Re: [squid-users] Block HTTPS website

From: Malvin Rito <mrito_at_mail.altcladding.com.ph>
Date: Mon, 23 May 2011 18:15:32 +0800

Thanks Amos. By the way my squid is currently setup as a Transparent
Proxy do you think it will block HTTPS connections? How?

Sorry I was just not too familiar with Squid config.

Regards,
Malvin

On 5/20/2011 9:06 PM, Amos Jeffries wrote:
> On 20/05/11 21:54, Malvin Rito wrote:
>> Here is my config:
>>
>
> Okay, should have worked where you placed it.
>
> What you need to do is add ".facebook.com" on a line in
> /etc/squid/restricted-sites.acl
> That will block facebook.com access for both HTTP and HTTPS with your
> config. The "." at the start of the value is important.
>
> Also, check that there is no ".com" or ".facebook.com" entry in
> /etc/squid/whitelist.acl
>
> NOTE: Blocking HTTPS only works if the browser is passing HTTPS
> through Squid. If the browser is going directly to port 443 on its
> own, Squid cannot help.
>
>
> The config as a whole has a lot of speed problems. The rest of this
> mail is some extra hints about changes that will speed up the proxy ...
>
> <snip>
>> #Allow certain Host on denied site
>> acl NO_RESTRICTIONS src 172.16.9.52
>> acl NO_RESTRICTIONS src 172.16.9.121
>> acl NO_RESTRICTIONS src 172.16.9.199
>> acl NO_RESTRICTIONS src 172.16.9.106
>> acl NO_RESTRICTIONS src 172.16.9.122
>> acl NO_RESTRICTIONS src 172.16.9.100
>> acl NO_RESTRICTIONS src 172.16.9.244
>> acl NO_RESTRICTIONS src 172.16.9.241
>> acl NO_RESTRICTIONS src 172.16.9.239
>> acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to
>>
>> # unblock some sites during launch time
>> acl LUNCHTIME time MTWHFSA 12:01-13:00
>> acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
>> acl OFFICEHOUR2 time MTWHFSA 00:01-12:00
>>
>> no_cache deny all
>
> "no_cache" is obsolete.
> If you want to not cache, change it to "cache deny all".
>
> If you want Squid to optimize speed a bit by caching some items for
> fast re-use remove the line.
>
>> acl whitelist dstdomain "/etc/squid/whitelist.acl"
>>
> <snip>
>> #Block Restricted Websites by Domain Name
>> acl BadSites dstdomain "/etc/squid/restricted-sites.acl"
>> deny_info ERR_BLOCKED_SITES BadSites
> <snip>
>>
>> #Block Restricted Websites by IP Address
>> acl BadSitesIP dstdomain "/etc/squid/restricted-IPaddress.acl"
>> deny_info ERR_BLOCKED_SITES BadSitesIP
>
> You can drop the "BadSitesIP" ACL entirely.
>
> Add this instead:
> acl BadSites dstdomain "/etc/squid/restricted-IPaddress.acl"
>
> NP: there are also http_access changes which need to happen with that
> name change.
>
> <snip>
>> http_access allow whitelist
>
> I assume "NO_RESTRICTIONS" means you want those hosts not to be
> restricted.
>
> To do that you want to put this line here:
> http_access allow NO_RESTRICTIONS
>
> ... then you can remove it from all the later http_access lines:
>
>> http_access deny blockfiles !NO_RESTRICTIONS
>> http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
>> http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
>> #http_access deny restricted_HTTPS_sites OFFICEHOUR1
>> #http_access deny restricted_HTTPS_sites OFFICEHOUR2
>> http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
>> http_access deny BadSitesIP !NO_RESTRICTIONS
>> http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS
>>
> <snip>
>
> Those few dozen "Team" http_access lines can be combined into one
> single ACL. Like this:
>
>
> #Joy Team
> acl RestrictedHost src 172.16.9.82 # jcpinto
> acl RestrictedHost src 172.16.9.86 # _mmvillar
> acl RestrictedHost src 172.16.9.116 # _djcarino
>
> #nINETH Team
> acl RestrictedHost src 172.16.9.85 # _ebinay
>
> #Thes Team
> #acl RestrictedHost src 172.16.9.90 # _aaquino
> acl RestrictedHost src 172.16.9.91 # _rbasa
> acl RestrictedHost src 172.16.9.81 # _jbadong
> acl RestrictedHost src 172.16.9.104 # _dbalino
> #acl RestrictedHost src 172.16.9.115 # _rfrancisco
>
> #Richard A. Team
> #acl RestrictedHost src 172.16.9.101 # _raraw
> acl RestrictedHost src 172.16.9.35 # _lmusni
> acl RestrictedHost src 172.16.9.100 # _mmendoza
>
> #Jhun Team
> acl RestrictedHost src 172.16.9.119 # _jcruzado
> acl RestrictedHost src 172.16.9.109 # _glustre
> acl RestrictedHost src 172.16.9.111 # _jrmaganis
> acl RestrictedHost src 172.16.9.252 # _earellano
> acl RestrictedHost src 172.16.9.80 # _jmprimicias
>
> #Ranel Team
> acl RestrictedHost src 172.16.9.114 # _jbautista
> acl RestrictedHost src 172.16.9.117 # _jlmallari
> acl RestrictedHost src 172.16.9.118 # _dcuna
>
> #Marge Team
> acl RestrictedHost src 172.16.9.92 # _vescolano
> #acl RestrictedHost src 172.16.9.87 # _eselda
>
> http_access deny RestrictedHost
>
>
> Taddah! about 15 times faster.
>
>
> <snip>
>> # --------END OF ALT CLADDING, INC. ACL
>> DEFINITION-------------------------------------------
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> #
>> # Example rule allowing access from your local networks.
>> # Adapt to list your (internal) IP networks from where browsing
>> # should be allowed
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> Hmm, you can drop the "localnet" ACL completely.
> You defined it already with your own name of "lan".
>
>> #
>> acl TOR_PORT1 port 9001
>> acl TOR_PORT2 port 9030
>> acl TOR_PORT3 port 9051
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>
> Instead of making new ACL and checking them separately you can just
> alter the Safe_ports to exclude TOR.
>
> Remove:
> acl Safe_ports port 1025-65535 # unregistered ports
>
> Add:
> acl Safe_ports port 1025-9000
> acl Safe_ports port 9002-9029
> acl Safe_ports port 9031-9050
> acl Safe_ports port 9052-65535
>
> Now you can also remove the TOR_PORT* http_access lines later on.
>
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # TAG: http_access
>> # Allowing or Denying access based on defined access lists
>> #
>> # Access to the HTTP port:
>> # http_access allow|deny [!]aclname ...
>> #
>> # NOTE on default values:
>> #
>> # If there are no "access" lines present, the default is to deny
>> # the request.
>> #
>> # If none of the "access" lines cause a match, the default is the
>> # opposite of the last line in the list. If the last line was
>> # deny, the default is allow. Conversely, if the last line
>> # is allow, the default will be deny. For these reasons, it is a
>> # good idea to have an "deny all" or "allow all" entry at the end
>> # of your access lists to avoid potential confusion.
>> #
>> #Default:
>> # http_access deny all
>> #
>> #Recommended minimum configuration:
>> #
>> # Only allow cachemgr access from localhost
>> http_access allow manager localhost
>> http_access deny manager
>> # Deny requests to unknown ports
>> http_access deny TOR_PORT1
>> http_access deny TOR_PORT2
>> http_access deny TOR_PORT3
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than SSL ports
>> http_access deny CONNECT !SSL_ports
>> #
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> #http_access deny to_localhost
>> #
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>
>
> Hmm, this is where the whole section earlier called "ALT CLADDING,
> INC. ACL DEFINITION" is supposed to be. Right after the security
> checks that the host is behaving itself (safe SSL and port usage).
>
>> # Example rule allowing access from your local networks.
>> # Adapt localnet in the ACL section to list your (internal) IP networks
>> # from where browsing should be allowed
>> http_access allow localnet
>
> "localnet" can be erased since you are calling it "lan" instead.
>
>>
>> # And finally deny all other access to this proxy
>>
>> # -----------------------------
>> # DEFINED FOR ALT CLADDING
>> http_access allow localhost
>> http_access allow lan
>> # -----------------------------
>>
>>
>> http_access deny all
>>
>
>
> Amos
Received on Mon May 23 2011 - 10:17:26 MDT
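As an added illustration (not code from the thread or from Squid itself), the following Python model mimics how Squid evaluates `acl` and `http_access` lines: first matching line wins, `dstdomain` entries with a leading "." also match subdomains, and the `Safe_ports` ranges carve out the Tor ports as Amos suggests. The addresses, the `lan` network and the `.example.com` whitelist entry are constructed sample values.

```python
import ipaddress

def domain_matches(pattern, host):
    """dstdomain semantics: a leading '.' matches the domain and every
    subdomain; without the dot only the exact host name matches."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(atype, values, req):
    if atype == "all":
        return True
    if atype == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if atype == "dstdomain":
        return any(domain_matches(v, req["host"]) for v in values)
    if atype == "port":  # values are single ports or "lo-hi" ranges
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    raise ValueError("unsupported acl type: " + atype)

def evaluate(acls, rules, req):
    """First http_access line whose ACLs all match wins; if none match,
    the result is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed config in the shape Amos recommends (addresses and the
# whitelist entry are sample values, not the poster's real lists).
ACLS = {
    "all": ("all", []),
    "Safe_ports": ("port", ["80", "21", "443", "1025-9000", "9002-9029",
                            "9031-9050", "9052-65535"]),  # Tor ports carved out
    "whitelist": ("dstdomain", [".example.com"]),
    "NO_RESTRICTIONS": ("src", ["172.16.9.52", "172.16.9.121"]),
    "BadSites": ("dstdomain", [".facebook.com"]),
    "lan": ("src", ["172.16.9.0/24"]),
}
RULES = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["whitelist"]),
    ("allow", ["NO_RESTRICTIONS"]),   # exempt hosts once, not on every line
    ("deny", ["BadSites"]),
    ("allow", ["lan"]),
    ("deny", ["all"]),
]

def check(src, host, port=443, acls=ACLS):
    return evaluate(acls, RULES, {"src": src, "host": host, "port": port})
```

Swapping the whitelist entry for ".com" shows why Amos asks to check that file: such an entry matches facebook.com before the BadSites line is reached.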
