LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   Squid configuration problems - 3.1.4 (http://www.linuxquestions.org/questions/linux-server-73/squid-configuration-problems-3-1-4-a-936560/)

hknoener 03-26-2012 04:52 PM

Squid configuration problems - 3.1.4
 
I'm using squid 3.1.4 here with CentOS 6.

I've adapted a configuration that I found in the internet. It was working, with some warnings every time I've started Squid, but working.

Now some of my blocks are not working well. The users are able to access the internet when they are not suppose to, or some websites that are also blocked. Some sites are being blocked, some not.

I've noticed as well that Squid's clock is different from the time that I have issuing "clock". 12 hours difference. Is that possible?

I'll post here my squid.conf file and the warnings that I receive to see what stupidity I've been doing.

Code:


http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
dns_timeout 10 seconds
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/32
# DISABLED - acl home_network src 192.168.1.0/24
# DISABLED - acl badsites dstdomain -i "/etc/squid/badsites.squid"
acl badsites urlpath_regex -i "/etc/squid/badsites.squid"
acl blockregexurl url_regex -i "/etc/squid/badnames.squid"
# DISABLED - acl office2 urlpath_regex -i "/etc/squid/officehours.squid"
acl office url_regex -i "/etc/squid/officehours.squid"
acl labs_block url_regex -i "/etc/squid/labs_block.squid"
acl down_block urlpath_regex -i "/etc/squid/blockdownloads.squid"
acl p2p_block url_regex -i "/etc/squid/blockdownloads.squid"
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl usage_hours time M T W H F A S 7:00-22:00
acl office_time time M T W H 7:45-17:00
acl office_friday time F 7:45-14:00
acl hslab src 192.168.1.120-192.168.1.139
# acl eslab src 192.168.1.140-192.168.1.170/32
# acl free src 192.168.1.1-192.168.1.7
acl labs src 192.168.1.120-192.168.1.170
acl lab_hours time M T W H 8:00-15:00
acl lab_friday time F 8:00-12:00
# http_access deny office_time office
# http_access deny office_time_friday office
# http_access deny office_time office2
# http_access deny office_time_friday office2
# http_access deny usage_hours p2p_block
# http_access deny hslab lab_hours
# http_access deny hslab lab_hours_friday
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny badsites
http_access deny blockregexurl
http_access deny labs labs_block
http_access deny usage_hours down_block
http_access deny usage_hours p2p_block
http_access deny office office_time
http_access deny office office_friday
http_access deny labs lab_hours
http_access deny labs lab_friday
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl lan src 192.168.1.0/255.255.255.0
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname sda.sdasystem.com
always_direct allow all
coredump_dir /var/spool/squid

All the time that I issue a "squid -k reconfigure" I receive the following Warnings
Code:


2012/03/27 21:35:00| WARNING: (B) '::/0' is a subnetwork of (A) '::/0'
2012/03/27 21:35:00| WARNING: because of this '::/0' is ignored to keep splay tree searching predictable
2012/03/27 21:35:00| WARNING: You should probably remove '::/0' from the ACL named 'all'
2012/03/27 21:35:00| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/03/27 21:35:00| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/03/27 21:35:00| WARNING: For now we will assume you meant to write /32
2012/03/27 21:35:00| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/03/27 21:35:00| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/03/27 21:35:00| WARNING: For now we will assume you meant to write /24

Working ACLs (as far as I've noticed here):

acl badsites urlpath_regex -i "/etc/squid/badsites.squid"
acl blockregexurl url_regex -i "/etc/squid/badnames.squid"
acl down_block urlpath_regex -i "/etc/squid/blockdownloads.squid"

Thanks in advance for any help.


All times are GMT -5. The time now is 06:27 AM.