> Shelton, may be the tag
> http_access allow our_network
> should go after and not before (or may be you don't need it at all)
> http_access denied custom_denied_domains dst
> "etc/squid/denied_domains.acl"
>
>
> hope to be helpful.
> i'm a beginner.
> Regards,
> Felix Lazaro Carbonell
>> Site filtering issue
>
>> I am having issues with filtering of my websites. I have setup squid
>> 2.6.STABLE17 over a Fedora 8 machine. Below is my squid.conf file.
>> Squid seems to log all sites that are going out from other stations
>> but does not filter and of the sites. They all go through.
>> My denied_domains.acl has
>> .youtube.com
>> .hotmail.com
>> .live.com
>> But these sites don't seem to get blocked out. I had also issues this
>> command thinking that it was to do with Iptables
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
>> 192.168.1.1:3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
>> --to-port 3128
>
>> Initially squid wouldn't work; everything would be blocked so I
>> disable the firewall which allowed access. SO I put a custom allow to
>> port 3128 which opened it up but to all sites.
>
>> --------------
>> squid.conf
>> --------------
>> visible_hostname vanderpolgroup
>
>> http_port 3128
>
>> maximum_object_size 32768 KB
>> maximum_object_size_in_memory 128 KB
>
>> cache_mem 256 MB
>> cache_dir ufs /var/spool/squid 70000 32 512
>
>> cache_access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl our_network src 192.168.10.0/24
>> acl to_localhost dst 127.0.0.0/8
>
>> acl SSL_ports port 443 # SSL
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 563 70
>> acl CONNECT method CONNECT
>
>
>> acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
>> acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"
>
>> acl ads_blacklist dstdom_regex "/etc/squid/blacklist/ads/domains"
>> acl aggressive_blacklist dstdom_regex
>> "/etc/squid/blacklist/aggressive/domains"
>> acl audio-video_blacklist dstdom_regex
>> "/etc/squid/blacklist/audio-video/domains"
>> acl drugs_blacklist dstdom_regex "/etc/squid/blacklist/drugs/domains"
>> acl gambling_blacklist dstdom_regex
>> "/etc/squid/blacklist/gambling/domains"
>> acl hacking_blacklist dstdom_regex
>> "/etc/squid/blacklist/hacking/domains"
>> acl mail_blacklist dstdom_regex "/etc/squid/blacklist/mail/domains"
>> acl porn_blacklist dstdom_regex "/etc/squid/blacklist/porn/domains"
>> acl proxy_blacklist dstdom_regex "/etc/squid/blacklist/proxy/domains"
>> acl redirector_blacklist dstdom_regex
>> "/etc/squid/blacklist/redirector/domains"
>> acl spyware_blacklist dstdom_regex
>> "/etc/squid/blacklist/spyware/domains"
>> acl suspect_blacklist dstdom_regex
>> "/etc/squid/blacklist/suspect/domains"
>> acl violence_blacklist dstdom_regex
>> "/etc/squid/blacklist/violence/domains"
>> acl warez_blacklist dstdom_regex "/etc/squid/blacklist/warez/domains"
>> acl networking_blacklist dstdom_regex
>> "/etc/squid/blacklist/networking/domains"
Please go through those lists carefully and consider if you actually
for-real need the regex. 'dstdomain' can take whole domains or wildcard
sub-domains and is VERY much more efficient than any regex.
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow our_network
>> http_access deny all
None of the http_access lines after this will ever match. 'deny all' does
exactly what it sounds like.
You want 'deny all' to be the very last http_access config line.
And the 'allow our_network' should probably join it at the end. Perhapse
with a 'deny !our_network' left here to speed up denial of external
connection attempts.
>> icp_access allow all
>> #miss_access allow all
>
>> http_access allow custom_allowed_domains
>> http_access deny custom_denied_domains
>
>> http_access deny ads_blacklist
>> http_access deny aggressive_blacklist
>> http_access deny audio-video_blacklist
>> http_access deny drugs_blacklist
>> http_access deny gambling_blacklist
>> http_access deny hacking_blacklist
>> http_access deny mail_blacklist
>> http_access deny porn_blacklist
>> http_access deny proxy_blacklist
>> http_access deny redirector_blacklist
>> http_access deny spyware_blacklist
>> http_access deny suspect_blacklist
>> http_access deny violence_blacklist
>> http_access deny warez_blacklist
>> http_access deny networking_blacklist
>
>> cache_mgr abc_at_abc.com
>
>
>> Thanks
>> Sheldon
>
>
>
>
>
>
Received on Thu May 22 2008 - 03:27:55 MDT
This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT