Greetings to All,
I want to set up an ACL that will prevent access to a limited set of websites, but I'm having an issue with https://. I tried https://facebook.com and it opened; the same for gmail or orkut. Here is my ACL:
Code:
##Clients those are allowed to surf
acl myclnts src "/home/scripts/ncc.squid"
acl alwurl url_regex -i "/home/scripts/alwurl"
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny test
http_access deny myclnts
deny_info ERR_NCC myclnts
Thanks for your response, but it does not work for me. I can still access https://www.facebook.com and other such websites. I want to block websites like facebook, orkut, gmail; these are websites that open with https as well.
Denying access to specific https sites gets a little tricky.
Keep in mind that in the access control entries I posted above, dst will tell squid to resolve the hostnames to IP addresses at parse time. This means that if e.g. facebook or orkut should change IP info, squid will not know about the change.
-------
edit: I was just doing some experimenting -- see if this works as well:
Net_Spy, using dstdomain works for domains accessed with either HTTP or HTTPS. You should make sure you don't have some other ACL granting access. It's hard for us to tell what's going on since we don't have a complete view of the relevant section of your squid.conf. Also, keep in mind that stuff like this won't work for HTTPS:
Quote:
Originally Posted by Net_Spy
acl alwurl url_regex -i "/home/scripts/alwurl"
Squid doesn't see the URL when using HTTPS (only the host name and port number).
The following are the only ACLs that I'm using; besides that I've the safe port ACL and virus port SSL, that's it. I've changed url_regex to dstdomain, but still the same.
I don't know what is wrong.
Code:
######################################################
# Always direct and don't cache local destinations ##
######################################################
acl directdsts dst 10.0.0.0/255.0.0.0
always_direct allow directdsts
no_cache deny directdsts
###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # allow access to supervisors
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
Code:
acl SSL_ports port 443 8443 563 8383 2095
acl Safe_ports port 2095 # http
acl Safe_ports port 80 # http
acl Safe_ports port 82 # http
acl Safe_ports port 4000 # chatpk
acl Safe_ports port 81 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 20 # ftp
acl Safe_ports port 8443 # https
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl VirusPorts port 69 135 137 138 139 153 707 445 9996 5554 4444 27374 31337 1214 6346 4444 10008 65535 12345 27374 31335-31337 5556 9996 8866 3127-3198 995-997 8998 1434
http_access deny VirusPorts
http_access allow manager localhost
http_access allow manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow adminclients
# And finally deny all other access to this proxy
http_access deny all
# http_reply_access allow all
http_reply_access allow all
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # allow access to supervisors
http_access deny httpsfail
http_access deny CONNECT
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT
# Following three lines added by friends at LQ
acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com
http_access deny httpsfail CONNECT
## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr # allow access to supervisors
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all
I'm curious as to why you're explicitly denying the CONNECT method. That would imply that you actually do want to allow HTTP, wouldn't it? Something like this would take care of both HTTP and HTTPS:
You did stick those lines at the top of your file, right? Because otherwise, we'd still have doubts about another ACL granting access. Also, is this Squid running in transparent mode? If so, verify that the clients are configured to use Squid for HTTPS. I've seen many cases in which administrators forgot that only HTTP gets transparently proxied, while HTTPS would be getting SNATed if not filtered. BTW, what does the log file look like when you access, say, Facebook?
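As an added illustration (not code from the thread or from Squid), here is a small Python model of Squid's first-match http_access evaluation, run over the rule order from the posted squid.conf (where "deny all" precedes the allow rule) and over the order the replies recommend; it also shows why dstdomain matches a CONNECT request while a path-based url_regex cannot. The client IP, the allow-list contents and the regex pattern are constructed assumptions.

```python
# Added example (not from the thread): first-match evaluator for Squid http_access
# rules over constructed ACLs, to show dstdomain vs url_regex on CONNECT and rule order.
import re
from dataclasses import dataclass

@dataclass
class Request:
    src: str        # client IP
    method: str     # "GET" or "CONNECT"
    host: str
    port: int
    path: str = ""  # plain HTTP only; for CONNECT Squid sees just "host:port"

def match_acl(acl, r: Request) -> bool:
    kind, arg = acl
    if kind == "dstdomain":  # ".example.com" matches example.com and any subdomain
        return any(r.host == d.lstrip(".") or (d.startswith(".") and r.host.endswith(d)) for d in arg)
    if kind == "url_regex":  # a CONNECT request exposes no URL, only host:port
        url = f"{r.host}:{r.port}" if r.method == "CONNECT" else f"http://{r.host}{r.path}"
        return any(re.search(p, url, re.I) for p in arg)
    if kind == "all":
        return True
    return {"src": r.src, "method": r.method, "port": r.port}[kind] in arg

def http_access(rules, acls, r: Request) -> str:
    """First rule whose ACLs all match wins, as in Squid; with no match the
    default is the opposite of the last rule's action."""
    for action, *terms in rules:
        if all(match_acl(acls[t.lstrip("!")], r) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = {  # constructed stand-ins for the files /home/scripts/ncc.squid and /home/scripts/alwurl
    "myclnts": ("src", {"10.0.0.5"}),
    "alwurl": ("dstdomain", [".google.com"]),
    "httpsfail": ("dstdomain", [".facebook.com", ".orkut.com"]),
    "CONNECT": ("method", {"CONNECT"}),
    "SSL_ports": ("port", {443, 8443, 563}),
    "all": ("all", None),
}
# Order the replies recommend: specific rules first, "deny all" last. A bare
# "deny httpsfail" covers GET and CONNECT; "deny httpsfail CONNECT" blocks HTTPS only.
GOOD_ORDER = [("deny", "CONNECT", "!SSL_ports"), ("deny", "httpsfail"),
              ("allow", "alwurl", "myclnts"), ("deny", "myclnts"), ("deny", "all")]
# Order in the posted squid.conf: "deny all" precedes the allow rule.
POSTED_ORDER = [("deny", "CONNECT", "!SSL_ports"), ("deny", "all"),
                ("allow", "alwurl", "myclnts"), ("deny", "myclnts")]
# Same allow-list as a path url_regex, which can never match a CONNECT request.
REGEX_ACLS = {**ACLS, "alwurl": ("url_regex", [r"google\.com/search"])}
```

Call `http_access(GOOD_ORDER, ACLS, Request("10.0.0.5", "CONNECT", "www.google.com", 443))` to see the dstdomain allow-list admit an HTTPS request, and swap in `POSTED_ORDER` or `REGEX_ACLS` to see the same request denied.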