Re: [squid-users] Block HTTPS website

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 21 May 2011 01:06:51 +1200

On 20/05/11 21:54, Malvin Rito wrote:
> Here is my config:
>

Okay, should have worked where you placed it.

What you need to do is add ".facebook.com" on a line in
/etc/squid/restricted-sites.acl
That will block facebook.com access for both HTTP and HTTPS with your
config. The "." at the start of the value is important.

Also, check that there is no ".com" or ".facebook.com" entry in
/etc/squid/whitelist.acl

NOTE: Blocking HTTPS only works if the browser is passing HTTPS through
Squid. If the browser is going directly to port 443 on its own, Squid
cannot help.

The config as a whole has a lot of speed problems. The rest of this mail
is some extra hints about changes that will speed up the proxy ...

<snip>
> #Allow certain Host on denied site
> acl NO_RESTRICTIONS src 172.16.9.52
> acl NO_RESTRICTIONS src 172.16.9.121
> acl NO_RESTRICTIONS src 172.16.9.199
> acl NO_RESTRICTIONS src 172.16.9.106
> acl NO_RESTRICTIONS src 172.16.9.122
> acl NO_RESTRICTIONS src 172.16.9.100
> acl NO_RESTRICTIONS src 172.16.9.244
> acl NO_RESTRICTIONS src 172.16.9.241
> acl NO_RESTRICTIONS src 172.16.9.239
> acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to
>
> # unblock some sites during launch time
> acl LUNCHTIME time MTWHFSA 12:01-13:00
> acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
> acl OFFICEHOUR2 time MTWHFSA 00:01-12:00
>
> no_cache deny all

"no_cache" is obsolete.
If you want to not cache, change it to "cache deny all".

If you want Squid to optimize speed a bit by caching some items for fast
re-use remove the line.

> acl whitelist dstdomain "/etc/squid/whitelist.acl"
>
<snip>
> #Block Restricted Websites by Domain Name
> acl BadSites dstdomain "/etc/squid/restricted-sites.acl"
> deny_info ERR_BLOCKED_SITES BadSites
<snip>
>
> #Block Restricted Websites by IP Address
> acl BadSitesIP dstdomain "/etc/squid/restricted-IPaddress.acl"
> deny_info ERR_BLOCKED_SITES BadSitesIP

You can drop the "BadSitesIP" ACL entirely.

Add this instead:
   acl BadSites dstdomain "/etc/squid/restricted-IPaddress.acl"

NP: there are also http_access changes which need to happen with that
name change.

<snip>
> http_access allow whitelist

I assume "NO_RESTRICTIONS" means you want those hosts not to be restricted.

To do that you want to put this line here:
   http_access allow NO_RESTRICTIONS

... then you can remove it from all the later http_access lines:

> http_access deny blockfiles !NO_RESTRICTIONS
> http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
> http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
> #http_access deny restricted_HTTPS_sites OFFICEHOUR1
> #http_access deny restricted_HTTPS_sites OFFICEHOUR2
> http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
> http_access deny BadSitesIP !NO_RESTRICTIONS
> http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS
>
<snip>

Those few dozen "Team" http_access lines can be combined into one single
ACL. Like this:

  #Joy Team
  acl RestrictedHost src 172.16.9.82 # jcpinto
  acl RestrictedHost src 172.16.9.86 # _mmvillar
  acl RestrictedHost src 172.16.9.116 # _djcarino

  #nINETH Team
  acl RestrictedHost src 172.16.9.85 # _ebinay

  #Thes Team
  #acl RestrictedHost src 172.16.9.90 # _aaquino
  acl RestrictedHost src 172.16.9.91 # _rbasa
  acl RestrictedHost src 172.16.9.81 # _jbadong
  acl RestrictedHost src 172.16.9.104 # _dbalino
  #acl RestrictedHost src 172.16.9.115 # _rfrancisco

  #Richard A. Team
  #acl RestrictedHost src 172.16.9.101 # _raraw
  acl RestrictedHost src 172.16.9.35 # _lmusni
  acl RestrictedHost src 172.16.9.100 # _mmendoza

  #Jhun Team
  acl RestrictedHost src 172.16.9.119 # _jcruzado
  acl RestrictedHost src 172.16.9.109 # _glustre
  acl RestrictedHost src 172.16.9.111 # _jrmaganis
  acl RestrictedHost src 172.16.9.252 # _earellano
  acl RestrictedHost src 172.16.9.80 # _jmprimicias

  #Ranel Team
  acl RestrictedHost src 172.16.9.114 # _jbautista
  acl RestrictedHost src 172.16.9.117 # _jlmallari
  acl RestrictedHost src 172.16.9.118 # _dcuna

  #Marge Team
  acl RestrictedHost src 172.16.9.92 # _vescolano
  #acl RestrictedHost src 172.16.9.87 # _eselda

  http_access deny RestrictedHost

Taddah! About 15 times faster.

<snip>
> # --------END OF ALT CLADDING, INC. ACL
> DEFINITION-------------------------------------------
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Hmm, you can drop the "localnet" ACL completely.
You defined it already with your own name of "lan".

> #
> acl TOR_PORT1 port 9001
> acl TOR_PORT2 port 9030
> acl TOR_PORT3 port 9051
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports

Instead of making new ACLs and checking them separately you can just
alter the Safe_ports to exclude TOR.

Remove:
   acl Safe_ports port 1025-65535 # unregistered ports

Add:
  acl Safe_ports port 1025-9000
  acl Safe_ports port 9002-9029
  acl Safe_ports port 9031-9050
  acl Safe_ports port 9052-65535

Now you can also remove the TOR_PORT* http_access lines later on.

> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # TAG: http_access
> # Allowing or Denying access based on defined access lists
> #
> # Access to the HTTP port:
> # http_access allow|deny [!]aclname ...
> #
> # NOTE on default values:
> #
> # If there are no "access" lines present, the default is to deny
> # the request.
> #
> # If none of the "access" lines cause a match, the default is the
> # opposite of the last line in the list. If the last line was
> # deny, the default is allow. Conversely, if the last line
> # is allow, the default will be deny. For these reasons, it is a
> # good idea to have an "deny all" or "allow all" entry at the end
> # of your access lists to avoid potential confusion.
> #
> #Default:
> # http_access deny all
> #
> #Recommended minimum configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny TOR_PORT1
> http_access deny TOR_PORT2
> http_access deny TOR_PORT3
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>

Hmm, this is where the whole section earlier called "ALT CLADDING, INC.
ACL DEFINITION" is supposed to be. Right after the security checks that
the host is behaving itself (safe SSL and port usage).

> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet

"localnet" can be erased since you are calling it "lan" instead.

>
> # And finally deny all other access to this proxy
>
> # -----------------------------
> # DEFINED FOR ALT CLADDING
> http_access allow localhost
> http_access allow lan
> # -----------------------------
>
>
> http_access deny all
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
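An added example, not from this thread or from the Squid project: a small Python model of Squid's first-match http_access evaluation using the ACL names from the reply above. It shows the leading dot in a dstdomain entry matching subdomains, the early `allow NO_RESTRICTIONS` line making the later `!NO_RESTRICTIONS` qualifiers redundant, and the split Safe_ports ranges rejecting the TOR ports without separate TOR_PORT* ACLs. The addresses, the domain lists and the 172.16.9.0/24 "lan" network are constructed assumptions, and the time-based ACLs are left out.

```python
from ipaddress import ip_address, ip_network

def dstdomain_match(entries, host):
    """Squid dstdomain: '.example.com' matches example.com and every
    subdomain; an entry without the leading dot matches only that host."""
    host = host.lower()
    return any((host == e[1:] or host.endswith(e)) if e.startswith(".")
               else host == e for e in entries)

def in_ranges(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)

# ACL contents modelled on the thread (addresses and domains are constructed).
NO_RESTRICTIONS = [ip_network("172.16.9.52/32"), ip_network("172.16.9.121/32")]
LAN = [ip_network("172.16.9.0/24")]          # assumed client network
BAD_SITES = [".facebook.com"]      # restricted-sites.acl, leading dot included
WHITELIST = [".example.org"]       # whitelist.acl
# Safe_ports with the split ranges that leave out TOR ports 9001/9030/9051.
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (1025, 9000), (9002, 9029), (9031, 9050), (9052, 65535)]

ACLS = {
    "NO_RESTRICTIONS": lambda r: any(ip_address(r["src"]) in n for n in NO_RESTRICTIONS),
    "lan":             lambda r: any(ip_address(r["src"]) in n for n in LAN),
    "whitelist":       lambda r: dstdomain_match(WHITELIST, r["host"]),
    "BadSites":        lambda r: dstdomain_match(BAD_SITES, r["host"]),
    "Safe_ports":      lambda r: in_ranges(SAFE_PORTS, r["port"]),
    "SSL_ports":       lambda r: r["port"] == 443,
    "CONNECT":         lambda r: r["method"] == "CONNECT",
    "all":             lambda r: True,
}

# http_access lines in the order recommended in the reply; "!name" negates.
HTTP_ACCESS = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["NO_RESTRICTIONS"]),   # exempt hosts exit here ...
    ("allow", ["whitelist"]),
    ("deny",  ["BadSites"]),          # ... so no !NO_RESTRICTIONS needed below
    ("allow", ["lan"]),
    ("deny",  ["all"]),
]

def http_access(req):
    """First match wins; a line matches only if every ACL on it matches.
    With no match, Squid applies the opposite of the last line's action."""
    for action, terms in HTTP_ACCESS:
        if all(not ACLS[t[1:]](req) if t.startswith("!") else ACLS[t](req)
               for t in terms):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

An HTTPS request only reaches these rules as a CONNECT to port 443 through the proxy; a browser that goes directly to port 443 is never evaluated at all.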
Received on Fri May 20 2011 - 13:06:58 MDT

This archive was generated by hypermail 2.2.0 : Mon May 23 2011 - 12:00:02 MDT