[SOLVED] how to deny block https sites for some users

Winanjaya · 11-19-2009, 11:03 PM

in squid, how to block some https sites for some users?

ie. I want to deny https://www.google.com and https://www.xyz.com
for 192.168.1.6-16

please help

thanks & regards

GlennsPref · 11-20-2009, 12:51 AM

Hi, I also use squid.

ref. Restricting Access to specific Web sites

Quote:

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create to lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

# Add this to the bottom of the ACL section of squid.conf
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites

these addresses to the files need to be logical, and kept in a non-user space.

If you don't want to restrict the times, leave out that line...
eg. "acl business_hours time M T W H F 9:00-17:00"

These files may contain....another example from linuxhomenetworking

Quote:

# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

also see...www.linuxhomenetworking.com/wiki and
http://www.visolve.com/squid/squid30/contents.php

for a range of addresses, try this synopsis instead of the example...

Quote:

addr1-addr2/netmask

Like this, change...

Code:

acl home_network src 192.168.1.0/24 to...
acl home_network src 192.168.1.6-192.168.1.16/24

ref. http://www.visolve.com/squid/squid30...ntrols.php#acl

Read these sites for more info.

Hope this helps you, cheers Glenn

win32sux · 11-20-2009, 03:27 AM

Quote:

Originally Posted by Winanjaya

in squid, how to block some https sites for some users?

ie. I want to deny https://www.google.com and https://www.xyz.com
for 192.168.1.6-16

please help

thanks & regards

Have you searched LQ for previous threads about this issue? I know for a fact that there are several, because I have participated in some. In any case, what you want could be done like this:

Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain .www.google.com
acl https_sites dstdomain .www.xyz.com
acl CONNECT method CONNECT

http_access deny clients https_sites
http_access allow clients
http_access deny all

Keep in mind that you're matching by subdomain. If you want to block HTTPS for the entire domains do:

Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain .google.com
acl https_sites dstdomain .xyz.com
acl CONNECT method CONNECT

http_access deny clients https_sites CONNECT
http_access allow clients
http_access deny all

Winanjaya · 11-20-2009, 04:19 AM

but how to put the https site list into file?

win32sux · 11-20-2009, 06:08 AM

Quote:

Originally Posted by Winanjaya

but how to put the https site list into file?

Just stick them in a text file and specify it like:

Code:

acl clients src 192.168.1.6-192.168.1.16
acl https_sites dstdomain "/etc/squid/example.txt"
acl CONNECT method CONNECT

http_access deny clients https_sites CONNECT
http_access allow clients
http_access deny all

Winanjaya · 11-30-2009, 10:52 PM

I tried below .. but sometimes it doesnot work for some sites (such as https://facebook.com .. etc)

I have /etc/squid/src/freehttps

allowedhttps.domain1.com
allowedhttps.domain2.com

..

in squid.conf

acl clients src 192.168.1.0/24
acl freehttps url_regex -i "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I still able to visit https://www.facebook.com

what I missed?

win32sux · 11-30-2009, 11:17 PM

Quote:

Originally Posted by Winanjaya

I tried below .. but sometimes it doesnot work for some sites (such as https://facebook.com .. etc)

I have /etc/squid/src/freehttps

allowedhttps.domain1.com
allowedhttps.domain2.com

..

in squid.conf

acl clients src 192.168.1.0/24
acl freehttps url_regex -i "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I still able to visit https://www.facebook.com

what I missed?

Why are you using URL regular expressions? That wasn't suggested anywhere on this thread. Also, the second http_access (which is presumably spelled properly in your actual squid.conf) would give total access to all clients in 192.168.1.0/24, which makes the first http_access pointless.

Winanjaya · 11-30-2009, 11:24 PM

Although I changed it to

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I still able to visit https://www.facebook.com

in "/etc/squid/src/freehttps" contains:

domain1.com
domain2.com

Winanjaya · 11-30-2009, 11:25 PM

and by the way .. I am running transparent proxy.. any comment?

Winanjaya · 11-30-2009, 11:35 PM

and in /var/log/squid/access.. I found the following..:

1954 POST http://204.11.16.115:80/toolbar/activate.php - NONE/- text/html

I dont know how to block such address?

win32sux · 11-30-2009, 11:36 PM

Quote:

Originally Posted by Winanjaya

Although I changed it to

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps
htto_access allow clients
http_access deny all

I still able to visit https://www.facebook.com

If I'm properly understanding what you want, this should look like this instead:

Code:

acl clients src 192.168.1.0/24
acl freehttps dstdomain "/etc/squid/src/freehttps"
acl CONNECT method CONNECT

http_access allow CONNECT freehttps clients
http_access deny CONNECT clients
http_access allow clients
http_access deny all

Quote:

in "/etc/squid/src/freehttps" contains:

domain1.com
domain2.com

You need a dot before each of those domains, like:

Code:

.domain1.com
.domain2.com

Quote:

Originally Posted by Winanjaya

and by the way .. I am running transparent proxy.. any comment?

It doesn't really matter in this case, as AFAICT your problem is bad ACLs, not interception.