Re: [squid-users] Blocking Orkut (https problem)

From: Palula Brasil <[email protected]>
Date: Tue, 17 Oct 2006 01:07:38 -0200

Here is the config for my acls:

acl all src 0/0
acl minha_rede src x.x.x.x/24 (My LAN IP's)
acl lan_bloqueada src "/etc/squid/int_blocked_ips.acl"
acl lan_liberada src "/etc/squid/int_permit_ips.acl"
acl bad_strings url_regex -i "/etc/squid/bad_strings.acl"
acl bad_ips dst "/etc/squid/bad_ips.acl"
acl bad_sites dstdomain "/etc/squid/bad_sites.acl"
acl bad_files urlpath_regex "/etc/squid/bad_files.acl"
acl good_strings url_regex -i "/etc/squid/good_strings.acl"
acl good_sites dstdomain "/etc/squid/permitted.acl"
acl unproductive dstdomain "/etc/squid/unproductive.acl"
acl unprod_strings url_regex -i "/etc/squid/unprod_strings.acl"
acl trabalho time MTWHF 12:00-13:30
acl nao_trabalho time SA
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ssl_ports port 443 563
acl CONNECT method CONNECT

acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # https
acl safe_ports port 563 # snews
acl safe_ports port 70 # gopher
acl safe_ports port 210 # wais
acl safe_ports port 1025-65535 # unregistered ports
acl safe_ports port 280 # http-mgmt
acl safe_ports port 488 # gss-http
acl safe_ports port 591 # filemaker
acl safe_ports port 777 # multiling http

And here is the order of the ACL's

#http_access deny lan_bloqueada
http_access deny bad_sites !good_sites
http_access deny bad_strings !good_strings
http_access deny bad_ips
http_access deny bad_files
#http_access deny trabalho !nao_trabalho unproductive
#http_access deny trabalho !nao_trabalho unprod_strings
http_access deny CONNECT !ssl_ports
http_access allow safe_ports
http_access allow manager localhost
http_access deny manager
http_access allow minha_rede

http_access deny all

The place where I put orkut to be blocked is in the bad_sites acl.
Thank you.

----- Original Message -----
From: "Chris Robertson" <crobertson@gci.net>
To: "Squid" <squid-users@squid-cache.org>
Sent: Monday, October 16, 2006 7:21 PM
Subject: Re: [squid-users] Blocking Orkut (https problem)

Palula Brasil wrote:
> Hi everybody!
>
> I'm having some problems and would like to know if it is possible to block
> Orkut connections using https?
>
> This is what's happening. Orkut is being blocked during the working hours,
> but it can be bypassed using the https procedure. When connecting to
Orkut,
> squid blocks the site. But by changing the URL, http://www.orkut.com to
> https://www.orkut.com, users are being able to access the site.
>
> My question is? Is there a way to block this procedure, If we can block
> connections from either port 80 or port 443 (I think) this problem would
be
> resolved right?
>
> Thank you.
>
>
The order of http_access lines is supremely important, as are the ACLs
being used. To the best of my knowledge, a url_regex won't work on a
HTTPS connection, as the URL being requested is encrypted. Using a
dstdomain ACL would not have this problem.

Chris
Received on Mon Oct 16 2006 - 22:07:46 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST