RE: [squid-users] New Setup help

From: Jim Lawrence <jim_at_pointnclickpcs.com>
Date: Mon, 23 Feb 2009 18:47:11 -0500

Current config

http_port 192.168.31.3:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /var/spool/squid 1000 16 256
access_log /var/log/squid/access.log squid
dns_nameservers 192.168.31.11
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl good_url dstdomain "/etc/squid/allowed_sites.squid"
acl pnc_network src 192.168.31.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow good_url
http_access deny all
visible_hostname VIRT1
coredump_dir /var/spool/squid

[root_at_VIRT1 ~]# tail -12 /var/log/squid/access.log
1235431489.584 1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431489.599 0 192.168.31.12 TCP_DENIED/403 1434 GET http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
1235431513.168 0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431526.782 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499 0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235431851.577 0 192.168.31.12 TCP_DENIED/403 1428 GET http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
1235432020.747 2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235432022.176 2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235432030.656 4 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235432036.294 2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235432087.084 2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
[root_at_VIRT1 ~]#
-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, February 23, 2009 5:53 PM
To: Jim Lawrence
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] New Setup help

> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
> centos squid server.
> Client computers (8)
>
> Would like to have all web traffic blocked except websites defined in a
> allowed_sites.squid config file.
> My squid.conf file
>
> Should my squid server have 2 network cards or can I leave it with the one
> ?

One or two, it does not matter to the problem you currently have.

>
> +++++++
> [root_at_VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
> http_port 192.168.31.3:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_dir ufs /var/spool/squid 1000 16 256
> access_log /var/log/squid/access.log squid
> dns_nameservers 192.168.31.11
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
> acl pnc_network src 192.168.31.0/255.255.255.0
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

> http_access allow good_url

 * permits anyone who can contact your squid to connect to any of the
listed sites. Probably don't want that ...

 * Or maybe you intended to be a reverse-proxy/accelerator for internal
sites?
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

To enact your stated "all web traffic blocked except websites defined in a
allowed_sites.squid config file"

Add here:
  http_access deny all

drop the following http_access lines:

> http_access deny pnc_network
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname VIRT1
> coredump_dir /var/spool/squid
> ++++++++
>
>
>
> clients cannot access anything.

Is the content of "/etc/squid/allowed_sites.squid"
correctly formatted for dstdomain?

A list of domain names one per line with the following style:

 example.com - matches only example.com domain.

 .example.com - matches example.com and ALL *.example.com sub-domains.

Amos
Received on Mon Feb 23 2009 - 23:39:58 MST
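The two dstdomain entry styles Amos describes (exact host vs. leading-dot sub-domain match) are the usual thing to get wrong in an allow-list file, and the squid-format access.log in the thread is where the symptom shows up. The following script is an added example, not code from the thread or from the Squid project: it parses a constructed allowed_sites file and a constructed sample of squid-format log lines, applies dstdomain-style matching, and reports which denied hosts are not covered by any entry. The allow-list contents, the helper names and the `audit`/`uncovered_hosts` functions are all assumptions made for this illustration.

```python
"""Audit a dstdomain allow-list against hosts seen in a squid-format access.log.

Added example for the thread above; not Squid's own code. The allow-list and
the log excerpt are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed allow-list in the style Amos describes:
#   example.com  -> matches only example.com
#   .example.com -> matches example.com and all sub-domains
ALLOWED_SITES = """
# blank lines and comments are ignored
.google.com
www.americas-pet-store.com
"""

# Constructed squid-format log sample (same field layout as the thread's log):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
ACCESS_LOG = """\
1235431489.584 1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431513.168 0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431526.782 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499 0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
"""


def parse_allowed_sites(text):
    """Return the dstdomain entries, lower-cased, with comments/blanks dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_match(entry, host):
    """dstdomain-style match: a leading dot also covers every sub-domain."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def parse_access_log(text):
    """Return (client, code/status, host) for each squid-format log line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip wrapped or truncated lines
        client, status, url = fields[2], fields[3], fields[6]
        host = urlsplit(url).hostname or ""
        records.append((client, status, host))
    return records


def audit(allowed_text, log_text):
    """Map each logged host to the allow-list entry covering it, or None."""
    entries = parse_allowed_sites(allowed_text)
    coverage = {}
    for _client, _status, host in parse_access_log(log_text):
        if host not in coverage:
            coverage[host] = next(
                (e for e in entries if dstdomain_match(e, host)), None)
    return coverage


def uncovered_hosts(allowed_text, log_text):
    """Sorted list of logged hosts that no allow-list entry matches."""
    return sorted(h for h, e in audit(allowed_text, log_text).items()
                  if e is None)


if __name__ == "__main__":
    for host, entry in audit(ALLOWED_SITES, ACCESS_LOG).items():
        verdict = f"allowed by '{entry}'" if entry else "NOT in allow-list"
        print(f"{host:40} {verdict}")
```

Run against a real allowed_sites.squid and access.log by swapping the two constructed strings for file contents. Hosts that show up as not covered despite being intended are usually a missing leading dot (a bare `example.com` entry never matches `www.example.com`) or a typo in the host, as in the `americas-pet.store.com` line above.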

This archive was generated by hypermail 2.2.0 : Tue Feb 24 2009 - 12:00:01 MST