RE: [squid-users] New Setup help

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Feb 2009 15:47:24 +1300 (NZDT)

> cat /etc/squid/allowed_sites.squid
> *.americas-pet-store.com
> *.petfrenzy.com
> *.google.com
> [root_at_VIRT1 ~]#

There is the problem. The '*' is not a proper part of domain names.
Just begin the partial domains with a '.'

Amos

>
> I did a service squid restart
> And for good measure service squid reload
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, February 23, 2009 8:45 PM
> To: Jim Lawrence
> Cc: Amos Jeffries; squid-users_at_squid-cache.org
> Subject: RE: [squid-users] New Setup help
>
>> Current config
>>
>> http_port 192.168.31.3:3128
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_dir ufs /var/spool/squid 1000 16 256
>> access_log /var/log/squid/access.log squid
>> dns_nameservers 192.168.31.11
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>> acl pnc_network src 192.168.31.0/255.255.255.0
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow good_url
>> http_access deny all
>> visible_hostname VIRT1
>> coredump_dir /var/spool/squid
>>
>>
>> [root_at_VIRT1 ~]# tail -12 /var/log/squid/access.log
>> 1235431489.584 1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
>> 1235431489.599 0 192.168.31.12 TCP_DENIED/403 1434 GET http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
>> 1235431513.168 0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> 1235431526.782 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
>> 1235431547.499 0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
>> 1235431851.235 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235431851.577 0 192.168.31.12 TCP_DENIED/403 1428 GET http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
>> 1235432020.747 2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235432022.176 2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235432030.656 4 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
>> 1235432036.294 2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> 1235432087.084 2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> [root_at_VIRT1 ~]#
>
>
> Assuming you remembered to -k reconfigure squid.
> That leaves the question:
> are any of these actually listed in your allowed_sites.squid file?
>
> mail.google.com
> www.google.com
> .google.com
> www.americas-pet-store.com
> .americas-pet-store.com
> .com
> wiki.squid-cache.org
> .squid-cache.org
> .org
>
>
> Amos
>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> Sent: Monday, February 23, 2009 5:53 PM
>> To: Jim Lawrence
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] New Setup help
>>
>>> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
>>> centos squid server.
>>> Client computers (8)
>>>
>>> Would like to have all web traffic blocked except websites defined in a
>>> allowed_sites.squid config file.
>>> My squid.conf file
>>>
>>> Should my squid server have 2 network cards or can I leave it with the one?
>>
>> One or two, it does not matter to the problem you currently have.
>>
>>>
>>> +++++++
>>> [root_at_VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
>>> http_port 192.168.31.3:3128
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>> acl apache rep_header Server ^Apache
>>> broken_vary_encoding allow apache
>>> cache_dir ufs /var/spool/squid 1000 16 256
>>> access_log /var/log/squid/access.log squid
>>> dns_nameservers 192.168.31.11
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443
>>> acl CONNECT method CONNECT
>>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>>> acl pnc_network src 192.168.31.0/255.255.255.0
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>
>>> http_access allow good_url
>>
>> * permits anyone who can contact your squid to connect to any of the
>> listed sites. Probably don't want that ...
>>
>> * Or maybe you intended to be a reverse-proxy/accelerator for internal
>> sites?
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>
>> To enact your stated "all web traffic blocked except websites defined in a
>> allowed_sites.squid config file"
>>
>> Add here:
>> http_access deny all
>>
>> drop the following http_access lines:
>>
>>> http_access deny pnc_network
>>> http_access allow localhost
>>> http_access deny all
>>> http_reply_access allow all
>>> icp_access allow all
>>> visible_hostname VIRT1
>>> coredump_dir /var/spool/squid
>>> ++++++++
>>>
>>>
>>>
>>> client's cannot access anything.
>>
>> Is the content of "/etc/squid/allowed_sites.squid"
>> correctly formatted for dstdomain?
>>
>> A list of domain names one per line with the following style:
>>
>> example.com - matches only example.com domain.
>>
>> .example.com - matches example.com and ALL *.example.com sub-domains.
>>
>>
>> Amos
>>
>>
>
>
>
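An added example, not part of the thread or of Squid itself: a small Python check that flags '*' entries in a dstdomain list file (the fault Amos identifies above) and approximates the dstdomain matching rules he describes (a bare name matches only itself, a leading '.' also matches every sub-domain). The list contents and the access.log excerpt are constructed copies of what the thread quotes; the matcher is an approximation of Squid's behaviour, not Squid's own code.

```python
from urllib.parse import urlsplit

# Constructed copies of the thread's list: the broken '*.' form and the
# corrected leading-'.' form Amos recommends.
BROKEN_LIST = "*.americas-pet-store.com\n*.petfrenzy.com\n*.google.com\n"
FIXED_LIST = ".americas-pet-store.com\n.petfrenzy.com\n.google.com\n"

# Constructed excerpt of the access.log lines quoted in the thread.
ACCESS_LOG = """\
1235431489.584 1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431513.168 0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431547.499 0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235 0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
"""

def parse_dstdomain_file(text):
    """Return (entries, problems); '*' is not valid in a domain name, so such lines are reported."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()  # squid ignores '#' comments
        if not line:
            continue
        if "*" in line:
            fix = line.lstrip("*")  # '*.google.com' -> '.google.com'
            problems.append(f"line {n}: '{line}' contains '*'; write '{fix}' instead")
            continue
        entries.append(line)
    return entries, problems

def dstdomain_match(host, entries):
    """'example.com' matches only itself; '.example.com' matches it and all sub-domains."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def classify_log(log_text, entries):
    """Allow/deny verdict per requested host; field 7 of squid's native log format is the URL."""
    verdicts = {}
    for line in log_text.splitlines():
        host = urlsplit(line.split()[6]).hostname
        verdicts[host] = "allow" if dstdomain_match(host, entries) else "deny"
    return verdicts
```

With the broken list every host is denied because no usable entry survives parsing; with the corrected list the google.com and americas-pet-store.com hosts pass and wiki.squid-cache.org is still denied, matching the behaviour Amos expects.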
Received on Tue Feb 24 2009 - 02:48:07 MST