unable to block https in squid
Greetings to All,
I want to set up an acl that will prevent access to limited websites, but I am having an issue with https://. I tried https://facebook.com and it opened, the same with gmail or orkut. Here is my acl:
Code:
##Clients those are allowed to surf
Regards Net_Spy
yes you need to block https...
acl secure proto https
http_access deny securehttp
@Net_spy: Are you trying to deny access to all https or just a few select hosts over https?
Thanks for your response, but it does not work for me. I can still access https://www.facebook.com or other such websites. Well, I want to block websites like facebook, orkut, gmail; these are the websites that open with https as well.
Regards Net_Spy
Something like this might do:
Code:
acl CONNECT method CONNECT
Keep in mind that in the access control entries I posted above, dst will tell squid to resolve the hostnames to IP addresses at parse time. This means that if e.g. facebook or orkut should change IP info, squid will not know about the change.
-------
edit: I was just doing some experimenting -- see if this works as well:
Code:
acl CONNECT method CONNECT
Well, that does not work either. Have you checked that rule yourself? Hope it will be resolved soon.
Regards Net_Spy
I tested both options with squid 3.0.STABLE18, and both worked OK.
Post the acl-related entries from your squid.conf here. (Use code tags, please.)
Net_Spy, using dstdomain works for domains accessed with either HTTP or HTTPS. You should make sure you don't have some other ACL granting access. It's hard for us to tell what's going on since we don't have a complete view of the relevant section of your squid.conf. Also, keep in mind that stuff like this won't work for HTTPS:
Quote:
Following are the only acls that I'm using. Besides that, I've the safe port acl and virusport ssl, that's it. I've changed url_regex to dstdomain, but still the same. I don't know what is wrong.
Code:
acl SSL_ports port 443 8443 563 8383 2095
Regards Net_Spy
I don't see any of our suggestions in your squid.conf.
anomie, I've tried those suggestions as well but they didn't work for me. This is the acl part of my squid.conf:
Code:
###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT
acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com
## Following rule will allow only those sites which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
## allow access to supervisors
http_access allow flr-mgr
http_access deny httpsfail
http_access deny CONNECT
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook
## This pattern will be applied for all clients
#http_access deny youtube1
## This rule will block youtube for all clients
#http_access deny all
Regards Net_Spy
Try like this instead:
Code:
###########################################
Quote:
Code:
acl totalfail dstdomain .facebook.com
I've tried that as well but I can still access it using https://www.facebook.com, or gmail or orkut. My squid version is 2.6.
Regards Net_Spy
You did stick those lines at the top of your file, right? Because otherwise, we'd still have doubts about another ACL granting access. Also, is this Squid running in transparent mode? If so, verify that the clients are configured to use Squid for HTTPS. I've seen many cases in which administrators forgot that only HTTP gets transparently proxied, while HTTPS would be getting SNATed if not filtered. BTW, what does the log file look like when you access, say, Facebook?
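The rule-order concern raised above, as an added example that is not part of the original thread: a simplified Python model of Squid's first-match http_access evaluation, run over the rules posted earlier. The client addresses and the alwurl entry are constructed assumptions, since the thread does not show the files those ACLs load.

```python
# Added illustration: simplified model of Squid's http_access evaluation.
# Client addresses and the alwurl entry are constructed; the thread does not
# show the contents of the files those ACLs load.

def dstdomain(host, patterns):
    """A leading dot matches the domain itself and any subdomain."""
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        if host == p.lstrip(".") or (p.startswith(".") and host.endswith(p)):
            return True
    return False

ACLS = {
    "myclnts":   lambda r: r["src"] in {"192.0.2.10"},               # constructed
    "flr-mgr":   lambda r: r["src"] in {"192.0.2.20"},               # constructed
    "alwurl":    lambda r: dstdomain(r["host"], [".example.org"]),   # constructed
    "CONNECT":   lambda r: r["method"] == "CONNECT",
    "httpsfail": lambda r: dstdomain(r["host"], [".facebook.com", ".orkut.com"]),
}

# http_access lines in the order posted in the thread.
POSTED = [
    ("allow", ["alwurl", "myclnts"]),
    ("deny", ["myclnts"]),
    ("allow", ["flr-mgr"]),
    ("deny", ["httpsfail"]),
    ("deny", ["CONNECT"]),
]
# Same rules with the site block moved to the top.
REORDERED = [POSTED[3]] + POSTED[:3] + POSTED[4:]

def connect(src, target):
    """Build the request Squid sees for an HTTPS site: CONNECT host:port."""
    host, _, port = target.rpartition(":")
    return {"src": src, "method": "CONNECT", "host": host, "port": int(port)}

def evaluate(rules, req):
    """Return (action, rule number) of the first line whose ACLs all match."""
    for number, (action, names) in enumerate(rules, 1):
        if all(ACLS[name](req) for name in names):
            return action, number
    # No line matched: Squid applies the opposite of the last line.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        req = connect(src, "www.facebook.com:443")
        print(src, "posted:", evaluate(POSTED, req), "reordered:", evaluate(REORDERED, req))
```

With these constructed addresses, only the client listed in flr-mgr reaches the site under the posted order, because its allow line matches before the deny line is ever checked.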