Re: [squid-users] ADWARE

From: Tim Neto <[email protected]>
Date: Fri, 10 Dec 2004 16:58:18 -0500

Hello Ma.Teo (aka: Loop),

One, when using "dstdomain", I would recommend using a domain reference
and not a host reference.
A domain reference for LavaSoft would be like: .lavasoftusa.com
A host reference, like what you used, is: www.lavasoftusa.com

Hopefully what you've shown in you last message is only a fragment of
your complete Squid configuration, if not you are missing many things.

In your last message, the segment you state works, is not even using any
control for the site "www.lavasoftusa.com". The acl you defined is not
used.

Why the second set of configuration syntax does not work, I am not
sure. A more complete squid.conf would be:
===================================================================================
# ----------------------------------------------------------------------
http_port 10.1.0.10:8080

# ----------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_dir ufs C:/squid/var 100 16 256
cache_access_log C:/squid/var/access.log
cache_log C:/squid/var/cache.log
cache_store_log C:/squid/var/store.log

cache_mgr ProxyMaster@adinet.com.uy
#
cachemgr_passwd password 5min
cachemgr_passwd password 60min
cachemgr_passwd password asndb
cachemgr_passwd password authenticator
cachemgr_passwd password cbdata
cachemgr_passwd password client_list
cachemgr_passwd password comm_incoming
cachemgr_passwd password config *
cachemgr_passwd password counters
cachemgr_passwd password delay
cachemgr_passwd password digest_stats
cachemgr_passwd password dns
cachemgr_passwd password events
cachemgr_passwd password filedescriptors
cachemgr_passwd password fqdncache
cachemgr_passwd password histograms
cachemgr_passwd password http_headers
cachemgr_passwd password info
cachemgr_passwd password io
cachemgr_passwd password ipcache
cachemgr_passwd password mem
cachemgr_passwd password menu
cachemgr_passwd password netdb
cachemgr_passwd password non_peers
cachemgr_passwd password objects
cachemgr_passwd password pconn
cachemgr_passwd password peer_select
cachemgr_passwd password redirector
cachemgr_passwd password refresh
cachemgr_passwd password server_list
# cachemgr_passwd password shutdown *
cachemgr_passwd password store_digest
cachemgr_passwd password storedir
cachemgr_passwd password utilization
cachemgr_passwd password via_headers
cachemgr_passwd password vm_objects
# ----------------------------------------------------------------------
auth_param basic program C:/squid/libexec/squid_ldap_auth.exe -h
ldap.adinet.com.uy -p 389 -P -b o=adinet -f "(uid=%s)"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

external_acl_type ldap_group %LOGIN
C:/squid/libexec/squid_ldap_group.exe -h ldap.adinet.com.uy -p 389 -P -b
o=adinet -F "(uid=%s)" -f
"(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 10.1.0.0/16
acl dmz_networks src 100.200.10.46/28

# LDAP group acl definitions.
#
# Proxy
acl proxy_groups external ldap_group proxy proxy_a proxy_b proxy_c

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# ----------------------------------------------------------------------
# Note, deny rules must exist before any allow rules.
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
http_access deny no_kazaa
http_access deny no_puretracks

#
# Open access web addresses.
#
acl open_lavasoft_de_edgesuite_net dstdomain .lavasoft.de.edgesuite.net
http_access allow kcl_networks open_lavasoft_de_edgesuite_net

# ----------------------------------------------------------------------
# Allow all proxy users to all web addresses.
#
http_access allow kcl_networks proxy_groups

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# ----------------------------------------------------------------------
coredump_dir C:/squid/var
===================================================================================

Note, this example is from a SquidNT installation. The path log files,
data stores, and external helpers would need to be adjusted for a UNIX
(LINUX) deployment.

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer Komatsu Canada Limited
 Ph#: 905-625-6292 x265 1725B Sismet Road
 Fax: 905-625-6348 Mississauga, Canada
 E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

loop wrote:

>TIM:
>
>
>If i put this:
>
>acl localnet src 10.1.0.0/16
>acl lavasoft dstdomain www.lavasoftusa.com
>http_access allow localnet
>
>The AD-AWARE does work fine, but if i put this (you proposal):
>
>acl localnet src 10.1.0.0/16
>acl lavasoft dstdomain www.lavasoftusa.com
>http_access allow localnet lavasoft
>
>The AD-AWARE does not work.
>Why?, because with the first setup (without "lavasoft" parameter) i permit
>to all "localnet" without authentication.
>
>What can i do?
>
>loop.-
>
>
>
>
>
>
>
>
>----- Original Message -----
>From: "Tim Neto" <tneto@komatsu.ca>
>To: "loop" <ma.teo@adinet.com.uy>; <squid-users@squid-cache.org>
>Sent: Friday, December 10, 2004 1:28 PM
>Subject: Re: [squid-users] ADWARE
>
>
>
>
>>Hello,
>>
>>Are you using authentication with your Squid proxying? If so, using an
>>acl and an http_access allow unauthenticated access to LavaSoft's update
>>site.
>>Like:
>> acl open_lavasoft_de_edgesuite_net dstdomain
>>.lavasoft.de.edgesuite.net
>>and
>> http_access allow mynetworks open_lavasoft_de_edgesuite_net
>>
>>Tim
>>
>>-----------------------------------------------------------
>>Timothy E. Neto
>> Computer Systems Engineer Komatsu Canada Limited
>> Ph#: 905-625-6292 x265 1725B Sismet Road
>> Fax: 905-625-6348 Mississauga, Canada
>> E-Mail: tneto@komatsu.ca L4W 1P9
>>-----------------------------------------------------------
>>
>>
>>
>>loop wrote:
>>
>>
>>
>>>Sorry the software name is: AD-AWARE of LAVASOFT.
>>>
>>>
>>>loop.-
>>>
>>>
>>>
>>>----- Original Message -----
>>>From: "loop" <ma.teo@adinet.com.uy>
>>>To: <squid-users@squid-cache.org>
>>>Sent: Friday, December 10, 2004 2:04 PM
>>>Subject: [squid-users] ADWARE
>>>
>>>
>>>
>>>
>>>
>>>
>>>>HI, GUYS...
>>>>
>>>>
>>>>SOMEBODY KNOWS WHY I CANNOT UPDATE THE "ADWARE SOFTWARE" BEHIND THE
>>>>
>>>>
>SQUID?
>
>
>>>>THE SQUID VERSION IS: Squid Cache: Version 2.5.STABLE5.
>>>>
>>>>Thanks...a lot
>>>>
>>>>loop.-
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>
>
>
>
Received on Fri Dec 10 2004 - 14:58:13 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:02 MST