Re: [squid-users] ACL Website Banning doesn't work

From: Christoph Haas <[email protected]>
Date: Wed, 10 May 2006 12:11:42 +0200

On Wed, May 10, 2006 at 03:23:18PM +1000, mark_brimblecombe wrote:
> I was woundering if someone could tell me what I'm doing
> wrong with my squid.conf file.

Yes. :) You need to keep in mind that "http_access" statements are
considered from top to bottom. The first line that matches the criteria
determines the action that is taken. Thus:

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> #acl Safe_ports port 8080
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow password

You don't have an ACL called "password" defined but I blame that on
copy/paste and assume that you meant the "acl user_passwords" that you list
later in your config.

So if anyone authenticates successfully the access is granted and further
"http_access" rules are not considered.

> acl lan src 192.168.0.0/255.255.255.0
> acl lan1 src 192.168.1.0/255.255.255.0
> acl lan2 src 192.168.2.0/255.255.255.0
> acl lan3 src 192.168.3.0/255.255.255.0
>
> acl restricted_sites url_regex -i myspace.com
> acl restricted_sites url_regex -i schoolies.com
> acl restricted_sites url_regex -i
> killjeeseday.freewebpage.org/lol.html
> acl restricted_sites url_regex -i earth.google.com
> acl restircted_sites url_regex -i
> kh.google.com/download/earth/index.html
> acl restricted_sites url_regex -i 211.27.149.18/webbook
> acl restricted_sites url_regex -i maps.google.com
> acl restricted_sites url_regex -i runescape.com
> acl restricted_sites url_regex -i runehq.com

You should consider moving these domains into an external file and use

acl restricted_sites url_regex -i "/etc/squid/restricted"

> acl user_passwords proxy_auth REQUIRED
>
> http_access deny !restricted_sites lan
> http_access deny !restricted_sites lan1
> http_access deny !restricted_sites lan2
> http_access deny !restricted_sites lan3

These rules will not be executed because a previous rule matched already.
I would suggest something more like:

acl lan src 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
acl restricted_sites url_regex -i "/etc/squid/restricted"
http_access deny !restricted lan
http_access allow authenticated
http_access deny all

Kindly
 Christoph
Received on Wed May 10 2006 - 04:11:47 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:02 MDT