LinuxQuestions.org > Linux - Newbie > ACLS
https://www.linuxquestions.org/questions/linux-newbie-8/acls-4175609852/

rafaelmedeiros 07-14-2017 08:59 AM

ACLS
 
Good morning everyone!

I have a situation here in the office, which is as follows:
I have some files in the folder /etc/squid/rules/,
and I add computers with full access to the web according to those rules.

Just one example: /etc/squid/rules/enable_for_macadress.txt
Before, it was working normally. Now, when I make a change, it works fine, but after a few minutes
it reverts to an earlier setting.

I have already used vim, vi, etc., with all the options (:x!, :wq!, etc.), and right after that: squid -k reconfigure
The same thing happens even with Webmin itself.

I've recreated all the files, and it did not work.

Any help?



> df -h
Filesystem Size Used Avail Use% Mounted on
/dev/md1 9.5G 577M 8.5G 7% /
tmpfs 1.9G 144K 1.9G 1% /dev/shm
/dev/md0 190M 70M 110M 39% /boot
/dev/md2 9.5G 1.3G 7.8G 15% /usr
/dev/md3 24G 12G 13G 49% /var
/dev/md5 405G 41G 344G 11% /var/spool
/dev/sda6 9.5G 5.5G 3.6G 61% /var/squid1
/dev/sdb6 9.5G 5.5G 3.6G 61% /var/squid2

/dev/random 07-18-2017 02:24 PM

Quote:

Originally Posted by rafaelmedeiros (Post 5734825)
Good morning everyone!

I have a situation here in the office, which is as follows:
I have some files in the folder /etc/squid/rules/,
and I add computers with full access to the web according to those rules.

Just one example: /etc/squid/rules/enable_for_macadress.txt
Before, it was working normally. Now, when I make a change, it works fine, but after a few minutes
it reverts to an earlier setting.

I have already used vim, vi, etc., with all the options (:x!, :wq!, etc.), and right after that: squid -k reconfigure
The same thing happens even with Webmin itself.

I've recreated all the files, and it did not work.

Any help?

Are these computers on a different subnet than the squid box?

AwesomeMachine 07-18-2017 03:43 PM

Did you recently change versions of squid?

rafaelmedeiros 07-19-2017 03:41 PM

Quote:

Originally Posted by AwesomeMachine (Post 5736767)
Did you recently change versions of squid?

Nope!

My squid.conf

#
# Squid normally listens to port 3128
http_port 3128
http_port 4040 transparent

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid1 6144 16 512
cache_dir ufs /var/squid2 6144 16 512

cache_mem 512 MB

acl aeon src 177.19.158.163
# Leave coredumps in the first cache dir
coredump_dir /var/squid

acl manager proto cache_object
acl webserver src 192.168.1.1 127.0.0.1
http_access allow manager webserver
http_access deny manager

visible_hostname SIRIUS

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet2 src 192.168.1.0/24 # RFC1918 possible internal network
acl tolocalnet2 dst 192.168.1.0/24 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl SSL_ports port 9443
acl Safe_ports port 80 88 8080 20 7878 # http
acl Safe_ports port 1863 # msn
acl Safe_ports port 21 20 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8530 # Microsoft WSUS service
acl Safe_ports port 5024 # Central Bank software
acl Safe_ports port 3007 # multiling http
acl Safe_ports port 3456 # multiling http
acl Safe_ports port 2631 # multiling http
acl Safe_ports port 445 # Java
acl Safe_ports port 403 3607 3613 # Vimeo
acl Safe_ports port 90 # COAD
acl CONNECT method CONNECT


#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl site_ok dstdomain "/etc/squid/rules/ok_sites.txt"
acl word_site_ok url_regex -i "/etc/squid/rules/ok_sites.txt"
http_access allow site_ok
http_access allow word_site_ok
http_access allow SSL_ports Safe_ports site_ok

acl secretaria_diretoria arp 40:8d:5c:c0:e5:5f
http_access allow secretaria_diretoria
http_access allow SSL_ports secretaria_diretoria
http_access allow Safe_ports secretaria_diretoria

acl libera_por_mac arp "/etc/squid/rules/libera_por_mac.txt"
http_access allow libera_por_mac

acl gmail dstdomain .gmail.com

acl fazenda url_regex .fazenda.rj.gov.br

acl gov dstdomain .gov.com .gov.com.br .gov.br

acl captcha url_regex recaptcha

acl bancos dstdomain "/etc/squid/rules/bancos.txt"

acl GD dstdomain drive.google.com

acl docs dstdomain docs.google.com

acl domains_bloq dstdomain -i "/etc/squid/rules/domains"

acl dst_ip_bloq dst "/etc/squid/rules/dst_bloq"

acl words_bloq url_regex -i "/etc/squid/rules/words"

acl block_text url_regex -i "/etc/squid/rules/block_text.txt"

acl block_site dstdomain "/etc/squid/rules/block_sites.txt"

### TIME-BASED RESTRICTION GLPI 2016080223
acl excep_hora dstdomain "/etc/squid/rules/libera_hr_almoco.txt"
acl timealmoco_acl time M T W H F 12:00-12:59

http_access deny gmail
http_access allow fazenda
http_access allow captcha

no_cache deny gov
http_access allow gov
http_access allow bancos
http_access allow excep_hora timealmoco_acl
http_access allow GD
http_access allow docs

http_access allow tolocalnet2

# BLOCKING POLICIES
error_directory /etc/squid/err_page

deny_info acessonegado.html all
deny_info acessonegado.html domains_bloq !bancos !gov

http_access deny domains_bloq !bancos !gov

deny_info acessonegado.html dst_ip_bloq

http_access deny dst_ip_bloq

deny_info acessonegado.html words_bloq !bancos !gov
http_access deny words_bloq !bancos !gov

deny_info acessonegado.html block_text
http_access deny block_text

deny_info acessonegado.html block_site
http_access deny block_site

acl dst_peixeurbano dstdomain .peixeurbano.com.br
acl src_peixeurbano src 192.168.1.75
acl port_peixeurbano port 443
http_access allow src_peixeurbano port_peixeurbano dst_peixeurbano

acl dst_nutricaokonig dstdomain .nutricaokonig.com.br
http_access allow dst_nutricaokonig

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow aeon
http_access allow localnet
http_access allow localnet2
http_access allow localhost
http_access allow to_localhost


# Recommended minimum Access Permission configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# And finally deny all other access to this proxy
http_access deny all

AwesomeMachine 07-19-2017 07:44 PM

OK, squid follows the first matching rule, and ignores any subsequent matches. So, you really have to pay attention to the order of the rules.

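As an added worked example (not code from this thread, from the poster's setup or from Squid itself), the first-match rule AwesomeMachine describes can be modelled directly. The script below encodes a reduced, hand-copied subset of the ACLs and http_access lines from the squid.conf posted above, evaluates constructed requests against them in order, and reports which http_access lines can never be reached because an earlier line already decides every request they could match. It also shows the documented Squid default when no http_access line matches at all: the opposite of the last line's action, which is why the trailing "http_access deny all" matters. The request tuples and the trimmed Safe_ports list are assumptions made for the illustration.

```python
"""Model of how Squid evaluates http_access lines (first match wins).

Added illustration for this thread; not code from the poster's setup or
from Squid. ACL values are a reduced copy of the posted squid.conf; the
requests below are constructed test data.
"""
import ipaddress

# ACL name -> (type, values). Only the ACL types this subset needs.
ACLS = {
    "manager":    ("proto", {"cache_object"}),
    "localhost":  ("src", {"127.0.0.1/32", "::1/128"}),
    "webserver":  ("src", {"192.168.1.1/32", "127.0.0.1/32"}),
    "localnet2":  ("src", {"192.168.1.0/24"}),
    "gmail":      ("dstdomain", {".gmail.com"}),
    "SSL_ports":  ("port", {443, 563, 9443}),
    "Safe_ports": ("port", {80, 443, 8080}),        # trimmed for the example
    "secretaria_diretoria": ("arp", {"40:8d:5c:c0:e5:5f"}),
    "all":        ("all", set()),
}

# http_access lines in the same relative order as the posted squid.conf.
HTTP_ACCESS = [
    ("allow", ["manager", "webserver"]),
    ("deny",  ["manager"]),
    ("allow", ["secretaria_diretoria"]),
    ("allow", ["SSL_ports", "secretaria_diretoria"]),
    ("allow", ["Safe_ports", "secretaria_diretoria"]),
    ("deny",  ["gmail"]),
    ("allow", ["localnet2"]),
    ("allow", ["manager", "localhost"]),
    ("deny",  ["all"]),
]


def acl_matches(name, request):
    """True if one ACL (optionally negated with a leading '!') matches."""
    negate = name.startswith("!")
    acl_type, values = ACLS[name.lstrip("!")]
    if acl_type == "all":
        hit = True
    elif acl_type == "src":
        addr = ipaddress.ip_address(request["src"])
        # ip_network.__contains__ is False across IPv4/IPv6 versions.
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif acl_type == "proto":
        hit = request["proto"] in values
    elif acl_type == "port":
        hit = request["port"] in values
    elif acl_type == "arp":
        hit = request.get("mac", "").lower() in values
    elif acl_type == "dstdomain":
        host = request["host"].lower()
        # ".gmail.com" matches gmail.com itself and every subdomain.
        hit = any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                  for v in values)
    else:
        raise ValueError("unsupported ACL type: " + acl_type)
    return hit != negate


def evaluate(rules, request):
    """Return (action, line_index) of the first http_access line whose ACLs all match.

    line_index is None when nothing matched; Squid then applies the
    opposite of the last line's action.
    """
    for index, (action, acl_names) in enumerate(rules):
        if all(acl_matches(n, request) for n in acl_names):
            return action, index
    default = "deny" if rules[-1][0] == "allow" else "allow"
    return default, None


def shadowed_lines(rules):
    """Indices of http_access lines that can never be reached.

    Sufficient (not complete) test: if an earlier line's ACL set is a subset
    of a later line's ACL set, any request matching the later line was
    already decided by the earlier one.
    """
    dead = []
    for later, (_, later_acls) in enumerate(rules):
        if any(set(rules[e][1]) <= set(later_acls) for e in range(later)):
            dead.append(later)
    return dead


# Constructed requests; none of these come from the thread.
CACHEMGR_V6 = {"src": "::1", "proto": "cache_object", "host": "sirius", "port": 3128}
SECRETARY_GMAIL = {"src": "192.168.1.20", "mac": "40:8d:5c:c0:e5:5f",
                   "proto": "http", "host": "mail.gmail.com", "port": 443}
OTHER_GMAIL = {"src": "192.168.1.50", "proto": "http", "host": "mail.gmail.com", "port": 443}
OUTSIDER = {"src": "10.9.9.9", "proto": "http", "host": "example.com", "port": 80}

if __name__ == "__main__":
    for label, req in [("cachemgr from ::1", CACHEMGR_V6),
                       ("MAC-allowed host to gmail", SECRETARY_GMAIL),
                       ("other LAN host to gmail", OTHER_GMAIL),
                       ("outsider", OUTSIDER)]:
        print(label, "->", evaluate(HTTP_ACCESS, req))
    print("without the final deny all:", evaluate(HTTP_ACCESS[:6], OUTSIDER))
    print("unreachable http_access lines:", shadowed_lines(HTTP_ACCESS))
```

Two things fall out of running it against the posted order: the cache-manager request from IPv6 loopback is denied by the early "deny manager" line, so the later "allow manager localhost" is dead, and the MAC-allowed workstation reaches gmail because its allow line precedes "deny gmail". The shadow check is a cheap thing to run over any reordered http_access list before reloading.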
rafaelmedeiros 07-20-2017 05:32 AM

Quote:

Originally Posted by AwesomeMachine (Post 5737396)
OK, squid follows the first matching rule, and ignores any subsequent matches. So, you really have to pay attention to the order of the rules.


This happens with any file that I change inside /etc/squid/rules/

rafaelmedeiros 08-02-2017 10:25 AM

Problem solved!
squid -k parse showed me what was wrong. Before the update, my problem was solved.
