LinuxQuestions.org
Old 03-05-2012, 01:11 AM   #16
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled

Quote:
Originally Posted by deep27ak View Post

Code:
acl denied_users src (all the IPs)
acl bad_sites dstdomain .facebook.com .hi5.com .orkut.com
http_access deny CONNECT bad_sites
http_access allow denied_users

create a file in /etc/squid

#vi badsites.acl
.facebook.com
.yahoo.com

acl badsites url_regex "/etc/squid/badsites.acl"
http_access deny badsites
I'm curious about this, and being fairly new to Squid it would be helpful for me to clear something up in my head. I just can't quite understand how this would just block denied_users to bad_sites and not deny everyone access to bad_sites?

In my head that would be:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
acl badsite dstdomain .facebook.com
http_access deny CONNECT denied_users badsite
http_access allow
But I'm probably getting confused in terms of logic ???

Last edited by leslie_jones; 03-05-2012 at 01:12 AM.
 
Old 03-05-2012, 01:17 AM   #17
kanna411988
LQ Newbie
 
Registered: Feb 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
squid configuration file

Could you please check the squid file below once? If possible, modify it and send the file back.
Attached Files
File Type: txt sqdfile.txt (156.1 KB, 4 views)
 
Old 03-05-2012, 02:01 AM   #18
kanna411988
LQ Newbie
 
Registered: Feb 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
Can you check the above squid.conf file, so that if any modification is required, please make it and send it to me.
 
Old 03-05-2012, 02:20 AM   #19
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
Blog Entries: 4

Rep: Reputation: 220
Quote:
Originally Posted by leslie_jones View Post
I'm curious about this, and being fairly new to Squid it would be helpful for me to clear something up in my head. I just can't quite understand how this would just block denied_users to bad_sites and not deny everyone access to bad_sites?

In my head that would be:
Code:
acl denied_users src 172.16.1.50 172.16.1.51
acl badsite dstdomain .facebook.com
http_access deny CONNECT denied_users badsite
http_access allow
But I'm probably getting confused in terms of logic ???
As per this configuration, 172.16.1.50 and 172.16.1.51 won't be allowed to access the internet at all, as you are denying them from doing so.
Code:
http_access deny CONNECT denied_users badsite
As I personally tested on my CentOS 6 workstation. How about you give it a try?
secondly,
Code:
http_access allow
is a wrong syntax...it should be http_access allow all

If you want your settings to work then you need an additional acl

Code:
acl our_network src 172.16.1.50 172.16.1.51
http_access allow our_network
 
2 members found this post helpful.
Old 03-05-2012, 02:24 AM   #20
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
Blog Entries: 4

Rep: Reputation: 220
Quote:
Originally Posted by kanna411988 View Post
Can you check the above squid.conf file, so that if any modification is required, please make it and send it to me.
I am sorry, I won't be able to do that.
I can help you here with troubleshooting but can't do work on your behalf, and I believe this will be better for a newbie as well, to learn.
Insert the following rules in
Code:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl denied_users src 192.168.1.4
acl bad_sites dstdomain .facebook.com .hi5.com .orkut.com
http_access deny CONNECT bad_sites
http_access allow denied_users
Code:
# service squid restart
 
Old 03-05-2012, 02:30 AM   #21
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Quote:
Originally Posted by deep27ak View Post
As per this configuration, 172.16.1.50 and 172.16.1.51 won't be allowed to access the internet at all, as you are denying them from doing so.
Code:
http_access deny CONNECT denied_users badsite
As I personally tested on my CentOS 6 workstation. How about you give it a try?
I did, and it didn't work as intended on my Squid 2.7.STABLE - hence why I asked if it was correct. I only wanted to block 172.16.1.50 & 51 from accessing Facebook - not the entire internet. If I wanted that, surely I'd just do:

Code:
acl denied_users src 172.16.1.50 172.16.1.51
http_access deny denied_users
I'd not need to mention any sites or URLs because I'm blocking the client completely from http.


Quote:
Originally Posted by deep27ak View Post
secondly,
Code:
http_access allow
is a wrong syntax...it should be http_access allow all
Cut and paste typo.

Quote:
Originally Posted by deep27ak View Post
If you want your settings to work then you need an additional acl
Code:
acl our_network src 172.16.1.50 172.16.1.51
http_access allow our_network
Really? At the end of my various other ACL stanzas which explicitly knock out or allow sites, clients and restrict access by time, I've just got a default allow rule which works for us:
Code:
http_access allow all
But I guess there is more than one way to achieve the same result, and I've probably got a typo or something when I paste in your example at the top of my ACLs for testing.

Last edited by leslie_jones; 03-05-2012 at 02:32 AM.
 
Old 03-05-2012, 02:44 AM   #22
kanna411988
LQ Newbie
 
Registered: Feb 2012
Posts: 16

Original Poster
Rep: Reputation: Disabled
I just need it for the purpose of blocking some IP addresses from accessing fb and orkut. In future I will have to increase the IP addresses and websites in the configuration.
 
Old 03-05-2012, 03:41 AM   #23
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Actually deep27ak, the more I dig into this I realise that my ACLs are not doing entirely what I intended as far as Facebook is concerned. I know that squid won't block HTTPS (for obvious reasons), but I seem to be getting unpredictable blocking on the http version by client IP (or MAC). Looks like I've got a job to do this morning.

Glad I read your post or I would never have looked into this. Thanks!
 
Old 03-05-2012, 03:58 AM   #24
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
Blog Entries: 4

Rep: Reputation: 220
Quote:
Originally Posted by leslie_jones View Post
I did, and it didn't work as intended on my Squid 2.7.STABLE - hence why I asked if it was correct. I only wanted to block 172.16.1.50 & 51 from accessing Facebook - not the entire internet. If I wanted that, surely I'd just do:

Code:
acl denied_users src 172.16.1.50 172.16.1.51
http_access deny denied_users
I'd not need to mention any sites or URLs because I'm blocking the client completely from http.
Cut and paste typo.
Really? At the end of my various other ACL stanzas which explicitly knock out or allow sites, clients and restrict access by time, I've just got a default allow rule which works for us:
Code:
http_access allow all
But I guess there is more than one way to achieve the same result, and I've probably got a typo or something when I paste in your example at the top of my ACLs for testing.
Initially, anyhow, you will have to specify the range of networks in which you want your squid to be working, and apart from that, if you want individual authentication as per the IP, then you will have to specify them.

Follow this link for further help
http://www.linuxquestions.org/questi...squid3-917382/

And if you want to block https traffic, have a look at this:
http://www.rahulpahade.com/content/s...over-ssl-https
 
Old 03-05-2012, 03:59 AM   #25
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Confirmed this working on my Squid

Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
One little gotcha - the period . before .facebook.com. I knew it meant 'match subdomain' but I overlooked that 'www' is a subdomain effectively, so to match www.facebook.com, the . period is needed. Where a user tries to circumvent this with http://facebook.com a second rule is needed, so it is best dealt with using lists:

using external lists
Code:
# RESTRICT SITES TO CLIENTS IN EXTERNAL LISTS
acl BAD_CLIENTS src "/etc/squid/bad_clients"
acl BAD_SITES dstdomain "/etc/squid/bad_sites"
http_access deny BAD_CLIENTS BAD_SITES
/etc/squid/bad_clients
Code:
172.16.1.10
172.16.1.11
/etc/squid/bad_sites
Code:
.facebook.com
facebook.com
That is confirmed working on my SQUID Version 2.7.STABLE7. I know there are some syntax differences in V3. By any chance is Cent6 using V3?
 
1 members found this post helpful.
Old 03-05-2012, 04:16 AM   #26
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
Blog Entries: 4

Rep: Reputation: 220
Quote:
Originally Posted by kanna411988 View Post
I just need it for the purpose of blocking some IP addresses from accessing fb and orkut. In future I will have to increase the IP addresses and websites in the configuration.
I think you got your answer in reply #25 from leslie_jones
 
Old 03-05-2012, 04:48 AM   #27
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
Blog Entries: 4

Rep: Reputation: 220
Quote:
Originally Posted by leslie_jones View Post
That is confirmed working on my SQUID Version 2.7.STABLE7. I know there are some syntax differences in V3. By any chance is Cent6 using V3?
Yes, in CentOS 6 also squid 3 is used
Code:
# rpm -qa | grep squid
squid-3.1.10-1.el6_2.2.i686
I am not very sure about this one
Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
Here you are denying 172.16.1.57 access to the internet using squid. So are you sure this IP is able to access other sites?
 
Old 03-05-2012, 05:12 AM   #28
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Quote:
Originally Posted by deep27ak View Post
I am not very sure about this one
Code:
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
Here you are denying 172.16.1.57 access to the internet using squid. So are you sure this IP is able to access other sites?
Yes. It blocks www.facebook.com to 172.16.1.57, but the client can access any other site.

EDIT: but I can't tell you what it will do in SQUID 3 - that is a law unto itself!

Last edited by leslie_jones; 03-05-2012 at 05:13 AM.
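
Added example (not part of any post in this thread): a simplified Python model of how Squid evaluates http_access lines, run over the rule sets from posts #20 and #25 to show which requests each one allows or denies. The built-in `all` and `CONNECT` ACLs, the trailing `allow all` taken from post #21, and exact-address `src` matching are assumptions of the model.

```python
# Simplified model of Squid's http_access evaluation (added example, not Squid code).
POST_20 = """
acl denied_users src 192.168.1.4
acl bad_sites dstdomain .facebook.com .hi5.com .orkut.com
http_access deny CONNECT bad_sites
http_access allow denied_users
"""
POST_25 = """
acl BAD_CLIENTS src 172.16.1.57
acl BAD_SITES dstdomain .facebook.com
http_access deny BAD_CLIENTS BAD_SITES
http_access allow all    # assumption: the default allow rule mentioned in post #21
"""

def parse(conf):
    # 'all' and 'CONNECT' stand in for the ACLs a stock squid.conf already provides.
    acls = {"all": ("all", []), "CONNECT": ("method", ["CONNECT"])}
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, src, method, host):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":                      # exact addresses only, no CIDR
        return src in values
    if kind == "method":
        return method in values
    if kind == "dstdomain":                # leading dot also covers subdomains
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, src, method, host):
    acls, rules = parse(conf)
    for action, names in rules:
        # ACLs on one http_access line are ANDed; the first matching line wins.
        if all(acl_matches(acls[n], src, method, host) for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule (deny if none).
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    for src in ("172.16.1.57", "172.16.1.10"):
        for host in ("www.facebook.com", "example.org"):
            print("post #25", src, host, "->", decide(POST_25, src, "GET", host))
```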
 
  



Tags
proxy, squid

