Re: [squid-users] Site filtering issue.... Resolved

From: Sheldon Carvalho <sheldon.sqid@dont-contact.us>
Date: Tue, 15 Apr 2008 14:21:00 -0700

Thanks for the reply Felix. I guess that must have helped. I did as
you said but that seem to block all the sites. Which made me think
that the order of the commands make a difference. Which is why, I
followed the default squid.conf file and put the commands in some what
the same order as it is on there. I also had to add in some other
syntax's
Well, I have a working squid now. It was just the order that was
messing up everything.
Here is the working config.
I will try to setup SARG along with squid. Lets hope it goes well.

squid.conf
--------------

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_network src 192.168.10.0/24
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 # SSL
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"

acl ads_blacklist dstdom_regex "/etc/squid/blacklist/ads/domains"
acl aggressive_blacklist dstdom_regex "/etc/squid/blacklist/aggressive/domains"
acl audio-video_blacklist dstdom_regex
"/etc/squid/blacklist/audio-video/domains"
acl drugs_blacklist dstdom_regex "/etc/squid/blacklist/drugs/domains"
acl gambling_blacklist dstdom_regex "/etc/squid/blacklist/gambling/domains"
acl hacking_blacklist dstdom_regex "/etc/squid/blacklist/hacking/domains"
acl mail_blacklist dstdom_regex "/etc/squid/blacklist/mail/domains"
acl torrent_blacklist dstdom_regex "/etc/squid/blacklist/torrent/domains"

http_access allow custom_allowed_domains
http_access deny custom_denied_domains

http_access deny ads_blacklist
http_access deny gambling_blacklist
http_access deny hacking_blacklist
http_access deny mail_blacklist
http_access deny torrent_blacklist

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow our_network
http_access deny all
icp_access allow all

http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache_mem 256 MB
cache_dir ufs /var/spool/squid 70000 32 512
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/spool/squid

maximum_object_size 32768 KB
maximum_object_size_in_memory 128 KB

cache_mgr abc@abc.com

Thanks
Sheldon
-------------------------------------------

On Tue, Apr 15, 2008 at 12:49 PM, Felix Lazaro Carbonell Carbonell
<felix@epepm.cupet.cu> wrote:
>
>
> Shelton, may be the tag
> http_access allow our_network
> should go after and not before (or may be you don't need it at all)
> http_access denied custom_denied_domains dst "etc/squid/denied_domains.acl"
>
>
> hope to be helpful.
> i'm a beginner.
> Regards,
> Felix Lazaro Carbonell
> > Site filtering issue
>
> > I am having issues with filtering of my websites. I have setup squid
> > 2.6.STABLE17 over a Fedora 8 machine. Below is my squid.conf file.
> > Squid seems to log all sites that are going out from other stations
> > but does not filter and of the sites. They all go through.
> > My denied_domains.acl has
> > .youtube.com
> > .hotmail.com
> > .live.com
> > But these sites don't seem to get blocked out. I had also issues this
> > command thinking that it was to do with Iptables
> > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> > 192.168.1.1:3128
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> > --to-port 3128
>
> > Initially squid wouldn't work; everything would be blocked so I
> > disable the firewall which allowed access. SO I put a custom allow to
> > port 3128 which opened it up but to all sites.
>
> > --------------
> > squid.conf
> > --------------
> > visible_hostname vanderpolgroup
>
> > http_port 3128
>
> > maximum_object_size 32768 KB
> > maximum_object_size_in_memory 128 KB
>
> > cache_mem 256 MB
> > cache_dir ufs /var/spool/squid 70000 32 512
>
> > cache_access_log /var/log/squid/access.log
> > cache_log /var/log/squid/cache.log
>
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl our_network src 192.168.10.0/24
> > acl to_localhost dst 127.0.0.0/8
>
> > acl SSL_ports port 443 # SSL
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl Safe_ports port 563 70
> > acl CONNECT method CONNECT
>
>
> > acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
> > acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"
>
> ....
>
> > http_access allow custom_allowed_domains
> > http_access deny custom_denied_domains
>
> ....
>
>
> > Thanks
> > Sheldon
>
>
>
>
>
Received on Tue Apr 22 2008 - 13:47:52 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT