Re: [squid-users] acl dstdomains does not block!

From: Bharath Raghavendran <rbharath25_at_gmail.com>
Date: Mon, 6 Apr 2009 20:11:00 +0530

Were you testing it with a non-localhost client? The only line I can
see that can affect it is
"http_access allow localhost" .. which means localhost gets access
irrespective of the http_access directives that come after this one.

btw, although this is not related to the problem, you have
"http_access deny all" after "http_access deny blockedlist" ... which
means even if request isn't in blockedlist, yet it will be denied ...
which kind of makes blockedlist acl useless .. probably you didn't intend
that.

-Bharath

2009/4/6 Leslie Jensen <leslie_at_eskk.nu>
>
>
> > Leslie Jensen wrote:
> >> Hello
> >>
> >> My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine but I can't get the following to work.
> >>
> >> # acl blocked_sites dstdomain .aftonbladet.se.
> >> acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
> >> deny_info ERR_ACCESS_DENIED blocked_sites
> >>
> >> http_access deny blocked_sites
> >>
> >> I've tried both to list the domain in squid.conf and in the file "/usr/local/etc/squid/dstdomain"
> >>
> >> None of the options seems to work, no blocking occurs. If I put in the complete path to the ERR_ACCESS_DENIED, I get an error when I do squid -NCd1
> >>
> >> I suspect that maybe the order of the acl's can affect but I need some help to diagnose the problem.
> >
> > Yes order is important. Squid processes http_access top-down and first match wins.
> >
> > ERR_ACCESS_DENIED is the default page displayed for "http_access deny". You don't have to specify its use.
> >
> > Amos
> > --
>
> Do I dare ask if someone will take a look at my conf file?
>
> I think I'm going blind looking at my rules! I believe I've done it right,
> but obviously I have not. I need the acl dstdomain to work and I can't see
> where I'm wrong.
>
> I've tried to define only one domain and I've tried with a file with domain names, none of them seem to work.
>
> I've also considered the order of my rules but I can't get it to work.
>
> Please help! Thanks
>
> /Leslie
>
>
> ----------------- snip -----------------
> # Squid listens on the loopback and on
> # the internal interface (8080 port)
> #
> # If you run Squid on a dual-homed machine with an internal
> # and an external interface we recommend you to specify the
> # internal address:port in http_port.
> # This way Squid will only be visible on the internal address.
> # transparent to work with PF
> #
> http_port 8080
> # http_port 127.0.0.1:8080 transparent
> # http_port 192.168.0.1:8080 transparent
> #
> # Words defined in this tag when matched in the URLs,
> # directs squid not to query caches.
> # For example dynamic content - php or asp pages.
> #
> hierarchy_stoplist cgi-bin ? php asp
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> #
> # Specify the amount of RAM, to be used for caching the
> # so called: In-Transit objects, Hot Objects,
> # Negative-Cached objects.
> #
> cache_mem 1024 MB
> #
> # If a file size is less than - 1000 MB,
> # squid will place it in cache
> #
> maximum_object_size 1000 MB
> #
> # Define the path to cache directory where all objects
> # which are to be cached are stored:
> # 102400 - is the amount of disk space (MB)
> # to use under /usr/local/squid/cache directory
> # 16 - is the number of first-level subdirectories
> # which will be created under the
> # /usr/local/squid/cache directory
> # 256 - is the number of second-level
> # subdirectories which will be created under
> # each first-level directory
> #
> cache_dir ufs /usr/local/squid/cache 102400 16 256
> #
> # To disable, enter "none". There are not really
> # utilities to analyze this data, so you can safely
> # disable it.
> #
> cache_store_log none
> #
> # Log client request activities to the
> # /usr/local/squid/logs/access.log file
> # using the squid log format
> #
> access_log /usr/local/squid/logs/access.log squid
> #
> logfile_rotate 2
> #
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> #
> # Define access control lists
> # acl all is defined by default in version 3.0 STABLE
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Allow access from your local network.
> # Don't write netmask 192.168.0.0/12 in 3.0STABLE
> #
> # RFC1918 internal network
> #
> acl localnet src 192.168.0.1-192.168.0.254
> #
> # Allow localnet access
> #
> http_access allow localnet
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> # acl Safe_ports port 70 # gopher
> # acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> # acl Safe_ports port 280 # http-mgmt
> # acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> # acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> #
> # Allowing or Denying access based on defined access lists
> # Recommended minimum configuration:
> # Only allow cachemgr access from localhost
> #
> http_access allow manager localhost
> http_access deny manager
> #
> # Only allow purge requests from localhost
> #
> http_access allow PURGE localhost
> http_access deny PURGE
> #
> # Deny requests to unknown ports
> #
> http_access deny !Safe_ports
> #
> # Deny CONNECT to other than SSL ports
> #
> http_access deny CONNECT !SSL_ports
> #
> # Allow the localhost to have access by default
> #
> http_access allow localhost
> #
> # If we want to block certain sites.
> #
> # acl blockedsites dstdomain .aftonbladet.se.
> acl blockedsites dstdomain .squid-cache.org
> # acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
> #
> # Show message when blocked
> # deny_info ERR_ACCESS_DENIED blocked_sites
> #
> http_access deny blockedsites
> #
> # And deny all other access to this proxy
> #
> http_access deny all
> #
> #
> # Allow ICP queries from local networks only
> #
> icp_access allow localnet
> icp_access deny all
> #
> # Define the hostname that will be shown in
> # error messages etc.
> #
> visible_hostname proxy1.somewhere.com
> #
> # Email-address of local cache manager who will receive
> # mail if the cache dies.
> #
> cache_mgr john.doe_at_somewhere.com
> #
> # Speed up the writing of some log files
> #
> buffered_logs on
> #
> coredump_dir /usr/local/squid/cache
> #
>
> ----------------- snip -----------------
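Added example (my own toy code, not Squid's and not from anyone in this thread): a small model of how Squid walks http_access lines top-down and stops at the first line whose ACLs all match. It handles only src, dstdomain and port ACLs, so the manager, PURGE and CONNECT lines of the quoted squid.conf are left out. LESLIE_ORDER keeps the posted rule order, where "http_access allow localnet" is the very first http_access line, so a request from a LAN client to www.squid-cache.org is allowed before "http_access deny blockedsites" is ever reached, and a loopback client is allowed by "http_access allow localhost" for the same reason. FIXED_ORDER is a constructed reordering that puts the dstdomain deny above both allows. The client addresses and host names used in the demo are constructed.

```python
"""Toy model of Squid's first-match http_access evaluation (added example,
not Squid code).  Only src, dstdomain and port ACLs are modelled; the rule
sets below are trimmed from the squid.conf quoted in the thread."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str        # client address (constructed values in the demo)
    host: str       # destination host name
    port: int = 80

def _match_src(spec, req):
    ip = ipaddress.ip_address(req.src)
    if "-" in spec:  # range form, e.g. 192.168.0.1-192.168.0.254
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def _match_dstdomain(spec, req):
    # A leading dot matches the domain itself and every subdomain; without it
    # the host must match exactly.  Trailing dots are stripped here as a
    # simplification; Squid's handling of ".aftonbladet.se." is not modelled.
    host, spec = req.host.lower().rstrip("."), spec.lower().rstrip(".")
    if spec.startswith("."):
        return host == spec[1:] or host.endswith(spec)
    return host == spec

def _match_port(spec, req):
    if "-" in spec:
        lo, hi = map(int, spec.split("-"))
        return lo <= req.port <= hi
    return req.port == int(spec)

MATCHERS = {"src": _match_src, "dstdomain": _match_dstdomain, "port": _match_port}

def parse_config(text):
    """Collect acl definitions (name -> (type, values)) and http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, token, req):
    negate = token.startswith("!")
    name = token.lstrip("!")
    if name == "all" and name not in acls:  # 'all' is predefined per the conf's comment
        hit = True
    else:
        acl_type, values = acls[name]
        hit = any(MATCHERS[acl_type](v, req) for v in values)
    return hit != negate

def evaluate(acls, rules, req):
    """Return (action, index) of the first http_access line whose ACLs all match."""
    for index, (action, tokens) in enumerate(rules):
        if all(acl_matches(acls, t, req) for t in tokens):
            return action, index
    # Nothing matched: Squid applies the opposite of the last line's action.
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None

ACLS = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.1-192.168.0.254
acl Safe_ports port 80 21 443 591 1025-65535
acl blockedsites dstdomain .squid-cache.org
"""

LESLIE_ORDER = ACLS + """
http_access allow localnet
http_access deny !Safe_ports
http_access allow localhost
http_access deny blockedsites
http_access deny all
"""

FIXED_ORDER = ACLS + """
http_access deny !Safe_ports
http_access deny blockedsites
http_access allow localhost
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    lan_client = Request("192.168.0.10", "www.squid-cache.org")
    for label, conf in (("as posted", LESLIE_ORDER), ("deny first", FIXED_ORDER)):
        acls, rules = parse_config(conf)
        print(label, "->", evaluate(acls, rules, lan_client))
```

The same check on a real box: after reordering squid.conf, "squid -k parse" validates the file and "squid -k reconfigure" reloads it; a request that hits the dstdomain deny then appears in access.log as TCP_DENIED/403, which is the quickest confirmation that the deny line is actually being reached rather than short-circuited by an earlier allow.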
Received on Mon Apr 06 2009 - 14:41:10 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 06 2009 - 12:00:02 MDT