Re: [squid-users] Site filtering issue

From: Felix Lazaro Carbonell Carbonell <felix@dont-contact.us>
Date: Tue, 15 Apr 2008 14:26:45 -0500

Shelton, may be the tag
http_access allow our_network
should go after and not before (or may be you don't need it at all)
http_access denied custom_denied_domains dst "etc/squid/denied_domains.acl"

hope to be helpful.
i'm a beginner.
Regards,
Felix Lazaro Carbonell
> Site filtering issue

> I am having issues with filtering of my websites. I have setup squid
> 2.6.STABLE17 over a Fedora 8 machine. Below is my squid.conf file.
> Squid seems to log all sites that are going out from other stations
> but does not filter and of the sites. They all go through.
> My denied_domains.acl has
> .youtube.com
> .hotmail.com
> .live.com
> But these sites don't seem to get blocked out. I had also issues this
> command thinking that it was to do with Iptables
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.1.1:3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128

> Initially squid wouldn't work; everything would be blocked so I
> disable the firewall which allowed access. SO I put a custom allow to
> port 3128 which opened it up but to all sites.

> --------------
> squid.conf
> --------------
> visible_hostname vanderpolgroup

> http_port 3128

> maximum_object_size 32768 KB
> maximum_object_size_in_memory 128 KB

> cache_mem 256 MB
> cache_dir ufs /var/spool/squid 70000 32 512

> cache_access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl our_network src 192.168.10.0/24
> acl to_localhost dst 127.0.0.0/8

> acl SSL_ports port 443 # SSL
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 563 70
> acl CONNECT method CONNECT

> acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
> acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"

> acl ads_blacklist dstdom_regex "/etc/squid/blacklist/ads/domains"
> acl aggressive_blacklist dstdom_regex
> "/etc/squid/blacklist/aggressive/domains"
> acl audio-video_blacklist dstdom_regex
> "/etc/squid/blacklist/audio-video/domains"
> acl drugs_blacklist dstdom_regex "/etc/squid/blacklist/drugs/domains"
> acl gambling_blacklist dstdom_regex
> "/etc/squid/blacklist/gambling/domains"
> acl hacking_blacklist dstdom_regex
> "/etc/squid/blacklist/hacking/domains"
> acl mail_blacklist dstdom_regex "/etc/squid/blacklist/mail/domains"
> acl porn_blacklist dstdom_regex "/etc/squid/blacklist/porn/domains"
> acl proxy_blacklist dstdom_regex "/etc/squid/blacklist/proxy/domains"
> acl redirector_blacklist dstdom_regex
> "/etc/squid/blacklist/redirector/domains"
> acl spyware_blacklist dstdom_regex
> "/etc/squid/blacklist/spyware/domains"
> acl suspect_blacklist dstdom_regex
> "/etc/squid/blacklist/suspect/domains"
> acl violence_blacklist dstdom_regex
> "/etc/squid/blacklist/violence/domains"
> acl warez_blacklist dstdom_regex "/etc/squid/blacklist/warez/domains"
> acl networking_blacklist dstdom_regex
> "/etc/squid/blacklist/networking/domains"

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow our_network
> http_access deny all
> icp_access allow all
> #miss_access allow all

> http_access allow custom_allowed_domains
> http_access deny custom_denied_domains

> http_access deny ads_blacklist
> http_access deny aggressive_blacklist
> http_access deny audio-video_blacklist
> http_access deny drugs_blacklist
> http_access deny gambling_blacklist
> http_access deny hacking_blacklist
> http_access deny mail_blacklist
> http_access deny porn_blacklist
> http_access deny proxy_blacklist
> http_access deny redirector_blacklist
> http_access deny spyware_blacklist
> http_access deny suspect_blacklist
> http_access deny violence_blacklist
> http_access deny warez_blacklist
> http_access deny networking_blacklist

> cache_mgr abc@abc.com

> Thanks
> Sheldon
Received on Tue Apr 22 2008 - 15:09:12 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT