Re: [squid-users] ACL configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 19 Apr 2010 21:47:21 +1200

Никоноров Григорий wrote:
> Hi,
>
> After the upgrade from 2.7 to 3.0.STABLE8-3 + lenny3, squid stopped blocking
> prohibited sites.

IMO grab the official backport package from
http://www.backports.org/debian/pool/main/s/squid3/ if you can.

>
> My Squid3 conf:
> acl ADMIN proxy_auth "/etc/squid3/users/users.admin"
> acl bad_site url_regex -i "/etc/squid3/bad_site.acl"
>
> bad_site.acl:
> vkontakte\.ru
> odnoklassniki\.ru
> pagewash\.com
> vk\.com

Hmm. Regardless of your squid version those are far better off being
configured as a "dstdomain" ACL type. Regex is Slooooowww.

   acl bad_site dstdomain "/etc/squid3/bad_site.acl"

   bad_site.acl:
   .vkontakte.ru
   .odnoklassniki.ru
   .pagewash.com
   .vk.com

>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow ADMIN !bad_site
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

The above two lines about QUERY are no longer very useful.

Remove them and make sure your *final* two refresh_patterns lines match
the new defaults for squid-3.x:

   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
   refresh_pattern . 0 20% 4320

> http_access deny all
>
>
> 192.168.164.111 - user from group ADMIN
>
> Access log:
> 1271418317.455 103 192.168.164.111 TCP_MISS/302 494 GET http://vkontakte.ru/id000000 user DIRECT/93.186.231.220 text/html
> 1271418317.536 71 192.168.164.111 TCP_MISS/200 3767 GET http://vkontakte.ru/login.php? user DIRECT/93.186.231.220 text/html
> 1271418317.665 5 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/xhead2.gif user DIRECT/93.186.231.220 -
> 1271418317.669 9 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_yellow.gif user DIRECT/93.186.231.222 -
> 1271418317.674 15 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_divider.gif user DIRECT/93.186.231.221 -
> 1271418317.690 35 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.219 -
> 1271418317.714 55 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.77 image/gif
> 1271418321.434 82 192.168.164.111 TCP_MISS/200 5360 GET http://vk.com/ user DIRECT/93.186.231.221 text/html
> 1271418321.476 124 192.168.164.111 TCP_MISS/200 719 GET http://sitecheck2.opera.com/? user DIRECT/91.203.99.45 text/xml
> 1271418322.588 34 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.220 -
> 1271418322.608 54 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.101 image/gif
> 1271418324.221 1670 192.168.164.111 TCP_MISS/200 6368 CONNECT certs.opera.com:443 user DIRECT/91.203.99.57 -
> 1271418324.358 69 192.168.164.111 TCP_MISS/200 738 GET http://login.vk.com/? user DIRECT/93.186.229.129 text/html
> 1271418324.433 56 192.168.164.111 TCP_MISS/200 617 POST http://vk.com/login.php? user DIRECT/93.186.231.222 text/html
>

I can't see any reason why those requests might go through. Is there any
additional http_access configuration anywhere?

If not, try with the backports package and see if it goes away.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Mon Apr 19 2010 - 09:47:30 MDT
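A worked simulation of the ACL difference Amos describes, added here as an example; it is not part of the thread and not Squid's own code. It models Squid's documented dstdomain semantics (a leading dot matches the domain and all its subdomains, a bare name matches only that host) next to the poster's url_regex -i list, parses a few constructed access.log lines in Squid's native format modelled on the ones quoted above, and evaluates the post's http_access chain ("allow ADMIN !bad_site" then "deny all"; the manager and Safe_ports lines are left out). The ADMIN user list and the last three log lines are assumptions. It goes one step beyond the thread: besides speed, url_regex is also the less precise choice, because a regex over the whole URL fires on vk.com appearing in a query string or as the prefix of an unrelated host, which dstdomain does not.

```python
"""Squid dstdomain vs url_regex ACL matching over Squid native access.log lines.

Added example, not from the thread or from Squid. Models the post's chain:
    http_access allow ADMIN !bad_site
    http_access deny all
"""
import re
from urllib.parse import urlsplit

# Domain list in dstdomain form, as suggested in the reply (leading dot = domain + subdomains).
BAD_SITE_DSTDOMAIN = [".vkontakte.ru", ".odnoklassniki.ru", ".pagewash.com", ".vk.com"]

# The poster's original url_regex -i patterns; -i is re.IGNORECASE here.
BAD_SITE_URL_REGEX = re.compile(
    "|".join([r"vkontakte\.ru", r"odnoklassniki\.ru", r"pagewash\.com", r"vk\.com"]),
    re.IGNORECASE,
)

# Assumed content of /etc/squid3/users/users.admin (the thread shows only that "user" is ADMIN).
ADMIN_USERS = {"user"}

# Constructed log lines modelled on the thread's access log; the last three are invented
# to show the regex false positives and an unauthenticated client.
SAMPLE_LOG = """\
1271418317.455 103 192.168.164.111 TCP_MISS/302 494 GET http://vkontakte.ru/id000000 user DIRECT/93.186.231.220 text/html
1271418317.714 55 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.77 image/gif
1271418324.221 1670 192.168.164.111 TCP_MISS/200 6368 CONNECT certs.opera.com:443 user DIRECT/91.203.99.57 -
1271418324.358 69 192.168.164.111 TCP_MISS/200 738 GET http://login.vk.com/? user DIRECT/93.186.229.129 text/html
1271418330.000 40 192.168.164.111 TCP_MISS/200 512 GET http://example.org/go?next=vk.com user DIRECT/192.0.2.10 text/html
1271418331.000 40 192.168.164.111 TCP_MISS/200 512 GET http://vk.com.example.org/ user DIRECT/192.0.2.11 text/html
1271418332.000 40 192.168.164.112 TCP_MISS/200 512 GET http://www.debian.org/ - DIRECT/192.0.2.12 text/html
"""


def parse_native_log(text):
    """Parse Squid native access.log lines (10 whitespace-separated fields) into dicts."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue  # malformed line: skip rather than guess at field positions
        _ts, _elapsed, client, _status, _size, method, url, user, _hier, _ctype = fields
        entries.append({"client": client, "method": method, "url": url, "user": user})
    return entries


def request_host(method, url):
    """Destination host as dstdomain sees it: CONNECT carries host:port, others a full URL."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def dstdomain_match(host, domains):
    """Squid dstdomain semantics: '.example.com' matches example.com and every subdomain;
    a bare 'example.com' matches only that exact host."""
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


def url_regex_match(url):
    """The poster's url_regex ACL: matches anywhere in the full URL, not just the host part."""
    return BAD_SITE_URL_REGEX.search(url) is not None


def http_access(entry, acl_type):
    """Evaluate the post's http_access chain; returns 'allow' or 'deny'."""
    is_admin = entry["user"] in ADMIN_USERS
    if acl_type == "dstdomain":
        bad = dstdomain_match(request_host(entry["method"], entry["url"]), BAD_SITE_DSTDOMAIN)
    else:
        bad = url_regex_match(entry["url"])
    if is_admin and not bad:      # http_access allow ADMIN !bad_site
        return "allow"
    return "deny"                 # http_access deny all


def evaluate(text, acl_type):
    """Map each parsable request URL to its decision under the chosen bad_site ACL type."""
    return {e["url"]: http_access(e, acl_type) for e in parse_native_log(text)}


if __name__ == "__main__":
    for acl_type in ("dstdomain", "url_regex"):
        print(f"--- bad_site as {acl_type} ---")
        for url, decision in evaluate(SAMPLE_LOG, acl_type).items():
            print(f"{decision:5s} {url}")
```

Under either ACL type the vkontakte.ru and login.vk.com requests from the thread evaluate to deny, so with the posted config they should have been logged as TCP_DENIED rather than TCP_MISS; that is the gap Amos is pointing at when he asks about additional http_access lines. The two invented lines show the precision difference: example.org/go?next=vk.com and vk.com.example.org are allowed by dstdomain and wrongly denied by the regex list.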