LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1 - 02-12-2009, 08:33 AM - knichel (LQ Newbie; registered Nov 2005; Ubuntu)
IPtables - Dansguardian - Squid & Gmail Please help...


Greetings. I am trying to prevent my users from getting to mail.google.com (Gmail). I use Google Apps for my domain so I want them to be able to access mail.google.com/a/mydomain.net.

I have IPTables set to transparently proxy all port 80 traffic. I also have it set to allow all traffic from lo and finally block all port 443 traffic.

If a user wants to get to port 443, they must point to my filter (Dansguardian on port 8080).

I added mail.google.com to my bannedsitelist and added mail.google.com/a/mydomain.net to exceptionurllist. When my users try to go to the latter, they are banned.

I then tried to add mail.google.com and mail.google.com/mail to bannedurllist. When users tried to go to either of them they were blocked unless they used https.

Should I be using squid to block these? If so, an example would be terrific.

Thanks in advance for your assistance.

Mike
 
#2 - 02-12-2009, 11:32 AM - win32sux (LQ Guru; registered Jul 2003; Los Angeles; Ubuntu)
Quote: (post #1 by knichel, above)
An example of doing this in Squid might be:
Code:
acl google_apps_http url_regex -i ^http://mail.google.com/a/mydomain.net
acl google_apps_https url_regex -i ^https://mail.google.com/a/mydomain.net
acl gmail dstdomain .mail.google.com
http_access allow google_apps_https
http_access allow google_apps_http
http_access deny gmail
But I'm not sure it would work in real life.

Try it, and tell us what the log file says if it doesn't work.

EDIT: Please note that since Squid doesn't see an HTTPS URL (only the domain and port), one can't do regular expression matching on it. Therefore, the relevant line above is incorrect.

Last edited by win32sux; 10-07-2009 at 11:48 PM.
 
#3 - 02-12-2009, 12:15 PM - knichel (LQ Newbie; Original Poster)
Thanks. I tried your suggestion, but it did not work. I can still get to https://mail.google.com

Mike

PS Log file has this in it if it helps...
1234456490.410 79 127.0.0.1 TCP_MISS/200 607 GET http://mail.google.com/ - DIRECT/74.125.45.18 text/html
1234456503.915 10134 127.0.0.1 TCP_MISS/200 6028 CONNECT www.google.com:443 - DIRECT/74.125.45.147 -

Last edited by knichel; 02-12-2009 at 12:55 PM.
 
#4 - 02-12-2009, 01:20 PM - win32sux (LQ Guru)
Quote: (post #3 by knichel, above)
That's weird. Looks like mail.google.com is being allowed even though there is an ACL explicitly disallowing it. Could you post your entire squid.conf please? Use a command like this to strip the comments and empty lines:
Code:
cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$
To test whether the problem is being caused by the url_regex ACLs, try with only this chunk:
Code:
acl gmail dstdomain .mail.google.com
http_access deny gmail
BTW, make sure you do this after making any changes to the squid.conf file:
Code:
squid -k reconfigure

Last edited by win32sux; 02-12-2009 at 01:25 PM.
 
#5 - 02-12-2009, 01:58 PM - knichel (LQ Newbie; Original Poster)
Ok, here is my current squid3 config file...

Code:
http_port 127.0.0.1:3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl allowQ3 url_regex -i q3ait.org
acl google_apps_http url_regex -i ^http://mail.google.com/a/q3ait.org
acl google_apps_https url_regex -i ^https://mail.google.com/a/q3ait.org
acl block_google_mail_https url_regex -i ^https://mail.google.com
acl gmail dstdomain .mail.google.com
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow allowQ3
http_access allow google_apps_https
http_access allow google_apps_http
http_access deny block_google_mail_https
http_access deny gmail
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_nets src 192.168.6.0/24
http_access allow our_nets
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid3
I have tried many things... Crazy that over 4000 lines of code for these few lines of actual config... Comments help I guess...

Thanks for the help.

Mike
 
#6 - 02-12-2009, 02:24 PM - win32sux (LQ Guru)
Quote: (post #5 by knichel, above, including the posted squid3 config)
I just tried with your squid.conf file and it works mostly as expected for me. All I changed in your squid.conf was that I added an access_log line in order to log access attempts. The result was:

-> mail.google.com on its own was blocked when accessed with http://mail.google.com or https://mail.google.com

-> http://mail.google.com/a/q3ait.org was allowed

-> https://mail.google.com/a/q3ait.org was denied. Looks like this fails because one gets redirected to the root directory at https://mail.google.com/ (which conflicts with the gmail ACL). Not sure at this point what a workaround for that would be. Regardless, you've got bigger fish to fry right now, as our Squids are behaving differently with the same configurations.

The log for my access looks like:
Code:
1234469873.304      0 127.0.0.1 TCP_DENIED/403 1404 GET http://mail.google.com/ - NONE/- text/html
1234469899.034      0 127.0.0.1 TCP_DENIED/403 1396 CONNECT mail.google.com:443 - NONE/- text/html
1234469912.118    400 127.0.0.1 TCP_MISS/302 1302 GET http://mail.google.com/a/q3ait.org - DIRECT/74.125.19.18 text/html
1234469923.172  11036 127.0.0.1 TCP_MISS/200 8374 CONNECT www.google.com:443 - DIRECT/208.67.217.230 -
1234469923.264  10370 127.0.0.1 TCP_MISS/200 5132 CONNECT www.google.com:443 - DIRECT/208.67.217.231 -
1234469925.753      0 127.0.0.1 TCP_DENIED/403 1396 CONNECT mail.google.com:443 - NONE/- text/html
The last line corresponds to the failed attempt to access https://mail.google.com/a/q3ait.org.

Last edited by win32sux; 02-12-2009 at 02:58 PM.
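Reading the access.log lines above is easier once they are split into fields. The following Python is an added example, not code from the thread or from Squid: it parses Squid's native log format (timestamp, elapsed ms, client, result code/status, bytes, method, URL, ident, hierarchy/peer, content type), tallies allowed versus denied requests per destination host (any TCP_DENIED entry counts as a denial), and picks out denied CONNECT mail.google.com:443 entries, which is exactly what an attempt to open https://mail.google.com, or the /a/q3ait.org redirect to it, looks like from the proxy. The sample input is the six log lines win32sux posted, embedded here as constructed test data; the per-host summary and the detector are my additions.

```python
"""Parse Squid native-format access.log lines and tally allow/deny per host.
Added illustration for this thread, not Squid's own code."""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Native format: time elapsed client code/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:]+)(?::(\d+))?(/.*)?$", re.I)

# Sample input: the log lines quoted in post #6 of the thread.
SAMPLE_LOG = """\
1234469873.304      0 127.0.0.1 TCP_DENIED/403 1404 GET http://mail.google.com/ - NONE/- text/html
1234469899.034      0 127.0.0.1 TCP_DENIED/403 1396 CONNECT mail.google.com:443 - NONE/- text/html
1234469912.118    400 127.0.0.1 TCP_MISS/302 1302 GET http://mail.google.com/a/q3ait.org - DIRECT/74.125.19.18 text/html
1234469923.172  11036 127.0.0.1 TCP_MISS/200 8374 CONNECT www.google.com:443 - DIRECT/208.67.217.230 -
1234469923.264  10370 127.0.0.1 TCP_MISS/200 5132 CONNECT www.google.com:443 - DIRECT/208.67.217.231 -
1234469925.753      0 127.0.0.1 TCP_DENIED/403 1396 CONNECT mail.google.com:443 - NONE/- text/html
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Return one record per log line, or None if the line is not native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "time": datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc),
        "elapsed_ms": int(d["elapsed"]),
        "client": d["client"],
        "code": d["code"],
        "status": int(d["status"]),
        "method": d["method"],
        "url": d["url"],
        "peer": None if d["peer"] == "-" else d["peer"],
        "denied": d["code"] == "TCP_DENIED",
    }
    if d["method"] == "CONNECT":
        # Tunnel request: Squid logs only host:port. The path inside the TLS
        # session is never visible, so nothing after the port can be filtered on.
        host, _, port = d["url"].partition(":")
        rec.update(host=host.lower(), port=int(port or 443), path=None)
    else:
        u = URL_RE.match(d["url"])
        if u:
            rec.update(host=u.group(1).lower(), port=int(u.group(2) or 80),
                       path=u.group(3) or "/")
        else:
            rec.update(host=d["url"], port=None, path=None)
    return rec


def summarize(lines: List[str]) -> Dict:
    """Count allowed/denied requests per destination host and list the times of
    denied CONNECT mail.google.com:443 entries (blocked HTTPS attempts to Gmail)."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    by_host = Counter((r["host"], "denied" if r["denied"] else "allowed") for r in recs)
    gmail_tls = [r["time"] for r in recs
                 if r["method"] == "CONNECT" and r["host"] == "mail.google.com" and r["denied"]]
    return {"records": len(recs), "by_host": by_host, "gmail_https_denied": gmail_tls}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (host, verdict), n in sorted(s["by_host"].items()):
        print(f"{host:20} {verdict:8} {n}")
    for t in s["gmail_https_denied"]:
        print("denied HTTPS to mail.google.com at", t.isoformat())
```

On the posted sample this reports three denials and one allowed 302 for mail.google.com, two allowed tunnels to www.google.com:443, and two denied HTTPS attempts to mail.google.com; the second of those is the /a/q3ait.org attempt, which the log can only show as CONNECT mail.google.com:443.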
 
#7 - 02-12-2009, 02:37 PM - win32sux (LQ Guru)
Quote: (win32sux, post #6 above)
https://mail.google.com/a/q3ait.org was denied. Looks like this fails because one gets redirected to the root directory at https://mail.google.com/ (which conflicts with the gmail ACL). Not sure at this point what a workaround for that would be.
Okay I seem to have found a workaround for this.

Basically, just use "www" instead of "mail" when accessing your app. So the whole thing could look like:
Code:
acl google_apps_http url_regex -i ^http://www.google.com/a/q3ait.org
acl google_apps_https url_regex -i ^https://www.google.com/a/q3ait.org
acl gmail dstdomain .mail.google.com
http_access allow google_apps_http
http_access allow google_apps_https
http_access deny gmail
EDIT: Please note that since Squid doesn't see an HTTPS URL (only the domain and port), one can't do regular expression matching on it. Therefore, the relevant line above is incorrect.

Last edited by win32sux; 10-07-2009 at 11:49 PM.
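The outcomes win32sux reports in posts #2, #6 and #7 all follow from two Squid rules: http_access lines are checked top to bottom and the first line whose ACLs all match decides (if none matches, the default is the opposite of the last line), and an HTTPS request reaches the proxy as CONNECT host:port, so a url_regex written against https://... can never match. The Python below is an added example, not code from the thread or from Squid. It models those rules and replays the post #7 ACLs (regex dots escaped, which the original patterns did not do), followed by the our_nets allow and final deny all from the posted squid.conf, against the URLs tested in the thread. It assumes that Squid presents a CONNECT request to url_regex as host:port, the same form that appears in the access.log lines above, and that 192.168.6.10 stands in for a LAN client.

```python
"""Model of Squid http_access evaluation for the configuration in this thread.
Added illustration, not Squid's code. Two rules drive every result:
  1. http_access lines are checked top to bottom; the first line whose ACLs all
     match decides, and if none matches the default is the opposite of the last line.
  2. An HTTPS request arrives as 'CONNECT host:port', so the only URL string
     url_regex can see is 'host:port'. The https:// scheme and the path never arrive.
Assumption: url_regex is matched against 'host:port' for CONNECT requests."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    host: str
    port: int
    url: str  # the string url_regex is matched against


def browser_request(url: str) -> Request:
    """Turn a URL typed into a browser into the request a proxy receives."""
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?(/.*)?$", url, re.I)
    if not m:
        raise ValueError(f"unsupported URL: {url}")
    scheme, host, port, path = m.groups()
    host = host.lower()
    if scheme.lower() == "https":
        port = int(port or 443)
        return Request("CONNECT", host, port, f"{host}:{port}")  # path is discarded here
    return Request("GET", host, int(port or 80), f"http://{host}{path or '/'}")


Acl = Tuple[str, List[str]]  # (acl type, arguments)


def acl_matches(acl: Acl, req: Request, client: str) -> bool:
    kind, args = acl
    if kind == "dstdomain":
        # '.example.com' matches example.com and every subdomain; no leading dot = exact host
        return any(req.host == a.lstrip(".") or (a.startswith(".") and req.host.endswith(a))
                   for a in args)
    if kind == "url_regex":
        icase = args[:1] == ["-i"]
        patterns = args[1:] if icase else args
        return any(re.search(p, req.url, re.I if icase else 0) for p in patterns)
    if kind == "src":
        return any(ipaddress.ip_address(client) in ipaddress.ip_network(a, strict=False)
                   for a in args)
    if kind == "method":
        return req.method in [a.upper() for a in args]
    if kind == "port":
        return req.port in [int(a) for a in args]
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules: List[Tuple[str, List[str]]], acls: Dict[str, Acl],
                req: Request, client: str) -> Tuple[str, str]:
    """Return (action, reason) from the first http_access line whose terms all match."""
    for n, (action, terms) in enumerate(rules, 1):
        # a term may be negated with '!', as in 'deny CONNECT !SSL_ports'
        if all(acl_matches(acls[t.lstrip("!")], req, client) != t.startswith("!")
               for t in terms):
            return action, f"line {n}"
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "default"


# Post #7 ACLs (dots escaped), then the LAN allow and final deny from the posted
# squid.conf. The Safe_ports and manager lines are left out as not relevant here.
ACLS: Dict[str, Acl] = {
    "google_apps_http":  ("url_regex", ["-i", r"^http://www\.google\.com/a/q3ait\.org"]),
    "google_apps_https": ("url_regex", ["-i", r"^https://www\.google\.com/a/q3ait\.org"]),
    "gmail":             ("dstdomain", [".mail.google.com"]),
    "our_nets":          ("src", ["192.168.6.0/24"]),
    "all":               ("src", ["0.0.0.0/0"]),
}
RULES = [
    ("allow", ["google_apps_http"]),
    ("allow", ["google_apps_https"]),  # dead line: no request ever carries 'https://...'
    ("deny",  ["gmail"]),
    ("allow", ["our_nets"]),
    ("deny",  ["all"]),
]


def decide(url: str, client: str = "192.168.6.10") -> Tuple[str, str]:
    """Decision for a URL opened in a browser; the LAN client address is an assumption."""
    return http_access(RULES, ACLS, browser_request(url), client)


if __name__ == "__main__":
    for u in ["http://mail.google.com/", "https://mail.google.com/",
              "http://www.google.com/a/q3ait.org", "https://www.google.com/a/q3ait.org",
              "https://mail.google.com/a/q3ait.org"]:
        req = browser_request(u)
        print(f"{u:40} -> {req.method} {req.url:25} {decide(u)}")
```

Running it shows why the www workaround passes: https://www.google.com/a/q3ait.org is not allowed by the google_apps_https line (that line never fires) but falls through to our_nets, because CONNECT www.google.com:443 is not covered by the gmail ACL. The same mechanism explains the post #6 failure: https://mail.google.com/a/q3ait.org is CONNECT mail.google.com:443, and the gmail dstdomain line denies it before any path could be known. The flip side is that anything else served through www.google.com:443 is reachable too, so this is a usability workaround rather than a tight block.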
 
#8 - 02-13-2009, 10:44 AM - knichel (LQ Newbie; Original Poster)
Thank you for the help. Initial testing looks good. This may be it.

I am very grateful.
--
Mike
 
#9 - 02-13-2009, 11:20 AM - knichel (LQ Newbie; Original Poster)
Now I think I have a different problem. When I try to install software (in kubuntu/ubuntu) using apt-get, I get errors...
Code:
Err http://us.archive.ubuntu.com intrepid-updates/main konversation 1.1-0ubuntu2.1
  400 Bad Request [IP: 91.189.88.45 80]
Failed to fetch http://us.archive.ubuntu.com/ubuntu/pool/main/k/konversation/konversation_1.1-0ubuntu2.1_i386.deb  400 Bad Request [IP: 91.189.88.45 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
I wonder if this is because apt is trying to go to an IP?

Any ideas?

--
Mike
 
#10 - 02-13-2009, 11:25 AM - win32sux (LQ Guru)
Quote: (post #9 by knichel, above)
I don't know, although the error message is recommending that you run "apt-get update" to see if it helps. That said, please use a separate thread for this new, unrelated issue.
 
  

