RE: [squid-users] Blocked strings overriding permitted URL's

> -----Original Message-----
> From: Palula Brasil [mailto:palula@uol.com.br]
> Sent: Wednesday, February 01, 2006 1:29 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Blocked strings overriding permitted URL's
>
>
> Hi there everyone!
>
> I'm having a problem regarding my squid configuration.
> I read on the Visolve site that Squid reads the squid.conf
> line by line and
> that when it encounters a blocking line, it blocks but passes
> on through
> reading subsequent lines. And when it finds a line that matches a
> permission, stops right away.

From what I can see, Visolve still only has manuals for 2.4 and 3.0 (which is not production ready yet). Disregard their website as a source of information on 2.5. Squid will process access lists until it finds a matching entry (irrespective of whether it is an allow or deny), so you want to put your access lists in "specific" order (the more specific the match, the further up the chain it should be).

>
> My problem is that, based on this,

That is indeed the problem.

> I wrote all of my blocking
> rules above
> the permissive lines and all has been working fine util this
> problem I went
> through yesterday. I have a file called bad_strings.acl wich
> has a lot of
> words for squid to block (i.e. hacker, cracker, serialz,
> warez etc). And I
> have a file of permitted URL's (permitted.acl) wich contains
> URL's that
> should be Ok to access.
>
> The problem is that I tried to access www.hackerwatch.org
> yesterday and the
> hit was blocked. Anyway it should because hackerwatch has the
> string hacker
> on the URL. So I added www.hackerwatch to the permitted.acl
> (remember that
> squid reads all the blocking rules but passes on until it
> finds a positive)
> and still the site is being blocked.

Make a new acl using the dstdomain element such as...

acl allowed_sites dstdomain .hackerwatch.org

...and put the matching "http_access allow" line above the line denying access to the list of words.

>
> Can somebody help me out?
> Thanks a lot!
>
>

Chris
Received on Wed Feb 01 2006 - 12:55:42 MST