Re: [squid-users] New Admin

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 10 Oct 2009 11:44:29 +1300

Ross Kovelman wrote:
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> Date: Fri, 09 Oct 2009 18:38:07 +1300
>> Cc: <squid-users_at_squid-cache.org>
>> Subject: Re: [squid-users] New Admin
>>
>> Ross Kovelman wrote:
>>> 1) Thanks!
>>>
>>> 2)Here is my ACL and http access lines:
>>> acl bad_url dstdomain "/xxx/Squid/etc/bad-sites.squid"
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl our_networks src 192.168.16.0/255.255.255.0
>>> acl to_localhost dst 127.0.0.0/8
>>> acl workdays time MTWHF 8:30-12:00
>>> acl workdays time MTWHF 13:30-18:00
>>> acl SSL_ports port 443 563
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> # Restrict cachemgr access
>>> http_access allow manager localhost
>>> http_access deny manager
>>> # Block access to banned URLs
>>> http_access deny bad_url workdays
>>> # Allow users access on workdays
>>> http_access allow our_networks workdays
>> The above will not permit network access outside the specific times you
>> specified in "workdays".
>>
>> Meaning network access is denied 12pm to 1.30pm and 6pm to 8am.
>>
>>> #http_access allow out_networks
>>> # Deny everything else
>>> http_access deny all
>>> #
>>> #
>>> #Recommended minimum configuration:
>> The following lines are recommended since they ensure safe usage of the
>> dangerous features Squid provides. They really should be at the top of
>> the config.
>> As it stands any of the workers can open a CONNECT tunnel and give
>> themselves unlimited access to the Internet.
>>
>>> #
>>> # Only allow cachemgr access from localhost
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny bad_url
>>> # Deny requests to unknown ports
>>> http_access deny !Safe_ports
>>> # Deny CONNECT to other than SSL ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> 4) All I know is going through the squid as a proxy server disables the
>>> login prompt. If I just access it with out proxy then I get an
>>> authentication box.
>> Sounds like something doing NTLM/Negotiate challenge authentication.
>> This is generally broken going through proxies.
>>
>> You will need to look deeper into what is going on. The access.log and
>> cache.log should have more detail.
>>
>>> 5) Again can you explain this to me for me to get pages blocked to work:
>>>>>> Yes. Create an ACL for normal login. Adding it to the end of the line
>>>>>> For example:
>>>>>> ... login setup
>>>>>> acl loginACL proxy_auth REQUIRED
>>>>>> http_access deny our_networks bad_url workdays !loginACL
>>> 6) Will look into WCCP and BSD...thanks
>>>
>> Amos

> 1) You say that config will not work, which I understand, but then how can I
> get it to work so that the times you listed 12pm to 1.30pm and 6pm to 8am
> will allow all traffic. All other times in between is locked down?

You asked earlier about how to allow access ONLY during those times.

Henrik gave you the answer which was to add "http_access allow
our_networks workdays" and you are still using the rule.

Now you are asking why it does exactly what you asked for.

Please read
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes and when
you understand how to use ACL you should be able to resolve the issue
yourself.

>
> 2) I tried to move the http_access rules up top but when starting squid I
> get errors as it does not know what manager is etc.
>

I meant at the top of the http_access section of config, sorry.
The http_access lines still need to be below the acl definitions.

> 3)This is the access log:
> 1255094675.752 21 192.168.16.93 TCP_MISS/401 1938 GET http://xxxx.xxxxx.com/xxxx/WestRegion/default.aspx - DIRECT/255.232.133.202 text/html
> Cache log shows this:
> 2009/10/09 09:26:54| DNS Socket created at 0.0.0.0, port 49200, FD 10
> 2009/10/09 09:26:54| Adding nameserver 71.250.0.12 from squid.conf
> 2009/10/09 09:26:54| Adding nameserver 68.237.161.12 from squid.conf
> 2009/10/09 09:26:54| helperOpenServers: Starting 1 'squid_redirect' processes
> 2009/10/09 09:26:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
> 2009/10/09 09:26:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
> 2009/10/09 09:26:55| WCCP Disabled.
> 2009/10/09 09:26:55| Loaded Icons.
> 2009/10/09 09:26:55| eventCleanup
> 2009/10/09 09:26:55| Ready to serve requests.
> Very limited in what it is telling me, or is this the line:
> TCP_MISS/401
>
> Thanks
>
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.14
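The first-match behaviour that the FAQ page linked above describes, as an added worked example that is not part of the thread and not Squid's own code: a small Python simulator of `http_access` evaluation, fed the ACL definitions from the posted squid.conf and three rule orderings (the posted order, the same lines with the `!Safe_ports` and `CONNECT !SSL_ports` safety rules moved to the top of the http_access section, and a variant built from the commented-out `allow our_networks` line so that access is open outside the two `workdays` ranges). Assumptions: the file-backed `bad_url` list is replaced by one made-up domain (`.badsite.example`); the hostnames `ssh.example.net`, `secure.example.com` and `proxy.example.net` and the request times are constructed; the client address is the one in the posted access.log line; only the `time DAYS h1:m1-h2:m2` form used in the thread is parsed, and the end of the range is treated as inclusive.

```python
"""Simulator of Squid http_access first-match evaluation (added illustration, not Squid code).
Modelled: same-name `acl` lines are OR'd; an http_access line matches when ALL of its terms
match ('!' negates a term); the first matching line decides and later lines are never reached;
when no line matches, the opposite of the last line's action applies."""
import ipaddress
from datetime import datetime

DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}  # Squid day letters -> weekday()

def parse_config(text):
    """Return ({acl_name: [(type, values), ...]}, [(action, [(negated, acl_name), ...]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drops comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def time_matches(values, when):
    """`time DAYS h1:m1-h2:m2` as used in the thread; the end of the range is treated as inclusive (assumption)."""
    days, span = values
    (h1, m1), (h2, m2) = (map(int, hm.split(":")) for hm in span.split("-"))
    return when.weekday() in {DAY_CODES[c] for c in days} and h1 * 60 + m1 <= when.hour * 60 + when.minute <= h2 * 60 + m2

def acl_line_matches(acltype, values, req):
    if acltype in ("src", "dst"):  # ip_network() accepts CIDR and dotted-netmask forms alike
        addr = ipaddress.ip_address(req[acltype])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "dstdomain":  # a leading '.' also matches subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if acltype == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if acltype in ("method", "proto"):
        return req[acltype] in values
    if acltype == "time":
        return time_matches(values, req["when"])
    raise ValueError("unsupported acl type " + acltype)

def evaluate(acls, rules, req):
    """Return (action, index of the deciding http_access line); index None means the default applied."""
    for idx, (action, terms) in enumerate(rules):
        if all(any(acl_line_matches(t, v, req) for t, v in acls[name]) != neg
               for neg, name in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# Constructed config: the ACLs from the posted squid.conf, with the file-backed
# bad_url list replaced by one made-up domain so that the example runs offline.
ACLS = """
acl bad_url dstdomain .badsite.example
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.16.0/255.255.255.0
acl workdays time MTWHF 8:30-12:00
acl workdays time MTWHF 13:30-18:00
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# The posted order: every line after `deny all` is unreachable.
AS_POSTED = """
http_access allow manager localhost
http_access deny manager
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
# The same lines with the port/CONNECT safety rules at the top of the http_access section.
SAFETY_FIRST = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny bad_url workdays
http_access allow our_networks workdays
http_access deny all
"""
# Variant built from the commented-out `allow our_networks` line: open outside the workdays ranges.
OPEN_OUTSIDE_HOURS = SAFETY_FIRST.replace("allow our_networks workdays", "allow our_networks")
WORK = datetime(2009, 10, 9, 10, 0)    # Friday 10:00, inside 8:30-12:00
LUNCH = datetime(2009, 10, 9, 12, 30)  # Friday 12:30, between the two workdays ranges

def request(host, when, port=80, method="GET", src="192.168.16.93"):
    """Constructed request; the default src is the client from the posted access.log line."""
    return {"src": src, "host": host, "port": port, "method": method, "proto": "http", "when": when}

def decide(rules_text, req):
    acls, rules = parse_config(ACLS + rules_text)
    return evaluate(acls, rules, req)
```

`decide(AS_POSTED, request("ssh.example.net", WORK, port=22, method="CONNECT"))` returns `('allow', 3)`: the `allow our_networks workdays` line is reached before the CONNECT safety line, which is the unlimited tunnel the reply above warns about. With `SAFETY_FIRST` the same request returns `('deny', 2)` from `deny !Safe_ports`, a CONNECT to port 8080 returns `('deny', 3)` from `deny CONNECT !SSL_ports`, and a CONNECT to 443 is allowed. A plain GET at 12:30 returns `('deny', 4)` under the posted order because neither `workdays` range matches and `deny all` is the next line; under `OPEN_OUTSIDE_HOURS` the same request is allowed, while the banned domain is still denied during the `workdays` ranges.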
Received on Fri Oct 09 2009 - 22:44:36 MDT

This archive was generated by hypermail 2.2.0 : Sat Oct 10 2009 - 12:00:02 MDT