src ACL not working right in Squid

bslag · 05-08-2008, 05:14 PM

First of all, my apologies for resurrecting a year and a half old topic but it's the only topic I've found through a quick Google search doing exactly what I'm looking for...

Here's the deal,

This works great when just denying the domain ACL - but it is blocked for everyone. When I try to add the client ACL, it no longer works at all.

Here is my exact code

Code:

acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl bad_kid1 src 192.168.34.82
http_access deny bad_kid1 bad_url

I've also tried it like

Code:

acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com

but the results are the same.

Any help is much appreciated.

Thanks.

win32sux · 05-08-2008, 05:31 PM

Quote:

Originally Posted by bslag

First of all, my apologies for resurrecting a year and a half old topic but it's the only topic I've found through a quick Google search doing exactly what I'm looking for...

What you should do in cases such as this (instead of resurrecting dead threads) is to use a link to reference the thread in question. I've gone ahead and moved your post into a new thread of its own.

Quote:

Here's the deal,

This works great when just denying the domain ACL - but it is blocked for everyone. When I try to add the client ACL, it no longer works at all.

Here is my exact code

Code:

acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl bad_kid1 src 192.168.34.82
http_access deny bad_kid1 bad_url

I've also tried it like

Code:

acl sucky_urls dstdomain .microsoft.com .sco.com .doubleclick.com

but the results are the same.

Any help is much appreciated.

Thanks.

Try using 192.168.34.82/32 (or 192.168.34.82/255.255.255.255) instead.

bslag · 05-09-2008, 10:54 AM

Thanks, will give the /32 a try here in a bit.

I had tried using /255.255.255.255 already with effect.

And again, apologies for the resurrection.

bslag · 05-09-2008, 01:04 PM

/32 still produces the same result – or the lack there of.

I've made sure that the "http_access deny bad_kid1 bad_url" is before any other http_access, so I'm at a loss.

win32sux · 05-10-2008, 05:04 AM

Quote:

Originally Posted by bslag

/32 still produces the same result – or the lack there of.

I've made sure that the "http_access deny bad_kid1 bad_url" is before any other http_access, so I'm at a loss.

Me too. I mean, your ACLs look fine to me. Are you 100% certain that the client at 192.168.34.82 is using the proxy? Does he get affected when you use only the bad_url ACL? Are you sure you are using the right client IP?

bslag · 05-10-2008, 01:00 PM

Yep, I'm positive it's the right IP – I've been testing it on my machine before I actually send it out to someone else. And it definitely works when I only use the bad_url.