those situations.

How the policies work

SafeSquid actually evaluates entries in the Access Restrictions one by one from top-down order matching each entry with the connection. Once a entry with an IP address or the user name matches a connection, the following entries will not be evaluated against that connection.

So once you are trying to create a entry in the Access Restrictions, always make sure that there is at least one entry which is going to allow you to access the web interface (http://safesquid.cfg/). This in other words means that there must be a entry that matches your connections and has Web interface (Config) selected from the Access field.


Consider a scenario where you have three entries in Allow list of Access Restrictions section

  • To access web interface via SSH tunnel.
  • To bypass authentication.
  • You're accessing the internet.

You have created another entry in which you have removed the Web interface in the Access field and added it. The entry is added as fourth one and you have moved it to 3rd by clicking on move up. Now the third entry matches your connections (since first is for SSH tunnels and second is for AUTHENTICATION BYPASS profile) in which you have disabled the Web interface. So you will be locked out and given a template Access Denied.

To avoid this kind of situation, you always need to maintain a entry that allows you to access the Web interface.

How to come out when you are locked yourself:

  • You have a couple of options to get of this situation. If you have a possibility to restart the SafeSquid service, just do a restart.

Check this Link for restarting SafeSquid from the terminal(Linux box).

  • If you do not have a choice to restart the service, take an SSH tunnel and access the interface and correct the entries.

Check this Link to access the Web interface by taking an SSH tunnel.