Squid Error while blocking sites

winxandlinx · 06-23-2006, 03:11 AM

Hi Everyone

I am using redhat 9 ,i am trying to block

google.com in the squid i done it after that when i am

restarting the squid ,i am getting the error like

[root@kmglinux squid]# service squid restart
Stopping squid: 2006/06/23 13:02:11| squid.conf line 1738: acl rider google.com
2006/06/23 13:02:11| aclParseAclLine: Invalid ACL type 'google.com'
2006/06/23 13:02:11| squid.conf line 1744: http_access deny rider
2006/06/23 13:02:11| aclParseAccessLine: ACL name 'rider' not found.
2006/06/23 13:02:11| squid.conf line 1744: http_access deny rider
2006/06/23 13:02:11| aclParseAccessLine: Access line contains no ACL's, skipping
[ OK ]
Starting squid: . [ OK ]

This is the squid where i made changes

acl our_networks src 10.159.207.0/24
acl rider google.com

http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny rider

Helping this issue will be very much appriciated

Thanks & Regards
winxandlinx

prozac · 06-23-2006, 03:54 AM

@squid.conf
Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line

where is your acltype?
you will need something like "url_regex -i" in front of google.com.

winxandlinx · 06-23-2006, 04:12 AM

Can you somewhat briefly

i cannot able to understand since i am new to linux

can you directly tell me the code

i mean is acl name is rider and site to block is google.com

You can directly give me the code for this issue

Thanks & Regards
winxandlinx

prozac · 06-23-2006, 04:16 AM

Code:

acl rider url_regex -i google.com

instead of

Quote:

acl rider google.com

as in

Quote:

acl our_networks src 10.159.207.0/24 where

acl=acl
aclname=our_networks
acltype=src
string1=10.159.207.0/24

got it?

Notwerk · 06-24-2006, 02:24 AM

A suggestion:
Create a file /etc/squid/blocked_domains which would contain a list of all the domains you want to block each on a separate line. Which would look something like this:

Code:

#touch /etc/squid/blocked_domains
#vi /etc/squid/blocked_domains
xxx
.sex.com
.google.com

Then chown the file to root.squid and chmod it to 640

Code:

#chown root.squid /etc/squid/blocked_domains
#chmod 640 /etc/squid/blocked_domains

Finally, add this acl:

Code:

acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS

This way you can manage the blocked domains using the the file /etc/squid/blocked_domains without revisitng the squid settings.

REMEMBER to reload squid if you make changes to the file

Code:

#/etc/init.d/squid reload

One more IMPORTANT note:
Squid processes your rules in sequential order, so using:

Code:

acl OUR_NETWORKS src 10.159.207.0/24
http_access allow OUR_NETOWRKS

acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS

will allow all machines on the 10.159.207.0/24 network unrestricted access, since the deny rule will not be tested for any hosts coming from the defined network.
As a general rule, you should put all your DENY rules BEFORE any ALLOW rules, then check the order of each group to insure they are being enforced correctly.

Hope this was useful

winxandlinx · 06-28-2006, 02:10 AM

Yes i did but its not working

i dont know where i went wrong may be

yes just have a look at the code

Here my squid.conf file

acl our_networks src 10.159.207.0/24

http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS

my blocked_domains file here

[root@kmglinux squid]# vi blocked_domains
www.google.com
.google.com

~
You will be very much appriciated if any one help out of this issue

Thanks & Regards
winxandlinx

prozac · 06-28-2006, 05:34 AM

instead of this,

Code:

acl our_networks src 10.159.207.0/24

http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS

I think it should be like this

Code:

# And finally deny all other access to this proxy
http_access allow localhost
acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS
http_access allow our_networks

winxandlinx · 06-28-2006, 06:31 AM

Still its not working

now my squid.conf file is

# And finally deny all other access to this proxy
And finally deny all other access to this proxy
http_access allow localhost
acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS
http_access allow our_networks
acl our_networks src 10.159.207.0/24

and after saving this i had restared the squid

so i am getting the error

[root@kmglinux squid]# service squid restart
Stopping squid: 2006/06/28 17:01:25| parseConfigFile: line 1736 unrecognized: 'And finally deny all other access to this proxy'
2006/06/28 17:01:25| squid.conf line 1740: http_access allow our_networks
2006/06/28 17:01:25| aclParseAccessLine: ACL name 'our_networks' not found.
2006/06/28 17:01:25| squid.conf line 1740: http_access allow our_networks
2006/06/28 17:01:25| aclParseAccessLine: Access line contains no ACL's, skipping

prozac · 06-28-2006, 06:37 AM

oh! sorry! but did you just copy/paste? comon' get a lil' bit smart. i missed this and so did you:

Quote:

acl our_networks src 10.159.207.0/24

since our_networks have not been defined with acl you are getting that error:

new code:

Code:

# And finally deny all other access to this proxy
acl our_networks src 10.159.207.0/24
http_access allow localhost
acl BLOCKED_DOMAINS dstdom_regex -i "/etc/squid/blocked_domains"
http_access deny BLOCKED_DOMAINS
http_access allow our_networks

prozac · 06-28-2006, 06:39 AM

also delete this line or comment it:

Quote:

And finally deny all other access to this proxy

winxandlinx · 06-28-2006, 07:44 AM

This time i did not get any error

But the blocking site rule is not working

That is i can able to access the site google.com

By the rule i should not able to get the access

Even if you have squid.conf file just give me

which also helps me

Even if you are in online you can give me your chat id also '

if you are interested

Thanks for your replay

and still waithing for thge solutions

prozac · 06-28-2006, 09:35 AM

DO NOT COPY/PASTE. Instead read it and follow it.

Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
#your network, replace x.x.x.x/x.x.x.x with your own network address
acl your_network_name_here src x.x.x.x/x.x.x.x

### Deny some specific ip's known for mischief
acl DENY1 src x.x.x.x 
http_access deny DENY1

#### Allow everything to some people
acl privileged_user src x.x.x.x/x
http_access allow privileged_user

############################# RULES ############################3
## GAMES ::
acl GAMES url_regex -i .candystand.com.* .miniclip.com.* .shockwave.com .e-messenger.net .msn2go.com
http_access deny GAMES

## to deny certain website at business hours
acl WEB url_regex -i .*google.com.*
acl business_hours time S M T W H F 8:30-18:30
http_access allow your_network_name_here WEB
http_access deny WEB business_hours

### To Block downloading ###
acl extndeny url_regex -i "/etc/squid/denied_ext"
acl download method GET

#allow user_X to download
http_access allow user_X extndeny
http_access deny denied_ext download
http_access deny extndeny

# Banned sites and Services
acl bad_ip dst "/etc/squid/banned_ip.txt"
acl bad_domains dstdomain "/etc/squid/banned_domain.txt"

http_access deny bad_ip your_network_name_here
http_access deny bad_domains your_network_name_here

..

winxandlinx · 06-29-2006, 03:53 AM

Can You give me any full sample file

Because sometime the error is happening due to inserting the line may be at not

exact place

winxandlinx · 06-29-2006, 03:56 AM

Just give me code with the following details

my local ips are 10.160.56/0 whole network

and i want to block google.com

If you can give me a code for this issue then it will be very much appricated

prozac · 06-29-2006, 04:09 AM

#12 is your best bet, take it or leave it.