LinuxQuestions.org

squid3 acl's (https://www.linuxquestions.org/questions/linux-newbie-8/squid3-acls-947143/)

jat421 05-27-2012 03:26 PM

squid3 acl's
 
Hi, I need some help with a squid acl that doesn't seem to be working. I have installed squid3 and it seems to be routing the traffic. In the squid.conf file I have put an acl but it's not working.

Code:

acl bad_sites dstdomain .facebook.com

http_access deny bad_sites

I can post the config file but not sure how to easily remove comments from the config file. Thanks

bathory 05-27-2012 05:03 PM

Hi,

Quote:

I can post the config file but not sure how to easily remove comments from the config file.
You can use:
Code:

grep -v ^# squid.conf > squid.conf.txt
Regards

jat421 05-27-2012 05:32 PM

Thanks!!! Here is the conf file

Code:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl bad_sites dstdomain *.facebook.com
acl nav src 192.168.0.0/16      # RFC1918 possible internal network



acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT



http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow nav
http_access deny bad_sites
http_access deny all


http_port 8080


coredump_dir /var/spool/squid3


refresh_pattern ^ftp:          1440    20%    10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
refresh_pattern (Release|Packages(.gz)*)$      0      20%    2880
refresh_pattern .              0      20%    4320


bathory 05-28-2012 12:19 AM

So, what exactly is not working?
If you want to deny access to bad_sites for your LAN, you should use the "http_access deny bad_sites" directive before the "http_access allow nav".
Code:

<snip>
http_access deny bad_sites
http_access allow nav
http_access deny all
<snip>

Regards
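Squid evaluates http_access lines top to bottom and stops at the first line whose acl terms all match, which is why a deny that sits below "http_access allow nav" never fires for LAN clients. The following Python simulator of that first-match rule is added here as an illustration; it is not code from this thread or from Squid. It models only the src, dstdomain, port and method acl types, applies Squid's leading-dot dstdomain convention (".facebook.com" matches the domain and all its subdomains; a pattern without the leading dot is treated as an exact host match, which is a simplification of this model, not a statement about Squid), and the sample addresses and hostnames are constructed.

```python
import ipaddress

# Constructed sample inputs: the acl lines the http_access rules below
# reference, and the two rule orderings discussed in the thread.
ACL_LINES = """
acl localhost src 127.0.0.1/32 ::1
acl bad_sites dstdomain .facebook.com
acl nav src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
"""

ORIGINAL_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow nav
http_access deny bad_sites
http_access deny all
"""

FIXED_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny bad_sites
http_access allow nav
http_access deny all
"""


def parse_acls(text):
    """Collect 'acl NAME TYPE value...' lines; repeated names extend the value list."""
    acls = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, like grep -v ^#
        if not line.startswith("acl "):
            continue
        _, name, kind, *values = line.split()
        acls.setdefault(name, (kind, []))[1].extend(values)
    return acls


def acl_matches(kind, values, req):
    """Match one acl against a request dict; only the four acl types used here."""
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in (v.lower() for v in values):
            if v.startswith("."):                    # Squid syntax: domain plus all subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                          # no leading dot: exact host (model assumption)
                return True
        return False
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")             # single port or "lo-hi" range
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {kind!r} not modelled here")


def term_matches(acls, term, req):
    """One term on an http_access line; a leading '!' negates, 'all' always matches."""
    negate = term.startswith("!")
    name = term.lstrip("!")
    matched = True if name == "all" else acl_matches(*acls[name], req)
    return matched != negate


def evaluate(acls, rules_text, req):
    """Squid first-match semantics: the first http_access line whose terms all match
    decides; if no line matches, the opposite of the last line's action applies."""
    last_action = None
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access "):
            continue
        _, action, *terms = line.split()
        last_action = action
        if all(term_matches(acls, t, req) for t in terms):
            return action, line
    return ("deny" if last_action == "allow" else "allow"), "(no match: implicit default)"


def decide(rules_text, src, host, port=80, method="GET"):
    """Return 'allow' or 'deny' for one request under the given rule ordering."""
    req = {"src": src, "host": host, "port": port, "method": method}
    return evaluate(parse_acls(ACL_LINES), rules_text, req)[0]


if __name__ == "__main__":
    # A LAN client fetching www.facebook.com: allowed by "allow nav" in the original
    # order, denied by "deny bad_sites" once that line is moved above it.
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        action, line = evaluate(parse_acls(ACL_LINES), rules,
                                {"src": "192.168.1.5", "host": "www.facebook.com",
                                 "port": 80, "method": "GET"})
        print(f"{label:8} order -> {action:5} (decided by: {line})")
```

Running it prints which http_access line made the decision for each ordering, which is the quickest way to see that the original config never reached "deny bad_sites" for anyone inside 192.168.0.0/16.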

linuxlover.chaitanya 05-28-2012 01:23 AM

What if you try to change the acl from dstdomain to url_regex or url_path_regex? Does this work? But this will be more restrictive and you need to understand how it will work.

jat421 05-28-2012 07:58 AM

Thanks!!! I will give both suggestions a try later today and let you know the results.

The bad_sites .facebook.com is not blocked by the acl. And I will try to read up on regex as well and see how that works. Thanks!

jat421 05-28-2012 05:54 PM

Thanks!!! That was it. Putting the bad_sites before nav fixed it!!

The only other thing is that I have to reboot the server for the changes to take effect. I have tried restarting squid3 with "sudo squid3 restart" but that does not work. I do not get any errors with the command, it's just that any changes won't take effect until I reboot. Is there any trick to restarting squid without rebooting the server? Thanks!

I have Ubuntu 12.04 running in VMware Player. Thanks!

Zetec 05-28-2012 06:06 PM

Shouldn't have to reboot. Try sudo squid stop then watch it stop and start squid. Then check the logs for any error messages.

jat421 05-28-2012 06:18 PM

Thanks Zetec! So I followed your instructions and found something interesting.

While watching the cache.log of squid with "tail -f", whenever I do a "sudo squid3 stop" the log says "Squid is already running Process ID 733".

So it looks like that might be the culprit. Any ideas? I will do a Google search in the meantime. Thanks!

jat421 05-28-2012 06:23 PM

So Google found me a command that seems to have worked: "sudo squid3 -k shutdown".

Wondering why the "sudo squid3 stop" didn't work. Thanks for all the help!

EDIT: lol, looking at "squid3 --help" it says to use the "sudo squid3 -k shutdown" command. I guess the old squid version used the stop command, not this one. Thanks for all the help guys!!

Zetec 05-28-2012 09:00 PM

There you go. Glad you got it sorted. :). Beats rebooting the server every time. ;).

bathory 05-29-2012 12:42 AM

Quote:

So Google found me a command that seems to have worked: "sudo squid3 -k shutdown".

Wondering why the "sudo squid3 stop" didn't work. Thanks for all the help!

EDIT: lol, looking at "squid3 --help" it says to use the "sudo squid3 -k shutdown" command. I guess the old squid version used the stop command, not this one.
You can use:
Code:

sudo /etc/init.d/squid3 restart