
mohantorvalds 01-08-2009 04:06 AM

squid 2.6 not blocking sites even i entered ACL to block sites

I configured the proxy initially without blocking any sites. Then I planned to block some sites. I created some ACLs as below, but even so I can't block the sites, and my clients connect to the net only through my proxy.

I'm using the Squid 2.6 stable version on Fedora 8.
#Squid normally listens to port 3128


#Recommended minimum configuration

acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports

http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports

http_access deny CONNECT !SSL_ports


# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed

acl our_networks src #This is my network ip#
http_access allow our_networks

acl badsites dstdomain

acl restricted-sites dstdomain "/usr/local/etc/restricted-sites" # Restricted files present in this location #

acl adult_sites url_regex -i sex adult hack crack casino gambl nude desibaba
acl download_sites dstdomain "/usr/local/etc/download-sites"
acl adult_sites url_regex -i "/usr/local/etc/restricted-domains"
acl denyfiletypes url_regex -i .mp3$ .mpg$ .mpeg$ .mp2$ .avi$ .wmv$ .wma$ .ra$ .rm$ .mid$ .mov$ .asf$ .wav$ .dat$ .qt$ .snd$ .wm$ .asx$ .aiff$ .ogg$ .ram$ .au$ .exe$
acl block dstdomain .xxx*.com .sex*.com .*
# TAG: http_access
# Allowing or Denying access based on defined access lists
# And finally deny all other access to this proxy

http_access allow localhost
http_access deny badsites

http_access deny adult_sites

http_access deny download_sites
http_access deny denyfiletypes
http_access deny block
http_access deny restricted-sites

# And finally deny all other access to this proxy

http_access deny all


#Iptables configuration#

Next, I added the following rules to forward all HTTP requests (coming to port 80) to the Squid server on port 3128:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128


Here "eth0" has IP ----> LAN ---> the Squid proxy is configured on this IP only...

and "eth1" has a static IP ----> Internet

Please, can anyone help me block the sites...

acid_kewpie 01-08-2009 04:17 AM

The allow for our_networks will override everything below it. Move it to the bottom, above the deny all.
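To make the reply concrete for both the question's config and the fix, here is an added Python model (not code from the thread or from Squid itself) of how Squid walks http_access lines: top to bottom, first rule whose ACL terms all match wins, and an allow that matches the client's source address therefore stops any deny placed after it from ever being reached. The network 192.168.1.0/24, the domain .xxx-example.test and the word and file lists are constructed placeholders standing in for the values the poster elided; the two config strings differ only in where `http_access allow our_networks` sits.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Rules are tested top to bottom; the first rule whose ACL terms all match
decides (allow or deny); a rule with a failing term is skipped. Models the
ACL types the thread uses: src (CIDR), dstdomain, url_regex, port, method.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed config fragments (placeholders, not the poster's real values).
ACL_DEFS = r"""
acl all src 0.0.0.0/0
acl our_networks src 192.168.1.0/24
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl adult_sites url_regex -i sex adult casino gambl
acl denyfiletypes url_regex -i \.mp3$ \.avi$ \.exe$
acl block dstdomain .xxx-example.test
"""

# Same ordering as the post: 'allow our_networks' sits above the deny rules.
ORIGINAL_ORDER = ACL_DEFS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny adult_sites
http_access deny denyfiletypes
http_access deny block
http_access deny all
"""

# Ordering from the reply: the allow moved down to just above 'deny all'.
FIXED_ORDER = ACL_DEFS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny adult_sites
http_access deny denyfiletypes
http_access deny block
http_access allow our_networks
http_access deny all
"""


def parse_conf(text):
    """Return ({acl_name: (type, values)}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, typ, values = parts[1], parts[2], parts[3:]
            if typ == "url_regex":
                flags = re.I if values[:1] == ["-i"] else 0
                values = [re.compile(v, flags) for v in values if v != "-i"]
            elif typ == "port":  # '80' -> (80, 80), '1025-65535' -> (1025, 65535)
                values = [tuple(int(x) for x in (v.split("-") * 2)[:2]) for v in values]
            acls.setdefault(name, (typ, []))[1].extend(values)  # repeated acl lines append
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(typ, values, req):
    """Does one ACL match the request dict {src, url, method}?"""
    url = urlsplit(req["url"])
    host = url.hostname or ""
    port = url.port or {"https": 443, "ftp": 21}.get(url.scheme, 80)
    if typ == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if typ == "dstdomain":
        # '.example.test' matches that domain and every subdomain; a bare name matches exactly
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if typ == "url_regex":
        return any(p.search(req["url"]) for p in values)
    if typ == "port":
        return any(lo <= port <= hi for lo, hi in values)
    if typ == "method":
        return req["method"] in values
    raise ValueError(f"acl type {typ!r} not modelled")


def evaluate(conf_text, src, url, method="GET"):
    """Walk the http_access lines in order and return 'allow' or 'deny'."""
    acls, rules = parse_conf(conf_text)
    req = {"src": src, "url": url, "method": method}
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            typ, values = acls[term.lstrip("!")]
            if acl_matches(typ, values, req) == negate:
                break  # this term fails, so the whole rule is skipped
        else:
            return action  # every term matched: first matching rule wins
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for conf_name, conf in ("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER):
        for url in ("http://www.example.test/", "http://www.casino-example.test/",
                    "http://www.example.test/setup.exe"):
            print(f"{conf_name:8} 192.168.1.10 {url:40} {evaluate(conf, '192.168.1.10', url)}")
```

Running it shows the casino URL and the .exe download coming back "allow" under the original ordering and "deny" once the allow line is moved below the deny lines; clients outside our_networks are denied in both, and so are CONNECT requests to non-SSL ports, because those deny rules were already above the allow.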
