Re: [squid-users] ACL configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Apr 2010 02:01:00 +1200

Никоноров Григорий wrote:
> Hello, Amos
>
> I installed the latest version of squid3 from backports (unfortunately
> I can't find my problem in the squid3 bugs ...)
> dpkg --list |grep squid3
> ii squid3 3.0.STABLE19-1~bpo50+1 A full featured Web Proxy cache (HTTP proxy)
> ii squid3-common 3.0.STABLE19-1~bpo50+1 A full featured Web Proxy cache (HTTP proxy) - common files
>
> I also deleted the two lines about QUERY...
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> ...and modified my refresh_patterns according to your advice
> refresh_pattern \.doc$ 0 20% 4320
> refresh_pattern \.zip$ 0 20% 4320
> refresh_pattern \.exe$ 0 20% 4320
> refresh_pattern \.rar$ 0 20% 4320
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> I upload my squid.conf for "easy to read" purpose in pastebay.com
> http://pastebay.com/94291 (no virus guys...only my squid.conf :)
>
> p.s. the regex replacement with dstdomain did not help
>
> You wrote on 19 April 2010, 13:47:21:
>> Никоноров Григорий wrote:
>>> Hi,
>>>
>>> After the upgrade from 2.7 to 3.0.STABLE8-3 + lenny3 squid stopped
>>> blocking prohibited sites.
>
>> IMO grab the official backport package from
>> http://www.backports.org/debian/pool/main/s/squid3/ if you can.
>
>>> My Squid3 conf:
>>> acl ADMIN proxy_auth "/etc/squid3/users/users.admin"
>>> acl bad_site url_regex -i "/etc/squid3/bad_site.acl"
>>>
>>> bad_site.acl:
>>> vkontakte\.ru
>>> odnoklassniki\.ru
>>> pagewash\.com
>>> vk\.com
>
>> Hmm. Regardless of your squid version those are far better off being
>> configured as a "dstdomain" ACL type. Regex is Slooooowww.
>
>> acl bad_site dstdomain "/etc/squid3/bad_site.acl"
>
>> bad_site.acl:
>> .vkontakte.ru
>> .odnoklassniki.ru
>> .pagewash.com
>> .vk.com
>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access allow ADMIN !bad_site
>>> acl QUERY urlpath_regex cgi-bin \?
>>> no_cache deny QUERY
>
>> The above two lines about QUERY are no longer very useful.
>
>> Remove them and make sure your *final* two refresh_patterns lines match
>> the new defaults for squid-3.x:
>
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>
>
>>> http_access deny all
>>>
>>>
>>> 192.168.164.111 - user from group ADMIN
>>>
>>> Access log:
>>> 1271418317.455 103 192.168.164.111 TCP_MISS/302 494 GET http://vkontakte.ru/id000000 user DIRECT/93.186.231.220 text/html
>>> 1271418317.536 71 192.168.164.111 TCP_MISS/200 3767 GET http://vkontakte.ru/login.php? user DIRECT/93.186.231.220 text/html
>>> 1271418317.665 5 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/xhead2.gif user DIRECT/93.186.231.220 -
>>> 1271418317.669 9 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_yellow.gif user DIRECT/93.186.231.222 -
>>> 1271418317.674 15 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_divider.gif user DIRECT/93.186.231.221 -
>>> 1271418317.690 35 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.219 -
>>> 1271418317.714 55 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.77 image/gif
>>> 1271418321.434 82 192.168.164.111 TCP_MISS/200 5360 GET http://vk.com/ user DIRECT/93.186.231.221 text/html
>>> 1271418321.476 124 192.168.164.111 TCP_MISS/200 719 GET http://sitecheck2.opera.com/? user DIRECT/91.203.99.45 text/xml
>>> 1271418322.588 34 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.220 -
>>> 1271418322.608 54 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.101 image/gif
>>> 1271418324.221 1670 192.168.164.111 TCP_MISS/200 6368 CONNECT certs.opera.com:443 user DIRECT/91.203.99.57 -
>>> 1271418324.358 69 192.168.164.111 TCP_MISS/200 738 GET http://login.vk.com/? user DIRECT/93.186.229.129 text/html
>>> 1271418324.433 56 192.168.164.111 TCP_MISS/200 617 POST http://vk.com/login.php? user DIRECT/93.186.231.222 text/html
>>>
>
>
>> I can't see any reason why those requests might go through. Is there any
>> additional http_access configuration anywhere?
>
>> If not, try with the backports package and see if it goes away.
>
>> Amos
>

Wading through that config I find the very first http_access:

  acl ncsa_users proxy_auth REQUIRED
  http_access allow ncsa_users

... any user with a valid login has unlimited access through your server.

The http_access rules following that line apply only to non-logged-in
users.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
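The ordering problem Amos points out, shown as an added example that is not part of the thread: a simplified model of Squid's top-down, first-match http_access evaluation, run over the broken order (blanket `allow ncsa_users` first) and a reordered version. The proxy_auth user file and the dstdomain file are replaced with constructed inline values, and `all` is treated as built-in.

```python
# Added example: a simplified model of Squid's first-match http_access
# evaluation. Assumptions: the proxy_auth user file is replaced by an
# inline user "admin" and the dstdomain file by inline domains (constructed).
ACLS = """
acl ncsa_users proxy_auth REQUIRED
acl ADMIN proxy_auth admin
acl bad_site dstdomain .vkontakte.ru .odnoklassniki.ru .pagewash.com .vk.com
"""
# Order from the thread: any logged-in user is allowed before bad_site is checked.
BROKEN_CONF = ACLS + """
http_access allow ncsa_users
http_access allow ADMIN !bad_site
http_access deny all
"""
# Blanket allow moved below the deny, so bad_site applies to every login.
FIXED_CONF = ACLS + """
http_access deny bad_site
http_access allow ncsa_users
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, user, host):
    if name == "all":                       # treated as built-in here
        return True
    kind, values = acls[name]
    if kind == "proxy_auth":                # REQUIRED = any authenticated user
        return user is not None and (values == ["REQUIRED"] or user in values)
    if kind == "dstdomain":                 # ".example.com" = domain + subdomains
        return any(host == v.lstrip(".") or (v[0] == "." and host.endswith(v))
                   for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(conf, user, host):
    """Walk the rules top-down; the first line whose terms all match decides."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), user, host) != t.startswith("!")
               for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's default
```

With the thread's order an authenticated admin reaches vkontakte.ru because the first line already matched; after reordering the same request is denied while other destinations stay allowed.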
Received on Mon Apr 19 2010 - 14:01:09 MDT