Re: [squid-users] acl dstdomains does not block!

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 07 Apr 2009 20:30:50 +1200

Leslie Jensen wrote:
>
>
>
>> 2009/4/6 Leslie Jensen <leslie_at_eskk.nu>
>>>
>>>> Leslie Jensen wrote:
>>>>> Hello
>>>>>
>>>>> My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine
>>>>> but I
>>> can't get the following to work.
>>>>> # acl blocked_sites dstdomain .aftonbladet.se.
>>>>> acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
>>> deny_info ERR_ACCESS_DENIED blocked_sites
>>>>> http_access deny blocked_sites
>>>>>
>>>>> I've tried both to list the domain in squid.conf and in the file
>>> "/usr/local/etc/squid/dstdomain"
>>>>> None of the options seems to work, no blocking occurs. If I put in
>>>>> the
>>> complete path to the ERR_ACCESS_DENIED, I get an error when I do squid
>>> -NCd1
>>>>> I suspect that maybe the order of the acl's can affect but I need some
>>> help to diagnose the problem.
>>>> Yes order is important. Squid processes http_access top-down and first
>>> match wins.
>>>> ERR_ACCESS_DENIED is the default page displayed for "http_access deny".
>>> you don't have to specify its use.
>>>> Amos
>>>> --
>>> Do I dare ask if someone will take a look at my conf file?
>>>
>>> I think I'm going blind looking at my rules! I believe I've done it
>>> right,
>>> but obviously I have not. I need the acl dstdomain to work and I
>>> can't see
>>> where I'm wrong.
>>>
>>> I've tried to define only one domain and I've tried with a file with
>>> domain
>>> names, none of them seem to work.
>>>
>>> I've also considered the order of my rules but I can't get it to work.
>>>
>>> Please help! Thanks
>>>
>>> /Leslie
>>>
>>>
>>> ----------------- snip -----------------
>>>
>>> ----------------- snip -----------------
>>>
>
> Bharath Raghavendran wrote:
> > Were you testing it with a non-localhost client? The only line I can
> > see that can affect it is
> > "http_access allow localhost" .. which means localhost gets access
> > irrespective of the http_access directives that come after this one.
> >
> > Btw, although this is not related to the problem, you have
> > "http_access deny all" after "http_access deny blockedlist" ... which
> > means even if a request isn't in blockedlist, it will still be denied ...
> > which kind of makes the blockedlist acl useless .. probably you didn't
> > intend that.
> >
> > -Bharath
> >
>
>
> I'm testing with a host on localnet.
>
> No, you are right I did not intend that. How do you suggest I go about
> configuring so that the localnet is affected by the acl blockedlist?
>
> /Leslie

Um, the config you showed simplifies down to:

  allow localhost access anywhere.
  deny anything else. Period.

I think you want:

#
# If we want to block certain sites.
#
# acl blockedsites dstdomain .aftonbladet.se.
acl blockedsites dstdomain .squid-cache.org
# acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
#
# Show message when blocked (ERR_ACCESS_DENIED is already the default
# page for "http_access deny", so this line is optional; the acl name
# here must match the one defined above)
# deny_info ERR_ACCESS_DENIED blockedsites
#
http_access deny blockedsites

# allow localhost and the local network to all other sites.
http_access allow localhost
http_access allow localnet

#
# And deny all other access to this proxy
#
http_access deny all

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
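To see why the rule order matters, here is a small model of Squid's http_access evaluation (first matching line wins, ACLs on one line are ANDed, and when no line matches Squid applies the opposite of the last line's action). This is an added example written for this archive page, not Squid's code or anything posted in the thread. It models only the `src` and `dstdomain` ACL types, and the two squid.conf fragments inside it are constructed: ORIGINAL is the order Bharath describes and CORRECTED is the order Amos suggests, with the acl name `blockedsites` used for both; the 192.168.0.0/16 localnet range is an assumption, since Leslie's acl lines are snipped from the thread.

```python
"""Toy model of Squid http_access evaluation: first matching line wins.

Added example, not Squid's code. It parses only 'acl ... src' and
'acl ... dstdomain' lines plus 'http_access', which is enough to show
why the rule order discussed in the thread never blocked the LAN.
"""
import ipaddress

# Constructed squid.conf fragments. ORIGINAL is the order Bharath describes
# (allow localhost first, then deny blockedsites, then deny all); CORRECTED
# is the order Amos suggests. The 192.168.0.0/16 localnet range is an
# assumption; the thread does not show Leslie's actual acl lines.
ORIGINAL_CONF = """
acl all src all
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16
acl blockedsites dstdomain .squid-cache.org
http_access allow localhost
http_access deny blockedsites
http_access deny all
"""

CORRECTED_CONF = """
acl all src all
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.0/16
acl blockedsites dstdomain .squid-cache.org
http_access deny blockedsites
http_access allow localhost
http_access allow localnet
http_access deny all
"""


def parse_config(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl tokens])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4:
            name, kind, values = words[1], words[2], words[3:]
            if name in acls and acls[name][0] == kind:
                acls[name][1].extend(values)   # repeated acl lines accumulate
            else:
                acls[name] = (kind, list(values))
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
    return acls, rules


def dstdomain_matches(pattern, host):
    """Squid dstdomain semantics: a leading dot matches the domain itself
    and every subdomain; without the dot only the exact host matches."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def src_matches(networks, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(n == "all" or ip in ipaddress.ip_network(n, strict=False)
               for n in networks)


def acl_matches(acls, token, client_ip, host):
    """Evaluate one acl token from an http_access line; '!' negates it."""
    negate = token.startswith("!")
    kind, values = acls[token.lstrip("!")]
    if kind == "src":
        hit = src_matches(values, client_ip)
    elif kind == "dstdomain":
        hit = any(dstdomain_matches(p, host) for p in values)
    else:
        raise ValueError("acl type not modelled: " + kind)
    return hit != negate


def http_access(conf_text, client_ip, host):
    """ACLs on one http_access line are ANDed; the first line whose ACLs
    all match decides. If no line matches, Squid applies the opposite of
    the last line's action, which is why a final 'deny all' matters."""
    acls, rules = parse_config(conf_text)
    for action, tokens in rules:
        if all(acl_matches(acls, t, client_ip, host) for t in tokens):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        for ip, site in (("192.168.1.10", "www.squid-cache.org"),
                         ("192.168.1.10", "www.example.com"),
                         ("127.0.0.1", "www.squid-cache.org")):
            print(f"{label:9} {ip:13} -> {site:22} {http_access(conf, ip, site)}")
```

Running it shows the two symptoms from the thread side by side: with the ORIGINAL order a LAN client is denied everything (so the blocked list is never what does the blocking) while localhost reaches the blocked site because `allow localhost` matched first; with the CORRECTED order the blocked domain is denied for every client and the LAN gets everything else.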
Received on Tue Apr 07 2009 - 07:30:55 MDT