Re: [squid-users] acl dstdomains does not block!

From: Pandu E Poluan <pandu_poluan_at_paninsekuritas.co.id>
Date: Mon, 06 Apr 2009 21:25:08 +0700

I see that the very first http_access is this:

http_access allow localnet

That means all requests coming from the localnet will be allowed. Assuming you've set localnet correctly (i.e. the IP address range covers your LAN), then that rule practically allows every URL; the http_access directives after that will not be processed.

CMIIW

Rgds

[p]

Leslie Jensen wrote:
>
>> Leslie Jensen wrote:
>>
>>> Hello
>>>
>>> My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine but I
>>> can't get the following to work.
>>>
>>> # acl blocked_sites dstdomain .aftonbladet.se.
>>> acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
>>> deny_info ERR_ACCESS_DENIED blocked_sites
>>> http_access deny blocked_sites
>>>
>>> I've tried both to list the domain in squid.conf and in the file
>>> "/usr/local/etc/squid/dstdomain"
>>>
>>> None of the options seems to work, no blocking occurs. If I put in the
>>> complete path to the ERR_ACCESS_DENIED, I get an error when I do squid
>>> -NCd1
>>>
>>> I suspect that maybe the order of the acl's can affect but I need some
>>> help to diagnose the problem.
>>
>> Yes order is important. Squid processes http_access top-down and first
>> match wins.
>>
>> ERR_ACCESS_DENIED is the default page displayed for "http_access deny".
>> you don't have to specify its use.
>>
>> Amos
>> --
>>
>
> Do I dare ask if someone will take a look at my conf file?
>
> I think I'm going blind looking at my rules! I believe I've done it right,
> but obviously I have not. I need the acl dstdomain to work and I can't see
> where I'm wrong.
>
> I've tried to define only one domain and I've tried with a file with domain
> names, none of them seem to work.
>
> I've also considered the order of my rules but I can't get it to work.
>
> Please help! Thanks
>
> /Leslie
>
>
> ----------------- snip -----------------
> # Squid listens on the loopback and on
> # the internal interface (8080 port)
> #
> # If you run Squid on a dual-homed machine with an internal
> # and an external interface we recommend you to specify the
> # internal address:port in http_port.
> # This way Squid will only be visible on the internal address.
> # transparent to work with PF
> #
> http_port 8080
> # http_port 127.0.0.1:8080 transparent
> # http_port 192.168.0.1:8080 transparent
> #
> # Words defined in this tag when matched in the URLs,
> # directs squid not to query caches.
> # For example dynamic content - php or asp pages.
> #
> hierarchy_stoplist cgi-bin ? php asp
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> #
> # Specify the amount of RAM, to be used for caching the
> # so called: In-Transit objects, Hot Objects,
> # Negative-Cached objects.
> #
> cache_mem 1024 MB
> #
> # If a file size is less than - 1000 MB,
> # squid will place it in cache
> #
> maximum_object_size 1000 MB
> #
> # Define the path to cache directory where all objects
> # which are to be cached are stored:
> # 102400 - is the amount of disk space (MB)
> # to use under /usr/local/squid/cache directory
> # 16 - is the number of first-level subdirectories
> # which will be created under the
> # /usr/local/squid/cache directory
> # 256 - is the number of second-level
> # subdirectories which will be created under
> # each first-level directory
> #
> cache_dir ufs /usr/local/squid/cache 102400 16 256
> #
> # To disable, enter "none". There are not really
> # utilities to analyze this data, so you can safely
> # disable it.
> #
> cache_store_log none
> #
> # Log client request activities to the
> # /usr/local/squid/logs/access.log file
> # using the squid log format
> #
> access_log /usr/local/squid/logs/access.log squid
> #
> logfile_rotate 2
> #
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> #
> # Define access control lists
> # acl all is defined by default in version 3.0 STABLE
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Allow access from your local network.
> # Don't write netmask 192.168.0.0/12 in 3.0STABLE
> #
> # RFC1918 internal network
> #
> acl localnet src 192.168.0.1-192.168.0.254
> #
> # Allow localnet access
> #
> http_access allow localnet
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> # acl Safe_ports port 70 # gopher
> # acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> # acl Safe_ports port 280 # http-mgmt
> # acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> # acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> #
> # Allowing or Denying access based on defined access lists
> # Recommended minimum configuration:
> # Only allow cachemgr access from localhost
> #
> http_access allow manager localhost
> http_access deny manager
> #
> # Only allow purge requests from localhost
> #
> http_access allow PURGE localhost
> http_access deny PURGE
> #
> # Deny requests to unknown ports
> #
> http_access deny !Safe_ports
> #
> # Deny CONNECT to other than SSL ports
> #
> http_access deny CONNECT !SSL_ports
> #
> # Allow the localhost to have access by default
> #
> http_access allow localhost
> #
> # If we want to block certain sites.
> #
> # acl blockedsites dstdomain .aftonbladet.se.
> acl blockedsites dstdomain .squid-cache.org
> # acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
> #
> # Show message when blocked
> # deny_info ERR_ACCESS_DENIED blocked_sites
> #
> http_access deny blockedsites
> #
> # And deny all other access to this proxy
> #
> http_access deny all
> #
> #
> # Allow ICP queries from local networks only
> #
> icp_access allow localnet
> icp_access deny all
> #
> # Define the hostname that will be shown in
> # error messages etc.
> #
> visible_hostname proxy1.somewhere.com
> #
> # Email-address of local cache manager who will receive
> # mail if the cache dies.
> #
> cache_mgr john.doe_at_somewhere.com
> #
> # Speed up the writing of some log files
> #
> buffered_logs on
> #
> coredump_dir /usr/local/squid/cache
> #
>
> ----------------- snip -----------------

-- 
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Operations & Audit
Phone : +62-21-515-3055 ext 135
Fax : +62-21-515-3061
Mobile : +62-856-8400-426
e-mail : pandu_poluan_at_paninsekuritas.co.id
Y!M : hands0me_irc
MSN : si-ganteng_at_live.com
GTalk : pandu.cakep_at_gmail.com
Received on Mon Apr 06 2009 - 14:43:46 MDT
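Added example (not part of the original thread, and not Squid's own code): a small Python model of the http_access evaluation the thread hinges on, run over a constructed excerpt of the posted ACLs. It implements the documented rules Amos refers to: http_access lines are checked top-down, every ACL on a line must match (a leading "!" negates one), the first matching line decides, and if no line matches the result is the opposite of the last line's action. It also models the dstdomain leading-dot convention (".example.com" matches example.com and its subdomains; "example.com" matches that exact host). The Request class and both config strings are assumptions made for the example; the file-based dstdomain list and the manager/PURGE lines are left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:                # hypothetical request model, not a Squid structure
    src_ip: str
    host: str
    port: int
    method: str = "GET"


# Constructed excerpt of the poster's ACLs (the file-based dstdomain list is left out).
ACLS = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.1-192.168.0.254
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl blockedsites dstdomain .squid-cache.org
"""
RULES_COMMON = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny blockedsites
"""
# The poster's ordering: the bare "allow localnet" is evaluated before everything else.
ORIGINAL_ORDER = ACLS + "http_access allow localnet\n" + RULES_COMMON + "http_access deny all\n"
# Same lines with the LAN allow moved below the dstdomain deny.
FIXED_ORDER = ACLS + RULES_COMMON + "http_access allow localnet\nhttp_access deny all\n"


def parse(text):
    """Return ({acl name: (type, values)}, [(action, [(negated, name)], line)])."""
    acls = {"all": ("all", [])}              # 'all' is built in from Squid 3.0
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if name in acls and acls[name][0] != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acls.setdefault(name, (kind, []))[1].extend(values)   # repeats append
        elif words[0] == "http_access":
            terms = []
            for t in words[2:]:
                negated, name = t.startswith("!"), t.lstrip("!")
                if name not in acls:
                    raise ValueError(f"{name}: acl used before it is defined")
                terms.append((negated, name))
            rules.append((words[1], terms, line))
    return acls, rules


def src_match(values, ip):
    addr = ipaddress.ip_address(ip)
    for v in values:
        if "-" in v:                          # a-b range form, as in the posted localnet
            lo, hi = (ipaddress.ip_address(p) for p in v.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(v, strict=False):
            return True
    return False


def domain_match(values, host):
    """'.example.com' matches example.com and any subdomain; without the dot, exact host only."""
    host = host.lower().rstrip(".")
    for v in values:
        v = v.lower()
        if v.startswith(".") and (host == v[1:] or host.endswith(v)):
            return True
        if not v.startswith(".") and host == v:
            return True
    return False


def port_match(values, port):
    for v in values:
        lo, _, hi = v.partition("-")          # "443" or "1025-65535"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acl, req):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        return src_match(values, req.src_ip)
    if kind == "dstdomain":
        return domain_match(values, req.host)
    if kind == "port":
        return port_match(values, req.port)
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    raise ValueError(f"acl type {kind} not modelled here")


def http_access(config_text, req):
    """First matching http_access line wins; returns (decision, matching line)."""
    acls, rules = parse(config_text)
    for action, terms, line in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, line
    last = rules[-1][0]                       # nothing matched: opposite of the last line
    return ("deny" if last == "allow" else "allow"), "implicit default"


if __name__ == "__main__":
    lan = Request("192.168.0.10", "www.squid-cache.org", 80)
    for label, cfg in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, http_access(cfg, lan))
```

Run as-is, the "original" ordering answers allow for a LAN request to www.squid-cache.org because "http_access allow localnet" matched first, so "http_access deny blockedsites" is never reached; the "fixed" ordering answers deny from the blockedsites line, while other sites from the LAN still reach the "allow localnet" line. One caveat the fixed ordering keeps: "http_access allow localhost" still precedes the deny, so requests from the proxy host itself are not blocked; move the deny above it if that matters.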

This archive was generated by hypermail 2.2.0 : Mon Apr 06 2009 - 12:00:02 MDT