Re: [squid-users] acl dstdomains does not block!

From: Pandu E Poluan <pandu_poluan_at_paninsekuritas.co.id>
Date: Mon, 06 Apr 2009 22:17:00 +0700

Or, alternatively, place "http_access allow localhost" *AFTER*
"http_access deny blockedlist"

That should do the trick, methinks.

Rgds.

[p]

Bharath Raghavendran wrote:
> Were you testing it with a non-localhost client? The only line i can
> see that can affect it is
> "http_access allow localhost" .. which means localhost gets access
> irrespective of the http_access directives that come after this one.
>
> btw, although this is not related to the problem, you have
> "http_access deny all" after "http_access deny blockedlist" ... which
> means even if request isnt in blockedlist, yet it will be denied ...
> which kind of makes blockedlist acl useless .. probably u didnt intend
> that.
>
> -Bharath
>
> 2009/4/6 Leslie Jensen <leslie_at_eskk.nu>
>
>>
>>> Leslie Jensen wrote:
>>>
>>>> Hello
>>>>
>>>> My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine but I
>>>>
>> can't get the folowing to work.
>>
>>>> # acl blocked_sites dstdomain .aftonbladet.se.
>>>> acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
>>>>
>> deny_info ERR_ACCESS_DENIED blocked_sites
>>
>>>> http_access deny blocked_sites
>>>>
>>>> I've tried both to list the domain in squid.conf and in the file
>>>>
>> "/usr/local/etc/squid/dstdomain"
>>
>>>> None of the options seems to work, no blocking occours. If I put in the
>>>>
>> complete path to the ERR_ACCESS_DENIED, I get an error when I do squid
>> -NCd1
>>
>>>> I suspect that maybe the order of the acl's can affect but I need some
>>>>
>> help to diagnose the problem.
>>
>>> Yes order is important. Squid processes http_access stop-down and first
>>>
>> match wins.
>>
>>> ERR_ACCESS_DENIED is the default page displayed for "http_access deny".
>>>
>> you don't have to specify its use.
>>
>>> Amos
>>> --
>>>
>> Do I dare ask if someone will take a look at my conf file?
>>
>> I think I'm going blind looking at my rules! I believe I've done it right,
>> but obviously I have not. I need the acl dstdomain to work and I can't see
>> where I'm wrong.
>>
>> I'v tried to define only one domain and I've tried with a file with domain
>> names, none of them seem to work.
>>
>> I've also considered the order of my rules but I can't get it to work.
>>
>> Please help! Thanks
>>
>> /Leslie
>>
>>
>> ----------------- snip -----------------
>> # Squid listens on the loopback and on
>> # the internal interface (8080 port)
>> #
>> # If you run Squid on a dual-homed machine with an internal
>> # and an external interface we recommend you to specify the
>> # internal address:port in http_port.
>> # This way Squid will only be visible on the internal address.
>> # transparent to work with PF
>> #
>> http_port 8080
>> # http_port 127.0.0.1:8080 transparent
>> # http_port 192.168.0.1:8080 transparent
>> #
>> # Words defined in this tag when matched in the URLs,
>> # directs squid not to query caches.
>> # For example dynamic content - php or asp pages.
>> #
>> hierarchy_stoplist cgi-bin ? php asp
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> #
>> # Specify the amount of RAM, to be used for caching the
>> # so called: In-Transit objects, Hot Objects,
>> # Negative-Cached objects.
>> #
>> cache_mem 1024 MB
>> #
>> # If a file size is less than - 1000 MB,
>> # squid will place it in cache
>> #
>> maximum_object_size 1000 MB
>> #
>> # Define the path to cache directory where all objects
>> # which are to be cached are stored:
>> # 102400 - is the amount of disk space (MB)
>> # to use under /usr/local/squid/cache directory
>> # 16 - is the number of first-level subdirectories
>> # which will be created under the
>> # /usr/local/squid/cache directory
>> # 256 - is the number of second-level
>> # subdirectories which will be created under
>> # each first-level directory
>> #
>> cache_dir ufs /usr/local/squid/cache 102400 16 256
>> #
>> # To disable, enter "none". There are not really
>> # utilities to analyze this data, so you can safely
>> # disable it.
>> #
>> cache_store_log none
>> #
>> # Log client request activities to the
>> # /usr/local/squid/logs/access.log file
>> # using the squid log format
>> #
>> access_log /usr/local/squid/logs/access.log squid
>> #
>> logfile_rotate 2
>> #
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> #
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern (cgi-bin|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> #
>> # Define access control lists
>> # acl all is defined by default in version 3.0 STABLE
>> #
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> #
>> # Allow access from your local network.
>> # Don't write netmask 192.168.0.0/12 in 3.0STABLE
>> #
>> # RFC1918 internal network
>> #
>> acl localnet src 192.168.0.1-192.168.0.254
>> #
>> # Allow localnet access
>> #
>> http_access allow localnet
>> #
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> # acl Safe_ports port 70 # gopher
>> # acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> # acl Safe_ports port 280 # http-mgmt
>> # acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> # acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> acl PURGE method PURGE
>> #
>> # Allowing or Denying access based on defined access lists
>> # Recommended minimum configuration:
>> # Only allow cachemgr access from localhost
>> #
>> http_access allow manager localhost
>> http_access deny manager
>> #
>> # Only allow purge requests from localhost
>> #
>> http_access allow PURGE localhost
>> http_access deny PURGE
>> #
>> # Deny requests to unknown ports
>> #
>> http_access deny !Safe_ports
>> #
>> # Deny CONNECT to other than SSL ports
>> #
>> http_access deny CONNECT !SSL_ports
>> #
>> # Allow the localhost to have access by default
>> #
>> http_access allow localhost
>> #
>> # If we want to block certain sites.
>> #
>> # acl blockedsites dstdomain .aftonbladet.se.
>> acl blockedsites dstdomain .squid-cache.org
>> # acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
>> #
>> # Show message when blocked
>> # deny_info ERR_ACCESS_DENIED blocked_sites
>> #
>> http_access deny blockedsites
>> #
>> # And deny all other access to this proxy
>> #
>> http_access deny all
>> #
>> #
>> # Allow ICP queries from local networks only
>> #
>> icp_access allow localnet
>> icp_access deny all
>> #
>> # Define the hostname that will be shown in
>> # error messages etc.
>> #
>> visible_hostname proxy1.somewhere.com
>> #
>> # Email-address of local cache manager who will receive
>> # mail if the cache dies.
>> #
>> cache_mgr john.doe_at_somewhere.com
>> #
>> # Speed up the writing of some log files
>> #
>> buffered_logs on
>> #
>> coredump_dir /usr/local/squid/cache
>> #
>>
>> ----------------- snip -----------------
>>
>>
>>
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>
>

-- 
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Operations & Audit
Phone : 	+62-21-515-3055 ext 135
Fax : 	+62-21-515-3061
Mobile : 	+62-856-8400-426
e-mail : 	pandu_poluan_at_paninsekuritas.co.id 
<mailto:pandu_poluan_at_paninsekuritas.co.id>
	
	
	
	
Y!M : 	hands0me_irc
MSN : 	si-ganteng_at_live.com
GTalk : 	pandu.cakep_at_gmail.com
Received on Mon Apr 06 2009 - 15:17:40 MDT

This archive was generated by hypermail 2.2.0 : Mon Apr 06 2009 - 12:00:02 MDT