03-05-2012, 12:11 AM
|
#16
|
|
Member
Registered: Sep 2011
Posts: 130
Rep: 
|
Quote:
Originally Posted by deep27ak
Code:
acl denied_users src (all the IPs)
acl bad_sites dstdomain .facebook.com .hi5.com .orkut.com
http_access deny CONNECT bad_sites
http_access allow denied_users
create a file in /etc/squid
#vi badsites.acl
.facebook.com
.yahoo.com
acl badsites url_regex "/etc/squid/badsites.acl"
http_access deny badsites
|
I'm curious about this, and being fairly new to Squid it would be helpful for me to clear something up in my head. I just can't quite understand how this would just block denied_users to bad_sites and not deny everyone access to bad_sites?
In my head that would be:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
acl badsite dstdomain .facebook.com
http_access deny CONNECT denied_users badsite
http_access allow
But I'm probably getting confused in terms of logic ???
Last edited by leslie_jones; 03-05-2012 at 12:12 AM.
|
|
|
|
|
|
03-05-2012, 12:17 AM
|
#17
|
|
LQ Newbie
Registered: Feb 2012
Posts: 14
Original Poster
Rep: 
|
squid configuration file
Could you please check the squid file below once? If possible, modify it and send the file back.
|
|
|
|
03-05-2012, 01:01 AM
|
#18
|
|
LQ Newbie
Registered: Feb 2012
Posts: 14
Original Poster
Rep: 
|
Can you check the above squid.conf file, so that if any modification is required, please make it and send it to me.
|
|
|
|
03-05-2012, 01:20 AM
|
#19
|
|
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,163
|
Quote:
Originally Posted by leslie_jones
I'm curious about this, and being fairly new to Squid it would be helpful for me to clear something up in my head. I just can't quite understand how this would just block denied_users to bad_sites and not deny everyone access to bad_sites?
In my head that would be:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
acl badsite dstdomain .facebook.com
http_access deny CONNECT denied_users badsite
http_access allow
But I'm probably getting confused in terms of logic ???
|
As per this configuration, 172.16.1.50 and 172.16.1.51 won't be allowed to access the internet at all, as you are denying them from doing so.
Code:
http_access deny CONNECT denied_users badsite
As I personally tested on my centos 6 workstation. How about you give a try 
secondly,
is a wrong syntax...it should be http_access allow all
If you want your settings to work then you need an additional acl
Code:
acl our_network src 172.16.1.50 172.16.1.51
http_access allow our_network
|
|
|
2 members found this post helpful.
|
03-05-2012, 01:24 AM
|
#20
|
|
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,163
|
Quote:
Originally Posted by kanna411988
Can you check the above squid.conf file, so that if any modification is required, please make it and send it to me.
|
I am sorry I won't be able to do that
I can help you here with troubleshooting but can't do work on your behalf and I believe this will be better for a newbie as well to learn. 
Insert the following rules in
Code:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl denied_users src 192.168.1.4
acl bad_sites dstdomain .facebook.com .hi5.com .orkut.com
http_access deny CONNECT bad_sites
http_access allow denied_users
Code:
#service squid restart
|
|
|
|
03-05-2012, 01:30 AM
|
#21
|
|
Member
Registered: Sep 2011
Posts: 130
Rep: 
|
Quote:
Originally Posted by deep27ak
As per this configuration, 172.16.1.50 and 172.16.1.51 won't be allowed to access the internet at all, as you are denying them from doing so.
Code:
http_access deny CONNECT denied_users badsite
As I personally tested on my centos 6 workstation. How about you give a try 
|
I did, and it didn't work as intended on my Squid 2.7.STABLE - hence why I asked if it was correct. I only wanted to block 172.16.1.50 & 51 from accessing Facebook - not the entire internet. If I wanted that, surely I'd just do:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
http_access deny denied_users
I'd not need to mention any sites or URL's because I'm blocking the client completely from http.
Quote:
Originally Posted by deep27ak
secondly,
is a wrong syntax...it should be http_access allow all
|
Cut and paste typo.
Quote:
Originally Posted by deep27ak
If you want your settings to work then you need an additional acl
Code:
acl our_network src 172.16.1.50 172.16.1.51
http_access allow our_network
|
Really? At the end of my various other ACL stanza's which explicitly knock out or allow sites, clients and restrict access by time I've just got a default allow rule which works for us:
Code:
http_access allow all
But I guess there is more than one way to achieve the same result, and I've probably got a typo or something when I paste in your example at the top of my acl's for testing.
Last edited by leslie_jones; 03-05-2012 at 01:32 AM.
|
|
|
|
03-05-2012, 01:44 AM
|
#22
|
|
LQ Newbie
Registered: Feb 2012
Posts: 14
Original Poster
Rep: 
|
I just need the purpose of blocking some IP addresses from accessing fb and orkut. In future I have to increase the IP addresses and websites in the configuration.
|
|
|
|
03-05-2012, 02:41 AM
|
#23
|
|
Member
Registered: Sep 2011
Posts: 130
Rep: 
|
Actually deep27ak, the more I dig into this I realise that my ACL's are not doing entirely what I intended as far as Facebook is concerned. I know that squid won't block HTTPS (for obvious reasons), but I seem to be getting unpredictable blocking on the http version by client IP (or mac). Looks like I've got a job to do this morning.
Glad I read your post or I would never have looked into this. Thanks!
|
|
|
|
03-05-2012, 02:58 AM
|
#24
|
|
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,163
|
Quote:
Originally Posted by leslie_jones
I did, and it didn't work as intended on my Squid 2.7.STABLE - hence why I asked if it was correct. I only wanted to block 172.16.1.50 & 51 from accessing Facebook - not the entire internet. If I wanted that, surely I'd just do:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
http_access deny denied_users
I'd not need to mention any sites or URL's because I'm blocking the client completely from http.
Cut and paste typo.
Really? At the end of my various other ACL stanza's which explicitly knock out or allow sites, clients and restrict access by time I've just got a default allow rule which works for us:
Code:
http_access allow all
But I guess there is more than one way to achieve the same result, and I've probably got a typo or something when I paste in your example at the top of my acl's for testing.
|
Initially, anyhow, you will have to specify the range of networks in which you want your Squid to be working, and apart from that, if you want individual authentication as per the IP, then you will have to specify them.
Follow this link for further help
http://www.linuxquestions.org/questi...squid3-917382/
and if you want to block https traffic have a look at this
http://www.rahulpahade.com/content/s...over-ssl-https
|
|
|
|
03-05-2012, 02:59 AM
|
#25
|
|
Member
Registered: Sep 2011
Posts: 130
Rep: 
|
Confirmed this working on my Squid
Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
One little gotcha - the period . before .facebook.com. I knew it meant 'match subdomain' but I overlooked that 'www' is a subdomain effectively, so to match www.facebook.com, the . period is needed. Where a user tries to circumvent this with http://facebook.com a second rule is needed, so it is best dealt with using lists:
using external lists
Code:
# RESTRICT SITES TO CLIENTS IN EXTERNAL LISTS
acl BAD_CLIENTS src "/etc/squid/bad_clients"
acl BAD_SITES dstdomain "/etc/squid/bad_sites"
http_access deny BAD_CLIENTS BAD_SITES
/etc/squid/bad_clients
Code:
172.16.1.10
172.16.1.11
/etc/squid/bad_sites
Code:
.facebook.com
facebook.com
That is confirmed working on my SQUID Version 2.7.STABLE7. I know there are some syntax differences in V3. By any chance is Cent6 using V3?
|
|
|
1 members found this post helpful.
|
03-05-2012, 03:16 AM
|
#26
|
|
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,163
|
Quote:
Originally Posted by kanna411988
I just need the purpose of blocking some IP addresses from accessing fb and orkut. In future I have to increase the IP addresses and websites in the configuration.
|
I think you got your answer in reply #25 from leslie_jones
|
|
|
|
03-05-2012, 03:48 AM
|
#27
|
|
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,163
|
Quote:
Originally Posted by leslie_jones
That is confirmed working on my SQUID Version 2.7.STABLE7. I know there are some syntax differences in V3. By any chance is Cent6 using V3?
|
Yes in centos 6 also squid 3 is used
Code:
# rpm -qa | grep squid
squid-3.1.10-1.el6_2.2.i686
I am not very sure about this one
Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
Here you are denying 172.16.1.57 access to the internet through Squid. So are you sure this IP is able to access other sites?
|
|
|
|
03-05-2012, 04:12 AM
|
#28
|
|
Member
Registered: Sep 2011
Posts: 130
Rep: 
|
Quote:
Originally Posted by deep27ak
I am not very sure about this one
Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
Here you are denying 172.16.1.57 access to the internet through Squid. So are you sure this IP is able to access other sites?
|
Yes. It blocks www.facebook.com to 172.16.1.57, but the client can access any other site.
EDIT: but I can't tell you what it will do in SQUID 3 - that is a law unto itself!
Last edited by leslie_jones; 03-05-2012 at 04:13 AM.
|
|
|
|
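Added example, not part of any post in this thread and not Squid's own code: a simplified Python model of how `http_access` lines are evaluated (ACL names on one line are ANDed, the first fully matching line decides), applied to the rule variants discussed above. The ACL names, the trailing `allow all`, and the leading-dot matching behaviour are assumptions of this model.

```python
# Added example: simplified model of Squid http_access evaluation (not Squid code).
from ipaddress import ip_address, ip_network

def dstdomain_match(host, patterns):
    # Model assumption: ".example.com" matches the domain and its subdomains;
    # a name without the leading dot matches that exact host only.
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
        if host == p:
            return True
    return False

def acl_match(acl, req):
    kind, values = acl
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(v) for v in values)
    if kind == "dstdomain":
        return dstdomain_match(req["host"], values)
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported ACL type: {kind}")

def http_access(acls, rules, src, method, host):
    """Return 'allow' or 'deny' for one request against an ordered rule list."""
    req = {"src": src, "method": method, "host": host}
    for action, names in rules:
        # ACL names on one http_access line are ANDed; the first full match wins.
        if all(acl_match(acls[n], req) for n in names):
            return action
    # Nothing matched: the result is the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed ACLs and rule sets based on the snippets in the thread.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "CONNECT": ("method", ["CONNECT"]),
    "BAD_CLIENTS": ("src", ["172.16.1.57"]),
    "BAD_SITES": ("dstdomain", [".facebook.com"]),
}
# Post #25 rule followed by a default allow (the trailing allow is an assumption).
CLIENT_AND_SITE = [("deny", ["BAD_CLIENTS", "BAD_SITES"]), ("allow", ["all"])]
# Same rule with CONNECT added: it now applies to CONNECT requests only.
WITH_CONNECT = [("deny", ["CONNECT", "BAD_CLIENTS", "BAD_SITES"]), ("allow", ["all"])]
# The two quoted lines in isolation: deny CONNECT to the sites, allow the listed client.
QUOTED_PAIR = [("deny", ["CONNECT", "BAD_SITES"]), ("allow", ["BAD_CLIENTS"])]
```

Calling `http_access(ACLS, WITH_CONNECT, "172.16.1.57", "GET", "www.facebook.com")` returns `allow`, because the deny line also requires the CONNECT method to match; the real squid.conf will have further lines before and after these that the model does not include.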