Ubuntu 8.04: Transparent proxy using squid working but block domain not working

bleketux · 08-06-2008, 06:55 AM

I have successfully set my transparent proxy using squid and one nic. I also set to block some domain using dstdomain but my client still able to access blocked domain. I wonder why... Here is my squid.conf

Quote:

# OPTIONS FOR AUTHENTICATION
# Recommended minimum configuration for basic scheme
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# ACCESS CONTROLS
##Blocked Domain/Word
acl blockeddomain dstdomain -i "/etc/squid/domainblock.txt"
acl blockedword url_regex -i "/etc/squid/wordblock.txt"

acl download url_regex -i ftp \.exe$ \.mp3$ \.mp4$ \.tar.gz$ \.gz$ \.tar.bz2$ \.rpm$ \.zip$ \.rar$
acl download url_regex -i \.avi$ \.mpg$ \.mpeg$ \.rm$ \.iso$ \.wav$ \.mov$ \.dat$ \.mpe$ \.mid$
acl download url_regex -i \.midi$ \.rmi$ \.wma$ \.wmv$ \.ogg$ \.ogm$ \.m1v$ \.mp2$ \.mpa$ \.wax$
acl download url_regex -i \.m3u$ \.asx$ \.wpl$ \.wmx$ \.dvr-ms$ \.snd$ \.au$ \.aif$ \.asf$ \.m2v$
acl download url_regex -i \.m2p$ \.ts$ \.tp$ \.trp$ \.div$ \.divx$ \.mod$ \.vob$ \.aob$ \.dts$
acl download url_regex -i \.ac3$ \.cda$ \.vro$ \.deb$

## Recommended minimum configuration
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

acl myintranet src 192.168.1.0/24
http_access allow myintranet

http_access deny blockeddomain
http_access deny blockedword

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_reply_access allow all
icp_access allow all
miss_access allow all

# NETWORK OPTIONS
http_port 3128 transparent

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
hierarchy_stoplist cgi-bin ?

# MEMORY CACHE OPTIONS
cache_mem 64 MB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy lru

# DISK CACHE OPTIONS
cache_replacement_policy lru
cache_dir ufs /var/spool/squid 15000 16 256
minimum_object_size 0 KB
maximum_object_size 20480 KB
cache_swap_low 90
cache_swap_high 95

# LOGFILE OPTIONS
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 10
log_ip_on_direct on
debug_options ALL,1
client_netmask 255.255.255.255
buffered_logs off

# OPTIONS FOR FTP GATEWAYING
ftp_user Squid@
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on

# OPTIONS FOR TUNING THE CACHE
## We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 5 minutes

# HTTP OPTIONS
ie_refresh on

# TIMEOUTS
connect_timeout 1 minutes
read_timeout 15 minutes
request_timeout 5 minutes
persistent_request_timeout 1 minutes
client_lifetime 5 day
pconn_timeout 120 seconds
shutdown_lifetime 30 seconds

# ADMINISTRATIVE PARAMETERS
cache_mgr myserver
visible_hostname myserver

# DELAY POOL PARAMETERS
delay_pools 1
delay_class 1 1
delay_access 1 allow download
delay_access 1 deny all
delay_parameters 1 1000/16000

# SNMP OPTIONS
snmp_port 3401
snmp_access allow localhost
snmp_access deny all

# ICP OPTIONS
icp_port 3130
udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255

# DNS OPTIONS
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024

# MISCELANEOUS
coredump_dir /var/spool/squid

The content of /etc/squid/domainblock.txt is

Quote:

www.something.com
www.badsite.com
...
etc dot com

Is there something wrong with the configuration ?
Please help me...

predatorz · 08-07-2008, 04:18 AM

Just my 2cents.

The config looks okay to me.

Did you hit the full url as specified in the blockeddomain.txt when testing to see if squid blocks? Is it blocked when you access the blocked domains as specified in the txt file?

I think it is better to put .example.com in the txt file, it should block all subdomain of example.com as well.

bleketux · 08-07-2008, 08:01 PM

Quote:

Originally Posted by predatorz

Did you hit the full url as specified in the blockeddomain.txt when testing to see if squid blocks? Is it blocked when you access the blocked domains as specified in the txt file?

