Re: [squid-users] ACL blocks http, but not https

From: Marc Muehlfeld <Marc.Muehlfeld_at_medizinische-genetik.de>
Date: Wed, 27 Oct 2010 11:24:38 +0200

One more piece of information: I enabled debugging and got the following information:

2010/10/27 11:22:36| The request CONNECT www.facebook.com:443 is ALLOWED,
because it matched 'MyNetworkMR_Clt'

But why does it match 'MyNetworkMR_Clt' and not the rule 'blocked_urls'?

On 26.10.2010 14:12, Marc Muehlfeld wrote:
> Hello,
>
> I have blocked some URLs through a url_regex acl, which works if the URL
> contains any protocol except https.
>
> The "blocked_urls.lst" file contains lines like:
> ([^\/]\.facebook\.com\/|[^\/]\.facebook\.com$|^.*://facebook\.com)+
> I've tested the regex using an online regex tester: "http://www.facebook.com"
> and "https://www.facebook.com" both match. But the https address can be
> reached, so I think, there must be a problem in my configuration (see below).
>
> I use 2.6.STABLE21 on CentOS 5.
>
> Regards,
> Marc
>
> # Define networks "all" and "localhost"
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
>
> # Default ports we allow
> acl Safe_ports port 21
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 8080
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> acl manager proto cache_object
> http_access allow manager localhost
> http_access deny manager
>
> # Deny CONNECT to other than SSL ports
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
>
> # Block access from all IPs to URLs out of this file
> acl blocked_urls url_regex "/etc/squid/blocked_urls.lst"
> deny_info ERR_BLOCKED_PRIVATE blocked_urls
> http_access deny all blocked_urls
>
> # Allow access from all of our subnets
> acl MyNetworkMR_Srv src 192.168.29.0/24
> acl MyNetworkMR_Clt src 10.1.0.0/21
> http_access allow MyNetworkMR_Srv
> http_access allow MyNetworkMR_Clt
>
> # Allow access from localhost
> http_access allow localhost
>
> # Finally deny all other access to this proxy
> http_access deny all
>
>

-- 
Marc Muehlfeld (IT-Leiter)
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
Received on Wed Oct 27 2010 - 09:24:44 MDT
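
Why the CONNECT request in the debug line above slips past the quoted url_regex, as an added example that is not part of the original message: for HTTPS the proxy only sees `host:port`, so a pattern that needs `://`, a trailing `/`, or end-of-string right after `.com` has nothing to match. The function names are illustrative, and `dstdomain_matches` is a simplified model of Squid's `dstdomain` ACL type (e.g. `acl blocked_domains dstdomain .facebook.com`), which compares the host only.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the blocked_urls.lst line quoted in the message.
BLOCKED_URLS = re.compile(
    r"([^\/]\.facebook\.com\/|[^\/]\.facebook\.com$|^.*://facebook\.com)+"
)


def proxy_request(browser_url):
    """Return (method, string the proxy sees) for a URL typed in a browser."""
    parts = urlsplit(browser_url)
    if parts.scheme == "https":
        # HTTPS is tunnelled: the proxy receives "CONNECT host:port" only,
        # with no scheme and no path (compare the debug line in the message).
        return "CONNECT", f"{parts.hostname}:{parts.port or 443}"
    return "GET", browser_url


def url_regex_matches(seen):
    """Model of the url_regex ACL: regex search over the string the proxy sees."""
    return BLOCKED_URLS.search(seen) is not None


def dstdomain_matches(seen, domain=".facebook.com"):
    """Simplified model of a dstdomain ACL: host only, no scheme/port/path."""
    host = urlsplit(seen if "://" in seen else "//" + seen).hostname or ""
    return host == domain.lstrip(".") or host.endswith(domain)


def evaluate(browser_url):
    """Return (method, seen, url_regex result, dstdomain result)."""
    method, seen = proxy_request(browser_url)
    return method, seen, url_regex_matches(seen), dstdomain_matches(seen)


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("http://www.facebook.com/", "https://www.facebook.com/"):
        print(evaluate(url))
```

An online regex tester is fed the literal string `https://www.facebook.com`, which the pattern does match; the proxy never receives that string for an HTTPS request.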
