Re: [squid-users] New Admin

From: Ross Kovelman <rkovelman_at_gruskingroup.com>
Date: Fri, 09 Oct 2009 09:29:12 -0400

> From: Amos Jeffries <squid3_at_treenet.co.nz>
> Date: Fri, 09 Oct 2009 18:38:07 +1300
> Cc: <squid-users_at_squid-cache.org>
> Subject: Re: [squid-users] New Admin
>
> Ross Kovelman wrote:
>> 1) Thanks!
>>
>> 2) Here is my ACL and http access lines:
>> acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl our_networks src 192.168.16.0/255.255.255.0
>> acl to_localhost dst 127.0.0.0/8
>> acl workdays time MTWHF 8:30-12:00
>> acl workdays time MTWHF 13:30-18:00
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # Restrict cachemgr access
>> http_access allow manager localhost
>> http_access deny manager
>> # Block access to banned URLs
>> http_access deny bad_url workdays
>> # Allow users access on workdays
>> http_access allow our_networks workdays
>
> The above will not permit network access outside the specific times you
> specified in "workdays".
>
> Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
>
>> #http_access allow out_networks
>> # Deny everything else
>> http_access deny all
>> #
>> #
>> #Recommended minimum configuration:
>
> The following lines are recommended since they ensure safe usage of the
> dangerous features Squid provides. They really should be at the top of
> the config.
> As it stands any of the workers can open a CONNECT tunnel and give
> themselves unlimited access to the Internet.
>
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny bad_url
>> # Deny requests to unknown ports
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>>
>> 4) All I know is going through the squid as a proxy server disables the
>> login prompt. If I just access it without proxy then I get an
>> authentication box.
>
> Sounds like something doing NTLM/Negotiate challenge authentication.
> This is generally broken going through proxies.
>
> You will need to look deeper into what is going on. The access.log and
> cache.log should have more detail.
>
>>
>> 5) Again can you explain this to me for me to get pages blocked to work:
>>>>> Yes. Create an ACL for normal login. Adding it to the end of the line
>>>>> For example:
>>>>> ... login setup
>>>>> acl loginACL proxy_auth REQUIRED
>>>>> http_access deny our_networks bad_url workdays !loginACL
>>
>> 6) Will look into WCCP and BSD...thanks
>>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
> Current Beta Squid 3.1.0.14

1) You say that config will not work, which I understand, but then how can I
get it to work so that the times you listed, 12pm to 1.30pm and 6pm to 8am,
will allow all traffic and all other times in between are locked down?

2) I tried to move the http_access rules up top but when starting squid I
get errors as it does not know what manager is etc.

3) This is the access log:
1255094675.752 21 192.168.16.93 TCP_MISS/401 1938 GET http://xxxx.xxxxx.com/xxxx/WestRegion/default.aspx - DIRECT/255.232.133.202 text/html
Cache log shows this:
2009/10/09 09:26:54| DNS Socket created at 0.0.0.0, port 49200, FD 10
2009/10/09 09:26:54| Adding nameserver 71.250.0.12 from squid.conf
2009/10/09 09:26:54| Adding nameserver 68.237.161.12 from squid.conf
2009/10/09 09:26:54| helperOpenServers: Starting 1 'squid_redirect' processes
2009/10/09 09:26:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
2009/10/09 09:26:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
2009/10/09 09:26:55| WCCP Disabled.
2009/10/09 09:26:55| Loaded Icons.
2009/10/09 09:26:55| eventCleanup
2009/10/09 09:26:55| Ready to serve requests.
Very limited in what it is telling me, or is this the line:
TCP_MISS/401

Thanks

Received on Fri Oct 09 2009 - 13:29:41 MDT
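The two points argued in this exchange, that `acl` lines must precede the `http_access` lines that name them and that an early `allow` makes later `deny` lines unreachable, can be checked with a small first-match model of Squid's `http_access` evaluation. The following is an added example written for this archive page; it is not Squid's code and not something either poster supplied. It loads the ACLs from the thread (with a constructed `.badsite.example` domain standing in for the bad-sites file), evaluates the rule order as posted and a reordered one with the Safe_ports/CONNECT lines at the top and an unconditional LAN allow (an assumed ordering matching the policy asked about in point 1), and reproduces the parse failure seen in point 2. The day letters follow Squid's `time` ACL; the requests and timestamps are constructed.

```python
"""First-match model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from datetime import datetime


def weekday_letter(dt):
    """Squid 'time' ACL day letters: M T W H F A S (Monday .. Sunday)."""
    return "MTWHFAS"[dt.weekday()]


class Squid:
    def __init__(self, config_lines):
        self.acls = {}   # name -> [(type, values)]; same-named acl lines are OR'd
        self.rules = []  # (action, [terms]) in file order
        for line in config_lines:
            words = line.split("#", 1)[0].split()
            if not words:
                continue
            if words[0] == "acl":
                self.acls.setdefault(words[1], []).append((words[2], words[3:]))
            elif words[0] == "http_access":
                for term in words[2:]:  # Squid parses top to bottom: unknown ACL = fatal
                    if term.lstrip("!") not in self.acls:
                        raise ValueError("ACL '%s' used before it is defined" % term.lstrip("!"))
                self.rules.append((words[1], words[2:]))

    def _match(self, kind, vals, req):
        if kind == "src":
            addr = ipaddress.ip_address(req["src"])
            return any(addr in ipaddress.ip_network(v, strict=False) for v in vals)
        if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
            return any(req["host"] == v or (v.startswith(".") and ("." + req["host"]).endswith(v))
                       for v in vals)
        if kind == "port":
            for v in vals:
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
            return False
        if kind == "method":
            return req["method"] in vals
        if kind == "proto":
            return req["proto"] in vals
        if kind == "time":  # [days] h1:m1-h2:m2; the end time is treated as exclusive here
            days = vals[0] if len(vals) == 2 else "SMTWHFA"
            start, end = (tuple(map(int, t.split(":"))) for t in vals[-1].split("-"))
            now = (req["when"].hour, req["when"].minute)
            return weekday_letter(req["when"]) in days and start <= now < end
        raise NotImplementedError(kind)

    def acl_matches(self, name, req):
        return any(self._match(kind, vals, req) for kind, vals in self.acls[name])

    def decide(self, req):
        """First http_access line whose ACLs all match wins; with no match Squid
        applies the opposite of the last line's action."""
        for action, terms in self.rules:
            if all(self.acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        return "deny" if self.rules[-1][0] == "allow" else "allow"


ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.16.0/255.255.255.0
acl workdays time MTWHF 8:30-12:00
acl workdays time MTWHF 13:30-18:00
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl bad_url dstdomain .badsite.example   # constructed stand-in for the bad-sites file
""".splitlines()

# Order as posted: the time-limited allow sits above the Safe_ports/CONNECT
# lines, so a workday request never reaches them.
ORIGINAL_RULES = """
http_access allow manager localhost
http_access deny manager
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
""".splitlines()

# Assumed ordering: safety lines first, workday-only block, then the LAN allow.
REORDERED_RULES = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url workdays
http_access allow our_networks
http_access deny all
""".splitlines()

LUNCH = datetime(2009, 10, 9, 12, 30)  # Friday, inside the 12pm-1.30pm gap (constructed)
WORK = datetime(2009, 10, 9, 9, 26)    # Friday, inside workdays (constructed)


def request(method, host, port, when, src="192.168.16.93"):
    return {"method": method, "host": host, "port": port, "when": when, "src": src, "proto": "http"}


def decisions(rules):
    """Decisions for constructed LAN requests under the given http_access order."""
    s = Squid(ACLS + rules)
    return {
        "lunch_get_80": s.decide(request("GET", "www.example.com", 80, LUNCH)),
        "work_connect_25": s.decide(request("CONNECT", "mail.example.com", 25, WORK)),
        "work_get_bad": s.decide(request("GET", "www.badsite.example", 80, WORK)),
        "lunch_get_bad": s.decide(request("GET", "www.badsite.example", 80, LUNCH)),
    }


def fails_when_acl_is_used_before_definition():
    """Point 2: http_access lines moved above their acl lines do not parse."""
    try:
        Squid(["http_access deny manager"] + ACLS)
        return False
    except ValueError:
        return True
```

Calling `decisions(ORIGINAL_RULES)` shows the two effects Amos describes: a plain GET at 12:30 is denied because the only `allow` line is time-limited, and a workday `CONNECT` to port 25 is allowed because the `allow our_networks workdays` line matches before the `deny CONNECT !SSL_ports` line is ever reached. With `REORDERED_RULES` the port-25 tunnel is denied by the early `!Safe_ports` line, banned domains are blocked only during `workdays`, and everything else from the LAN is allowed around the clock.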
