RE: [squid-users] SquidGuoard ignoring blacklist

From: SSCR Internet Admin <[email protected]>
Date: Tue, 4 Mar 2003 16:32:17 -0800

can y ou try include the squidGuard.log file?

-----Original Message-----
From: Dan Egli [mailto:dan@shortcircuit.dyndns.org]
Sent: Monday, March 03, 2003 10:34 PM
To: chastity-list@lists.sourceforge.net; squid-users@squid-cache.org
Subject: [squid-users] SquidGuoard ignoring blacklist

I'm trying to setup squidguard on my RH 8.0 box, and am having some
problems. Hopefully someone can tell me what I did wrong.

I have squid, squidGuard, and the chastity-list all installed, and it
looks ok, but when I try to visit any site on the blacklist from my
browser, I get through. Shouldn't I get an error indicating that access
was denied or something? I'm attaching the squid.conf and
squidGuard.conf files below, incase this helps.

--- Dan

squid.conf: (relevant portions at least)

# TAG: redirect_program
# Specify the location of the executable for the URL redirector.
# Since they can perform almost any function there isn't one included.
# See the Release-Notes for information on how to write one.
# By default, a redirector is not used.
#
#Default:
# none
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard-chastity.conf

# ACCESS CONTROLS
#
----------------------------------------------------------------------------
-

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of src dst srcdomain dstdomain url_pattern
# urlpath_pattern time port proto method browser user
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used. The name "none" is used if the reverse lookup
# # fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on
whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on
URL path
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp
# # pattern match on User-Agent header
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # authenticate_program).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl req_mime_type mime-type1 ...
# # regex match agains the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunelling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
#Examples:
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# And finally deny all other access to this proxy
http_access allow localhost
http_access allow localnet
http_access deny all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from eveyone
icp_access allow all

squidGuard.conf:

#----------------------------------------------------------------
# SquidGuard CONFIGURATION FILE
#----------------------------------------------------------------

# CONFIGURATION DIRECTORIES
dbhome /var/lib/chastity
logdir /var/log/squid

# TIME RULES:
# abbrev for weekdays:
# s = sun, m = mon, t =tue, w = wed, h = thu, f = fri, a = sat

time workhours {
        weekly s 09:30-12:00 13:00-19:00
        weekly m 09:00-12:00 13:00-19:00
        weekly t 09:00-11:00 12:00-19:00
        weekly w 09:00-12:00 12:00-18:00
        weekly h 09:00-13:00 13:00-18:00
        weekly f 09:00-12:00 13:30-18:00
        weekly a 08:20-13:00 13:30-19:00
}

# SOURCE ADDRESSES:
#src privilegedsource {
# iplist /var/lib/squidguard/db/privilegedsource/ips
#}

#src bannedsource {
# iplist /var/lib/squidguard/db/bannedsource/ips
#}

#src lansource {
# iplist /var/lib/squidguard/db/lansource/lan
#}

# DESTINATION CLASSES:

dest adult {
    domainlist adult/domains
    urllist adult/urls
    expressionlist adult/expressions
# log /var/log/squid/adult.log
}

dest audio-video {
    domainlist audio-video/domains
    urllist audio-video/urls
}

dest forums {
    domainlist forums/domains
    urllist forums/urls
    expressionlist forums/expressions
}

dest hacking {
    domainlist hacking/domains
    urllist hacking/urls
}

dest redirector {
    domainlist redirector/domains
    urllist redirector/urls
    expressionlist redirector/expressions
}

dest warez {
    domainlist warez/domains
    urllist warez/urls
}

dest ads {
    domainlist ads/domains
    urllist ads/urls
}

dest aggressive {
    domainlist aggressive/domains
    urllist aggressive/urls
}

dest drugs {
    domainlist drugs/domains
    urllist drugs/urls
}

dest gambling {
    domainlist gambling/domains
    urllist gambling/urls
}

dest violence {
    domainlist violence/domains
    urllist violence/urls
    expressionlist violence/expressions
}

# ACLs
acl {
# privilegedsource {
# pass !adult all
# redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclas
s=%t&url=%u

#
# }

# bannedsource {
# pass none
# redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclas
s=%t&url=%u

#
# }

# lansource {
# pass !adult !audio-video !forums !hacking !redirector !warez
!ads !aggressive !drugs !gambling !violence all
# redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclas
s=%t&url=%u

# }

    default {
        pass !adult !audio-video !forums !hacking !redirector !warez
!ads !aggressive !drugs !gambling !violence all
        redirect
http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclas
s=%t&url=%u

    }
}

--
This message has been scanned for viruses and
dangerous contents on SSCR Email Scanner Server, and is
believed to be clean.
---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
-- 
This message has been scanned for viruses and
dangerous contents on SSCR Email Scanner Server, and is
believed to be clean.
Received on Tue Mar 04 2003 - 01:23:01 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:54 MST