Yes, I have try testing it...

Quote:

Originally Posted by predatorz

I think it is better to put .example.com in the txt file, it should block all subdomain of example.com as well.

Yes, I also already put domain... such as .google.com but I still can access google.

Is it because the my network structure ? I have the following structure :

Client PC --> Hub A --> Modem A --> Internet
Squid PC ---/

Client PC (192.168.1.3) and Squid PC (192.168.1.2) connect to a Switch/Hub, the switch/hub connect to the Modem/Router (192.168.1.1) than connect to the internet.

The client PC Gateway goes to Squid PC IP.
The Squid PC Gateway goes to Modem/Router IP.

predatorz · 08-07-2008, 11:19 PM

Did you forward all http traffic to Squid server port 3128?

http://www.cyberciti.biz/tips/linux-...uid-howto.html

bleketux · 08-08-2008, 04:43 AM

Yes... But still the blocking is not working...
I did this :

Code:

$ sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 3128

predatorz · 08-08-2008, 10:49 PM

Quote:

Originally Posted by bleketux

Yes... But still the blocking is not working...
I did this :

Code:

$ sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 3128

Your iptables is on the Squid Server?
Firstly, let's not use transparent proxy first, have the client PC web broswer settings to point to the Squid PC first. Try to access the Internet on client PC and check the logs on the squid pc, to see if the proxy is working first.

bleketux · 08-11-2008, 02:11 AM

Quote:

Originally Posted by predatorz

Your iptables is on the Squid Server?

Yes, the iptables is on the squid server...
But... Seem I found the problem.
I didn't know that iptables rules are temporary... I restarted the server and it didn't work, but after I rerun the iptables again, than the blocking is work...
Than case is closed

Sorry to confuse you...
Another question...
Is it possible to redirect the error page ? I don't want my client PC to see plain text access denied page... I want to show something more nice

linuxlover.chaitanya · 08-11-2008, 02:25 AM

Yeah it is possible to show the customized error page. You will need to change the page /etc/squid/errors/ERR_ACCESS_DENIED page to something that you need. Or create the new page and insert it in squid configuration file.

bleketux · 08-11-2008, 11:16 PM

Quote:

Originally Posted by linuxlover.chaitanya

Yeah it is possible to show the customized error page. You will need to change the page /etc/squid/errors/ERR_ACCESS_DENIED page to something that you need. Or create the new page and insert it in squid configuration file.

Thanks...
I'll use squidGuard...
Everything's now working as expected.

Problem Solved.
Thread Closed.

altavoltagem · 03-16-2009, 05:58 AM

Hi,

I am going to implement squid on my Ubuntu 8.10 with only on nic.
Please tell me something, On your architecture, could your client PCs connect to Internet directly, ignoring the proxy ?

My network is something like this :

Various PCs ... 192.168.10.2,192.168.10.3,192.168.10.4...
Router DI-624 (Gateway) ... 192.168.10.1

Now I would like to configure squid and every traffic to internet will be grabbed on my proxy. I would like to analyse some http stats, I read that awstats it's good.

Sorry for this rookie questions ... ;-)

Thanks in advance

Quote:

Originally Posted by bleketux

Yes,
I have try testing it...

Yes, I also already put domain... such as .google.com but I still can access google.

Is it because the my network structure ? I have the following structure :

Client PC --> Hub A --> Modem A --> Internet
Squid PC ---/

Client PC (192.168.1.3) and Squid PC (192.168.1.2) connect to a Switch/Hub, the switch/hub connect to the Modem/Router (192.168.1.1) than connect to the internet.

The client PC Gateway goes to Squid PC IP.
The Squid PC Gateway goes to Modem/Router IP.

linuxlover.chaitanya · 03-16-2009, 06:41 AM

Your question does not seem to be very clear. Also it does not seem to be related to what OP was facing. Do not hijack the thread. Instead start your own in viable forum with neat subject to get max help.