Re: [squid-users] Blocking Orkut (https problem)

From: Chris Robertson <crobertson@dont-contact.us>
Date: Tue, 17 Oct 2006 15:34:00 -0800

Palula Brasil wrote:
> Here is the config for my acls:
>
> acl all src 0/0
> acl minha_rede src x.x.x.x/24 (My LAN IPs)
> acl lan_bloqueada src "/etc/squid/int_blocked_ips.acl"
> acl lan_liberada src "/etc/squid/int_permit_ips.acl"
> acl bad_strings url_regex -i "/etc/squid/bad_strings.acl"
> acl bad_ips dst "/etc/squid/bad_ips.acl"
> acl bad_sites dstdomain "/etc/squid/bad_sites.acl"
> acl bad_files urlpath_regex "/etc/squid/bad_files.acl"
> acl good_strings url_regex -i "/etc/squid/good_strings.acl"
> acl good_sites dstdomain "/etc/squid/permitted.acl"
> acl unproductive dstdomain "/etc/squid/unproductive.acl"
> acl unprod_strings url_regex -i "/etc/squid/unprod_strings.acl"
> acl trabalho time MTWHF 12:00-13:30
> acl nao_trabalho time SA
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl ssl_ports port 443 563
> acl CONNECT method CONNECT
>
> acl safe_ports port 80 # http
> acl safe_ports port 21 # ftp
> acl safe_ports port 443 # https
> acl safe_ports port 563 # snews
> acl safe_ports port 70 # gopher
> acl safe_ports port 210 # wais
> acl safe_ports port 1025-65535 # unregistered ports
> acl safe_ports port 280 # http-mgmt
> acl safe_ports port 488 # gss-http
> acl safe_ports port 591 # filemaker
> acl safe_ports port 777 # multiling http
>
> And here is the order of the ACLs
>
> #http_access deny lan_bloqueada
> http_access deny bad_sites !good_sites
> http_access deny bad_strings !good_strings
> http_access deny bad_ips
> http_access deny bad_files
> #http_access deny trabalho !nao_trabalho unproductive
> #http_access deny trabalho !nao_trabalho unprod_strings
> http_access deny CONNECT !ssl_ports
> http_access allow safe_ports
> http_access allow manager localhost
> http_access deny manager
> http_access allow minha_rede
>
> http_access deny all
>
> The place where I put orkut to be blocked is in the bad_sites acl.
> Thank you.
>
>
Can you give an example of the bad_sites file? Are you specifically
blocking www.orkut.com or are you blocking .orkut.com (note the leading
period)? Are you sure it's not also in the good_sites file?

Also, you might want to change the "http_access allow minha_rede" to
"http_access deny !minha_rede" and put it above any of the "http_access
allow" lines. Otherwise, "http_access allow safe_ports" matches will
let anyone surf to sites that are not explicitly blocked regardless of
where they are coming from.

Chris
Received on Tue Oct 17 2006 - 17:34:40 MDT
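
Added example (not part of the original message, and not Squid code): a simplified Python model of first-match http_access evaluation, illustrating the two points in the reply above, the leading period in a dstdomain entry and the position of the minha_rede rule. The LAN range 192.0.2.0/24, the client addresses and the host names are constructed, and good_sites is assumed to be empty.

```python
import ipaddress

# Constructed stand-in for the elided x.x.x.x/24 LAN range in the post.
LAN = ipaddress.ip_network("192.0.2.0/24")
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

def dstdomain_match(entry, host):
    """'.orkut.com' matches the domain and every subdomain;
    'www.orkut.com' matches that one host name only."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def make_acls(bad_sites):
    """Build the ACLs used below; good_sites is assumed to be empty."""
    return {
        "minha_rede": lambda r: ipaddress.ip_address(r["src"]) in LAN,
        "bad_sites": lambda r: any(dstdomain_match(e, r["host"]) for e in bad_sites),
        "safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
        "all": lambda r: True,
    }

def http_access(rules, acls, req):
    """Return the action of the first rule whose ACLs all match ('!' negates)."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both rule lists end with 'deny all'

# Rule order as posted (reduced to the lines that matter for this point).
ORIGINAL = [("deny", ["bad_sites"]), ("allow", ["safe_ports"]),
            ("allow", ["minha_rede"]), ("deny", ["all"])]
# Order suggested in the reply: 'deny !minha_rede' above every allow line.
SUGGESTED = [("deny", ["!minha_rede"]), ("deny", ["bad_sites"]),
             ("allow", ["safe_ports"]), ("deny", ["all"])]

if __name__ == "__main__":
    outsider = {"src": "203.0.113.7", "host": "example.com", "port": 80}
    lan_user = {"src": "192.0.2.10", "host": "mail.orkut.com", "port": 443}
    acls = make_acls([".orkut.com"])
    print("outsider, original order: ", http_access(ORIGINAL, acls, outsider))
    print("outsider, suggested order:", http_access(SUGGESTED, acls, outsider))
    for entry in ("www.orkut.com", ".orkut.com"):
        verdict = http_access(SUGGESTED, make_acls([entry]), lan_user)
        print(f"LAN user to mail.orkut.com with {entry!r}: {verdict}")
```

With the posted order, a client outside the LAN is allowed by the safe_ports line before the minha_rede line is ever consulted; with the suggested order the same request is denied.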
