LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 07-27-2009, 10:27 AM   #1
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Rep: Reputation: 15
squid acl stopped working


Hi all, I have a CentOS 4.6 box set up as an internet gateway router for my office. I installed Squid and did transparent caching using iptables rules.
I also configured Squid to block sites that are not needed.
This setup was working fine until I discovered that Squid no longer blocks the sites I have listed in the block list. It is very strange to me; please, I need to know what to do to remedy the issue. Below is my squid.conf file. Thanks.

Code:
# Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Netlibrary_Network src 10.234.10.0/255.255.255.0
acl Netlibrary_Server2 src 10.234.10.2
acl Netlibrary_Server3 src 10.234.10.3
acl filter_sites dstdomain "/etc/squid/blocked_sites.acl"
acl filter_files urlpath_regex "/etc/squid/blocked_files.acl"
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
# ACL names are case-sensitive: these must match the acl lines above exactly
http_access allow Netlibrary_Network
http_access allow Netlibrary_Server2
http_access allow Netlibrary_Server3
#http_access allow Netlibrary_servers
http_access allow localhost
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
# DENY ALL BLOCKED EXTENSION
# deny_info must name ACLs that are defined above (filter_files/filter_sites)
deny_info ERR_BLOCKED_FILES filter_files
deny_info ERR_BLOCKED_SITES filter_sites
http_access deny manager
http_access deny filter_sites
http_access deny filter_files
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access deny all
 
Old 07-28-2009, 04:21 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
What's in /etc/squid/blocked_sites.acl? Do your access logs confirm that the users are indeed going through the proxy (and being allowed to access content that you'd expect to be blocked)? Are your cache logs showing any errors?
 
Old 07-28-2009, 05:05 PM   #3
pliqui
Member
 
Registered: Feb 2007
Location: Caracas, Venezuela
Distribution: Debian x64
Posts: 156

Rep: Reputation: 17
Try changing
Code:
acl filter_files urlpath_regex "/etc/squid/blocked_files.acl"

to

acl filter_files urlpath_regex -i "/etc/squid/blocked_files.ac
'-i' makes it match both upper and lower case.

I have my blocking code like this

Code:
acl bad_url url_regex "/etc/squid3/bad-sites.acl"
and move this section

Code:
# DENY ALL BLOCKED EXTENSION
deny_info ERR_BLOCKED_FILES blocked_files
deny_info ERR_BLOCKED_SITES blocked_sites
http_access deny manager
http_access deny filter_sites
http_access deny filter_files
http_access deny !Safe_ports
to after this line:
Code:
http_access allow manager localhost
Then continue with the remaining http_access lines.

Last edited by pliqui; 07-28-2009 at 05:18 PM.
 
Old 07-29-2009, 06:11 AM   #4
chitambira
Member
 
Registered: Oct 2008
Location: Online
Distribution: RHEL, Centos
Posts: 373
Blog Entries: 1

Rep: Reputation: 51
Note that the config file is read top-down, and once a match is found, processing does NOT continue.
So in this case, as long as you have http_access allow Netlibrary_Network before your denies, all users within that particular network are allowed to browse any site.

The best way (best practice) of configuring your proxy server is:
1. first deny all external networks (keep off your bad guys with the first match)
2. allow your network users with the appropriate restrictions
3. deny anyone else

eg.

Quote:
http_access deny !my_local_network
http_access allow my_local_network !badsites !badfiles
http_access deny all
The above rules are read as:
# deny everyone who is not part of my network
# allow all my network users as long as they are not trying to browse bad sites or download bad files
# deny everything else

Last edited by chitambira; 07-29-2009 at 07:13 AM.
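The first-match evaluation described in the two replies above, as an added example that is not part of the thread and not Squid's own code: a small Python simulation of http_access processing over a subset of ACL types (src, dstdomain, urlpath_regex, url_regex, port, method). It evaluates the rule order from the original post and the deny-first order recommended above against the same constructed requests, and also shows what the -i flag from the earlier reply does. The ACL name "office", the blocklist entries, hostnames and client addresses are all assumptions made for the example; real Squid also does reverse lookups, dst ACLs and more, which are not modelled here.

```python
"""Simulate Squid's top-down, first-match http_access evaluation.

Constructed example for this thread, not Squid's own code. Hostnames,
blocklist entries, ACL names and client addresses below are made up.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    src: str
    host: str
    port: int
    path: str
    method: str = "GET"

    @property
    def url(self):
        return f"http://{self.host}:{self.port}{self.path}"


def make_acl(kind, values, case_insensitive=False):
    """Return a predicate Request -> bool for one 'acl NAME TYPE VALUES' line."""
    if kind == "src":
        nets = [ipaddress.ip_network(v, strict=False) for v in values]
        return lambda r: any(ipaddress.ip_address(r.src) in n for n in nets)
    if kind == "dstdomain":
        # Squid: a leading dot matches the domain and every subdomain;
        # without the dot only that exact host matches.
        doms = [v.lower() for v in values]
        return lambda r: any(r.host.lower() == d.lstrip(".")
                             or (d.startswith(".") and r.host.lower().endswith(d))
                             for d in doms)
    if kind in ("urlpath_regex", "url_regex"):
        flags = re.IGNORECASE if case_insensitive else 0   # the -i flag
        pats = [re.compile(v, flags) for v in values]
        field = (lambda r: r.path) if kind == "urlpath_regex" else (lambda r: r.url)
        return lambda r: any(p.search(field(r)) for p in pats)
    if kind == "port":
        ports = set()
        for v in values:                      # "80" or "1025-65535"
            lo, _, hi = v.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        return lambda r: r.port in ports
    if kind == "method":
        wanted = {v.upper() for v in values}
        return lambda r: r.method.upper() in wanted
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(rules, acls, req):
    """rules: list of (action, [terms]); every term on one line must match.

    A '!' prefix negates a term. The first line whose terms all match
    decides. When nothing matches, Squid applies the opposite of the last
    line's action, which is why a trailing 'deny all' matters.
    """
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"


ACLS = {
    "all": make_acl("src", ["0.0.0.0/0"]),
    "office": make_acl("src", ["10.234.10.0/24"]),
    "filter_sites": make_acl("dstdomain", [".example.net"]),   # constructed blocklist
    "filter_files": make_acl("urlpath_regex", [r"\.exe$", r"\.mp3$"], case_insensitive=True),
    "Safe_ports": make_acl("port", ["80", "21", "443", "1025-65535"]),
    "SSL_ports": make_acl("port", ["443"]),
    "CONNECT": make_acl("method", ["CONNECT"]),
}

# Order from the original post: the office network is allowed before any deny.
BROKEN = [("allow", ["office"]), ("deny", ["filter_sites"]), ("deny", ["filter_files"]),
          ("deny", ["!Safe_ports"]), ("deny", ["all"])]

# Deny-first order recommended in the thread; restrictions ride on the allow line.
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("deny", ["!office"]),
         ("allow", ["office", "!filter_sites", "!filter_files"]), ("deny", ["all"])]

SAMPLES = {  # constructed requests from an office client and an outsider
    "blocked_site": Request("10.234.10.50", "www.example.net", 80, "/"),
    "blocked_file": Request("10.234.10.50", "dl.example.org", 80, "/Setup.EXE"),
    "allowed": Request("10.234.10.50", "www.example.org", 80, "/index.html"),
    "outsider": Request("192.0.2.9", "www.example.org", 80, "/"),
}


def evaluate(rules, req):
    return http_access(rules, ACLS, req)


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} broken={evaluate(BROKEN, req):5s} fixed={evaluate(FIXED, req)}")
```

Running it prints one line per request: with the original order every office request comes back "allow", blocked site or not, because the first line already matched; with the deny-first order the blocked site and the upper-case .EXE download are denied (the latter only because of the case-insensitive match), the ordinary page is allowed and the outside address is denied. On the real box, `squid -k parse` is the check to run after editing squid.conf, since an ACL name that does not match its definition is reported there rather than silently doing nothing.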
 
Old 07-31-2009, 10:08 AM   #5
uwa45
Member
 
Registered: Oct 2006
Location: Lagos,Nigeria
Distribution: Fedora core 3, Redhat 9.0,Centos 4.6
Posts: 43

Original Poster
Rep: Reputation: 15
Hi all, thanks for your suggestions and help. I got it working with everything you guys told me.
 
Old 07-31-2009, 03:27 PM   #6
pliqui
Member
 
Registered: Feb 2007
Location: Caracas, Venezuela
Distribution: Debian x64
Posts: 156

Rep: Reputation: 17
Glad to help. chitambira's comments explained what I told you far better. But good to know you solved your issues.
 