LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-13-2011, 09:21 AM   #1
bryanmuts2000
LQ Newbie
 
Registered: Sep 2011
Posts: 8

Rep: Reputation: Disabled
Squid Configuration Help


I am trying to configure my squid to block access to certain websites facebook and twitter in this case.

After defining my acls and the corresponding http_access lines users are still able to access these websites.

I would also like to allow access to the proxy from 12:30 to 14:00 hrs only. I have yet to try this on the squid.conf file. I am running CentOs if someone could please help me with how I would achieve this below is my current squid.conf file starting from the ACL tag


# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# : acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the arp ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet, then Squid cannot
# # find out its MAC address.
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below)
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunneling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types HTTP tunneling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known response headers.
# # Example:
# #
# # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl urlgroup group1 ...
# # match against the urlgroup as indicated by redirectors
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl
# # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl facebook url_regex -i facebook
acl twitter url_regex -i twitter

acl localnet src 10.0.0.0/24
http_access allow localnet

# : follow_x_forwarded_for
# Allowing or Denying the X-Forwarded-For header to be followed to
# find the original source of a request.
#
# Requests may pass through a chain of several other proxies
# before reaching us. The X-Forwarded-For header will contain a
# comma-separated list of the IP addresses in the chain, with the
# rightmost address being the most recent.
#
# If a request reaches us from a source that is allowed by this
# configuration item, then we consult the X-Forwarded-For header
# to see where that host received the request from. If the
# X-Forwarded-For header contains multiple addresses, and if
# acl_uses_indirect_client is on, then we continue backtracking
# until we reach an address for which we are not allowed to
# follow the X-Forwarded-For header, or until we reach the first
# address in the list. (If acl_uses_indirect_client is off, then
# it's impossible to backtrack through more than one level of
# X-Forwarded-For addresses.)
#
# The end result of this process is an IP address that we will
# refer to as the indirect client address. This address may
# be treated as the client address for access control, delay
# pools and logging, depending on the acl_uses_indirect_client,
# delay_pool_uses_indirect_client and log_uses_indirect_client
# options.
#
# SECURITY CONSIDERATIONS:
#
# Any host for which we follow the X-Forwarded-For header
# can place incorrect information in the header, and Squid
# will use the incorrect information as if it were the
# source address of the request. This may enable remote
# hosts to bypass any access control restrictions that are
# based on the client's source addresses.
#
# For example:
#
# acl localhost src 127.0.0.1
# acl my_other_proxy srcdomain .proxy.example.com
# follow_x_forwarded_for allow localhost
# follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all
follow_x_forwarded_for allow localhost

# : acl_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

# : delay_pool_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

# : log_uses_indirect_client on|off
# Controls whether the indirect client address
# (see follow_x_forwarded_for) is used instead of the
# direct client address in the access log.
#
#Default:
# log_uses_indirect_client on

# : http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

http_access deny facebook
http_access deny twitter
 
Old 09-13-2011, 12:35 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,890

Rep: Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608
Hi,

You can use something like the following:
Code:
acl forbidden dstdomain .facebook.com .twitter.com
acl hours time MTWHF 12:30-14:00
...
http_access deny forbidden
http_access deny !hours
http_access allow localnet
http_access deny all

Last edited by bathory; 09-14-2011 at 01:48 AM.
 
Old 10-05-2011, 05:14 AM   #3
bryanmuts2000
LQ Newbie
 
Registered: Sep 2011
Posts: 8

Original Poster
Rep: Reputation: Disabled
Done, but more help required

Sorry for the late response. I was not feeling well for a couple of weeks hence the no show.

I have managed to implement the blocking using your suggestion. My syntax was correct all along it was just a matter of misplacement of the acl lines.

Now another question How would I allow certain I.P addresses (lets say 10.0.0.177, 10.0.0.48) to be able to browse all the time whilst restricting the other computers to the allowed 1hr 30mins as is current.
 
Old 10-05-2011, 06:29 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,890

Rep: Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608Reputation: 1608
You create an acl for those IPs and place an "allow" rule before the "deny" that is based on hours, e.g.
Code:
...
acl good_ips src 10.0.0.177 10.0.0.48
...
http_access deny forbidden
http_access allow good_ips
http_access deny !hours
...
If you also want to allow those IPs to visit the block sites and put the "allow" line 1st.
Don't forget that the allow/deny rules are read from top to bottom and when the 1st rule is met everything else is ignored

Regards

Last edited by bathory; 10-05-2011 at 06:30 AM.
 
Old 10-05-2011, 06:51 AM   #5
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Blog Entries: 4

Rep: Reputation: 221Reputation: 221Reputation: 221
If you want to deny websites from being used through squid then here is what you need to do

Inside /etc/squid make a file

Code:
#cd /etc/squid

#vi bad-url.acl
.facebook.com
.twitter.com
Code:
#vi squid.conf

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl blocksites url_regex "/etc/squid/bad-url.acl"
http_access deny blocksites
put this entry in /etc/squid.conf

restart the server
 
Old 10-05-2011, 07:31 AM   #6
bryanmuts2000
LQ Newbie
 
Registered: Sep 2011
Posts: 8

Original Poster
Rep: Reputation: Disabled
@deep27ak - I have already managed to do that, thanks anyway.

@bathory - yo last paragraph just made my life a whole lot easier, the reason my acl's have not been working at times is the placement of the deny/allow lines now that you have explained the order in which the acl's are interpreted I don't think i will be having any problems. with acl's in squid.

Thanks a lot

You may also want to help me with this thread
http://www.linuxquestions.org/questi...nloads-906506/
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with configuration of Squid server behind a squid ajitup Linux - Server 13 08-12-2009 11:55 PM
Squid configuration saran_redhat Linux - Server 1 07-10-2009 02:38 PM
squid configuration chandanperl Linux - Software 0 02-18-2008 06:50 AM
Squid configuration Drunkalot Linux - Networking 1 03-10-2006 05:18 AM
Squid: special configuration for remote Squid server hamish Linux - Software 0 12-06-2005 04:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 06:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration