On 20/09/2012 10:50 p.m., Jaime Gomez wrote:
> Hi Amos,
> Thanks for your quick response. I try to answer all your questions:
> 1.- Yes, the Chrome requests show up in squid access.log
> 2.- The Required issue: you are right. It was my fault. I didn't check
> the conf file properly.
> 3.- WebUsers group content: people that are not allowed to visit
> certain web pages. For instance: john.doe
"not" allowed? but you use it only in an "allow" context. If it matches
anything the user will be allowed unlimited access. Also note that ident
is a user-supplied detail, meaning knowledgable users are free to set
their own IDENT reponse text.
> SocialNet: web pages like this: .facebook.com, .twitter.com and so on.
> 4.- That is the end of the file. Am I missing something?
There is no "http_access deny all" to clarify that it is the end of the
config. Just checking that you did not have anything else to allow stuff.
Amos
> Thanks in advance,
> Regards,
> Jaime.
>
> >>> El día 20/09/2012 a las 5:39, en el mensaje
> <505A8FED.8070309_at_treenet.co.nz>, Amos Jeffries <squid3_at_treenet.co.nz>
> escribió:
> On 19/09/2012 9:18 p.m., Jaime Gomez wrote:
> > Hi Amos,
> >
> > You are right, I didn't explain myself properly. We use ident to
> identify our users. One user with IE or firefox wants to go to one
> Facebook. He receives a wonderful deny message saying that he is not
> allowed. Same user with Chrome does the same and he is able to access
> to Facebook. After doing some research I found out that this only
> happens if I use https.
>
> Are the Chrome requests showing up in squid access.log?
>
> > Here is the conf file. I've made a little modifications just to show
> the important things:
> >
> > cache_effective_user proxy
> > cache_effective_group proxy
> > visible_hostname x.x.x.x
> > unique_hostname x.x.x.x
> > coredump_dir /data/squid
> >
> > http_port 3128
> > cache_access_log /data/squid/logs/access.log
> > cache_access_log /data/squid/logs/access.log
> > cache_store_log /data/squid/logs/store.log
> > cache_log /data/squid/logs/cache.log
> > pid_filename /data/squid/logs/squid.pid
> > logfile_rotate 2
> > via off
> > forwarded_for off
> >
> > dns_nameservers x.x.x.x
> > positive_dns_ttl 8 hours
> > negative_dns_ttl 30 seconds
> >
> > cache_replacement_policy heap LFUDA
> > cache_swap_low 90
> > cache_swap_high 95
> > maximum_object_size_in_memory 20 KB
> > cache_dir aufs /data/squid/cache 16000 16 256
> > cache_mem 16 MB
> > memory_pools off
> > maximum_object_size 64 MB
> > quick_abort_min 0 KB
> > quick_abort_max 0 KB
> > log_icp_queries off
> > client_db off
> > buffered_logs on
> > half_closed_clients off
> > negative_ttl 0 minutes
> >
> > external_acl_type myIdent children=15 %SRC %IDENT /usr/bin/perl
> /data/squid/scripts/myIdentUsers.pl
> > acl ident_auth external myIdent REQUIRED
>
> "REQUIRED" ? looks like you do not understand what is going on.
>
> 'REQUIRED' is a magic value for proxy_auth ACL type. It has nothing to
> do with any others.
>
> When used on the external ACL, the helper will be passed the three
> strings: client IP address, client provided IDENT label, ... and the
> textual word "REQUIRED".
>
>
> >
> > acl WebUsers ident "/data/squid/groups/WebUsers"
> >
> > acl Socialnet dstdomain "/data/squid/blacklists/socialnet/domains"
>
> and what is this files content?
>
> >
> > http_access deny Socialnet
> >
> > http_access allow WebUsers
>
>
> anything else afterwards?
>
>
> Amos
>
> >
> > Thanks for your help.
> >
> > Regards.
> >
> >>>> Amos Jeffries <squid3_at_treenet.co.nz> 19/09/2012 2:53 >>>
> > On 19/09/2012 1:45 a.m., Jaime Gomez wrote:
> >> Hi all,
> >>
> >> We have a very weird issue. I've been googling but couldn't find
> the answer. We have our Squid (Squid Cache: Version 3.1.18) configured
> in order to do some content filter. For instance: some people can
> access Facebook and other social Webpages while others don't. The
> weird issue is that people with Chrome can skip this acl. With IE and
> Firefox it works. How is this possible?
> > It might be because you configured it to happen. Or that Chrome is
> > simply not using the proxy.
> >
> > Some information about what your configuration actually is would help
> > (details please).
> >
> > Amos
> >
>
Received on Thu Sep 20 2012 - 11:28:02 MDT
This archive was generated by hypermail 2.2.0 : Thu Sep 20 2012 - 12:00:04 MDT