[squid-users] Squid Allowing Sites Not In Any Allow List - Why?

From: cosmo kramer <needseinfeldepisodes@dont-contact.us>
Date: Wed, 21 Feb 2007 18:01:21 -0800 (PST)

Hello,
   
  I am having a problem with Squid allowing some websites that are not
in any of our allow lists. For example, I can get to Nike.com, but there
is no such entry in any of my allow lists (not only Nike.com, but
approximately 15-25% of websites I try that are not on either of the
allow lists). I have looked around the FAQ and Googled the problem, but
have yet to find something similar.
   
  Here are some specs/code:
   
  ##########################
  # squid.conf #
  ##########################
   
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl to_localhost dst 127.0.0.0/8
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  ## acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  ## acl Safe_ports port 70 # gopher
  ## acl Safe_ports port 210 # wais
  ## acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  ## acl Safe_ports port 591 # filemaker
  ## acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
   
  acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
  acl proxy_a_users external win_domain_group group_proxy_a
  acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
  acl proxy_b_users external win_domain_group group_proxy_b
  acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"
   
  http_access allow proxy_a_users proxy_a_sites
  http_access allow proxy_b_users proxy_b_sites
  http_access deny all
   
   
  ###############################
  # proxy_a_sites.txt #
  ###############################
   
.yahoo.com
.lycos.com
.google.com
.altavista.com
.ask.com
   
   
  ###############################
  # proxy_b_sites.txt #
  ###############################
  
.toyota.com
.honda.com
.nissan.com
.gm.com
.chevy.com
.ford.com

   
  ###############################
  # snippet from access.log #
  ###############################
   
1172074611.894 172 xxx.xxx.xxx.xxx TCP_MISS/200 5422 GET http://www.nike.com/renov/common/js/utils.js;bsessionid=JCVEUIMR31NY0CQFTC2CF4YKAWMLSIZB DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.081 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1836 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
1172074612.081 187 xxx.xxx.xxx.xxx TCP_MISS/200 3169 GET http://www.nike.com/renov/nikeshell/common/v2/web/history.html? DOMAIN\username DIRECT/72.246.72.212 text/html
1172074612.097 16 xxx.xxx.xxx.xxx TCP_DENIED/407 2058 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
1172074612.097 453 xxx.xxx.xxx.xxx TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\username DIRECT/65.55.195.252 -
1172074612.284 359 xxx.xxx.xxx.xxx TCP_MISS/200 1935 GET http://www.nike.com/renov/nikeshell/common/v2/web/main.html DOMAIN\username DIRECT/72.246.72.212 text/html
1172074612.347 250 xxx.xxx.xxx.xxx TCP_MISS/200 5421 GET http://www.nike.com/renov/common/js/utils.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.363 579 xxx.xxx.xxx.xxx TCP_MISS/200 6167 CONNECT urs.microsoft.com:443 DOMAIN\username DIRECT/65.55.195.252 -
1172074612.738 329 xxx.xxx.xxx.xxx TCP_MISS/200 7267 GET http://www.nike.com/renov/common/js/swfobject.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.753 390 xxx.xxx.xxx.xxx TCP_MISS/200 13481 GET http://www.nike.com/renov/nikeshell/common/v2/web/javascriptflashgateway/javascriptflashgateway.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.925 172 xxx.xxx.xxx.xxx TCP_MISS/200 724 GET http://www.nike.com/renov/common/metrics/bluestreak.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.941 172 xxx.xxx.xxx.xxx TCP_MISS/200 2330 GET http://www.nike.com/renov/nikeshell/common/v2/web/javascriptflashgateway/javascriptflashgateway.swf DOMAIN\username DIRECT/72.246.72.212 application/x-shockwave-flash
1172074614.300 1359 xxx.xxx.xxx.xxx TCP_MISS/200 100033 GET http://www.nike.com/renov/nikeshell/common/v2/web/framework.swf DOMAIN\username DIRECT/72.246.72.212 application/x-shockwave-flash
1172074614.566 266 xxx.xxx.xxx.xxx TCP_MISS/200 4272 GET http://www.nike.com/favicon.ico DOMAIN\username DIRECT/72.246.72.212 text/plain
1172074614.691 250 xxx.xxx.xxx.xxx TCP_MISS/200 5856 GET http://fpdownload.macromedia.com/pub/flashplayer/update/current/swf/autoUpdater.swf? DOMAIN\username DIRECT/72.246.90.70 application/x-shockwave-flash
1172074614.831 140 xxx.xxx.xxx.xxx TCP_MISS/200 457 GET http://fpdownload.macromedia.com/get/flashplayer/update/current/xml/express/version_win_ax.xml? DOMAIN\username DIRECT/72.246.90.70 text/xml
1172074615.128 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1770 CONNECT www.macromedia.com:443 - NONE/- text/html
1172074615.144 16 xxx.xxx.xxx.xxx TCP_DENIED/407 1992 CONNECT www.macromedia.com:443 - NONE/- text/html
1172074621.878 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1791 CONNECT fpdownload.macromedia.com:443 - NONE/- text/html
1172074621.894 0 xxx.xxx.xxx.xxx TCP_DENIED/407 2013 CONNECT fpdownload.macromedia.com:443 - NONE/- text/html
1172074645.191 157 xxx.xxx.xxx.xxx TCP_MISS/200 688 GET http://www.nike.com/services/yellowPageService.xml? DOMAIN\username DIRECT/72.246.72.212 text/xml
   
  Running Squid 2.6STABLE9 on a M$ box (long story). The users appear to
authenticate correctly, and in a very limited way Squid is functioning.
After reading, I cannot find a similar case where Squid is allowing
things that don't exist in an allow list, and with this small of a test
ACL list/user group, I don't think it is an ACL problem or conflict.

  Any ideas or help would be greatly appreciated. Thanks.

 
Received on Wed Feb 21 2007 - 19:01:38 MST
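
Added example, not part of the original post and not Squid code: a small Python model of how the two `dstdom_regex` lines in the posted squid.conf would match, under the assumption that Squid reads the literal token `[-i]` as a regular-expression pattern (a bracket expression matching `-` or `i`) rather than as the `-i` case-insensitivity option. Host names come from the posted access.log; `parse_regex_acl`, `matching` and `compare` are hypothetical helper names, and Python's `re` stands in for Squid's regex library.

```python
import re

# Entries copied from proxy_a_sites.txt as quoted in the post.
PROXY_A_SITES = [".yahoo.com", ".lycos.com", ".google.com",
                 ".altavista.com", ".ask.com"]

# Host names that appear in the posted access.log snippet.
LOG_HOSTS = ["www.nike.com", "urs.microsoft.com",
             "fpdownload.macromedia.com", "www.macromedia.com"]


def parse_regex_acl(tokens):
    """Assumed model of a regex ACL argument list: a bare -i turns on
    case-insensitive matching; any other token is compiled as a pattern."""
    flags, patterns = 0, []
    for tok in tokens:
        if tok == "-i":
            flags = re.IGNORECASE
        else:
            patterns.append(re.compile(tok, flags))
    return patterns


def matching(patterns, host):
    """Return the patterns that match host, using an unanchored search."""
    return [p.pattern for p in patterns if p.search(host)]


def compare(hosts):
    """Map host -> (matches with literal "[-i]", matches with bare "-i")."""
    as_posted = parse_regex_acl(["[-i]"] + PROXY_A_SITES)
    bare_flag = parse_regex_acl(["-i"] + PROXY_A_SITES)
    return {h: (matching(as_posted, h), matching(bare_flag, h)) for h in hosts}


if __name__ == "__main__":
    # www.example.org and WWW.Yahoo.com are constructed test hosts:
    # neither contains "-" or a lowercase "i".
    extra = ["www.example.org", "WWW.Yahoo.com"]
    for host, (posted, bare) in compare(LOG_HOSTS + extra).items():
        print(f"{host:28} as posted: {posted!s:10} with -i: {bare}")
```

Under that assumption, every host in the log matches only because it contains an `i`, while a listed site written in upper case is missed because no case-insensitive flag was actually set.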

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST