[squid-users] allowed sites acl gives problem

From: Benedict simon <simon_at_kmun.gov.kw>
Date: Fri, 22 Oct 2010 14:18:22 +0300

Dear All,

I have been using Squid for quite some time and it's an excellent, stable product.

By the way, I do have some difficulty.

I want to allow only specific sites to specific machines

let me explain

I have 3 machines with IPs of

172.16.2.22, 172.16.2.23, 172.16.2.24

These three machines have to be able to access only a few sites

like www.yahoo.com, www.google.com and www.cnn.com, and probably a couple
will be added later.

So I did add an ACL like below

acl sunray_allowed src 172.16.2.22 172.16.2.23 172.16.2.24
acl good_sites url_regex "/etc/squid/allowed-sites.squid"
http_access allow sunray_allowed good_sites

here is my allowed-sites.squid file

.yahoo.com
.google.com
.cnn.com

Now when I go to www.google.com it works fine,

but when I go to yahoo or cnn the page is not displayed properly.

the squid access.log says
-----------------------------------------
287745303.890 0 172.16.2.23 TCP_DENIED/403 1311 GET http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.js - NONE/- text/html
1287745303.903 0 172.16.2.23 TCP_DENIED/403 1309 GET http://content.dl-rms.com/rms/mother/5721/nodetag.js - NONE/- text/html
1287745303.911 0 172.16.2.23 TCP_DENIED/403 1333 GET http://i.cdn.turner.com/cnn/.element/js/3.0/hpsectiontracking.js - NONE/- text/html
1287745303.916 0 172.16.2.23 TCP_DENIED/403 1285 GET http://i.cdn.turner.com/cnn/images/1.gif - NONE/- text/html
1287745303.917 0 172.16.2.23 TCP_DENIED/403 1275 GET http://js.revsci.net/gateway/gw.js? - NONE/- text/html
1287745303.917 997 172.16.2.23 TCP_MISS/000 0 GET http://www.cnn.com/ght= - DIRECT/157.166.224.26 -
1287745304.086 724 172.16.2.23 TCP_MISS/302 730 GET http://www.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.226.25 text/html
1287745304.999 913 172.16.2.23 TCP_REFRESH_HIT/304 426 GET http://edition.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.224.45 image/gif
1287745305.346 327 172.16.2.23 TCP_REFRESH_MISS/302 727 GET http://www.cnn.com/tools/search/cnncom.xml - DIRECT/157.166.226.25 text/html
------------------------
Other sites are denied as normal, which is perfect.

I also tried using dstdomain in place of url_regex but got the same problem.

I would really appreciate it if someone could help me.

regards

simon

-- 
Network ADMIN
-------------
KUWAIT MUNICIPALITY:
Received on Fri Oct 22 2010 - 10:54:53 MDT
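
Added example (not part of the original post): every TCP_DENIED entry in the log excerpt above is for a host outside the three listed domains, so this script tallies denied requests per off-allowlist host for the restricted clients, which shows what each allowed page pulls in from elsewhere. The function names are hypothetical, the sample log is constructed from the post's excerpt, and the matcher assumes dstdomain-style suffix matching rather than the post's url_regex.

```python
from collections import Counter
from urllib.parse import urlsplit

# Allowlist entries from the post (leading dot = the domain and its subdomains).
ALLOWED = [".yahoo.com", ".google.com", ".cnn.com"]

# Constructed sample: entries from the access.log excerpt in the post, unwrapped.
SAMPLE_LOG = """\
287745303.890 0 172.16.2.23 TCP_DENIED/403 1311 GET http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.js - NONE/- text/html
1287745303.903 0 172.16.2.23 TCP_DENIED/403 1309 GET http://content.dl-rms.com/rms/mother/5721/nodetag.js - NONE/- text/html
1287745303.911 0 172.16.2.23 TCP_DENIED/403 1333 GET http://i.cdn.turner.com/cnn/.element/js/3.0/hpsectiontracking.js - NONE/- text/html
1287745303.916 0 172.16.2.23 TCP_DENIED/403 1285 GET http://i.cdn.turner.com/cnn/images/1.gif - NONE/- text/html
1287745303.917 0 172.16.2.23 TCP_DENIED/403 1275 GET http://js.revsci.net/gateway/gw.js? - NONE/- text/html
1287745304.086 724 172.16.2.23 TCP_MISS/302 730 GET http://www.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.226.25 text/html
1287745304.999 913 172.16.2.23 TCP_REFRESH_HIT/304 426 GET http://edition.cnn.com/.element/img/3.0/1px.gif - DIRECT/157.166.224.45 image/gif
"""

def host_allowed(host, allowed=ALLOWED):
    """Suffix match on the host name (assumed dstdomain-style semantics)."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def request_host(url):
    """Host of a logged URL; CONNECT entries are logged as host:port."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0] or None

def denied_hosts(log_text, clients):
    """Count TCP_DENIED requests per off-allowlist host for the given client IPs."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        if len(fields) < 7 or fields[2] not in clients:
            continue
        if not fields[3].startswith("TCP_DENIED"):
            continue
        host = request_host(fields[6])
        if host and not host_allowed(host):
            counts[host] += 1
    return counts

if __name__ == "__main__":
    for host, n in denied_hosts(SAMPLE_LOG, {"172.16.2.23"}).most_common():
        print(f"{n:4d}  {host}")
```

Each host it reports is a third party that would receive traffic from the restricted machines if added to the allowlist, so review the list before extending allowed-sites.squid.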