LinuxQuestions.org
Old 07-24-2006, 11:07 PM   #1
SBN
Squid Configuration Questions!


hello friends i have a few questions about squid...hope you can help me.

1. i used this tag:
Code:
acl mynetwork src myipaddress/24
http_access allow mynetwork
http_access deny all
but when i run squid it says that i have to identify "all".
i searched the net and i saw examples using "!all", so i tried to use it and it worked. what's the use of "!"? and what is the effect if i change "http_access deny !all" to "http_access deny !mynetwork"? is it the same as "http_access deny !all"?

2. how do you stop squid when it's already running?

3. are the ports assigned to the safe_ports tag the only ports that my network is going to use, with the rest of the ports blocked by default?

4. what security features does squid offer?

-SBN-
 
Old 07-25-2006, 01:25 AM   #2
win32sux
Quote:
Originally Posted by SBN
i used this tag:
acl mynetwork src myipaddress/24
http_access allow mynetwork
http_access deny all
but when i run squid it says that i have to identify "all".
make sure you have a line like this before those:
Code:
acl all src 0.0.0.0/0.0.0.0
Quote:
i searched the net and i saw examples using "!all", so i tried to use it and it worked. what's the use of "!"? and what is the effect if i change "http_access deny !all" to "http_access deny !mynetwork"? is it the same as "http_access deny !all"?
! is an invert... it inverts the purpose of the rule... for example:
Code:
http_access deny !Safe_ports
this example says "deny those connections which do NOT match the Safe_ports ACL"...

you don't normally need to use an invert with "all"...

Quote:
how do you stop squid when its already running?
like this:
Code:
squid -k shutdown
Quote:
are the ports assigned to the safe_ports tag the only ports that my network is going to use, with the rest of the ports blocked by default?
yes, those are the ports which squid will allow connections to... in other words, if you have:
Code:
acl Safe_ports port 80 8080 21
then squid will only allow connections from clients if they are connecting to any of those three ports on the remote server...

Quote:
what security features does squid offer?
well, it provides the option to use authentication for access, for example... i'm sure someone more knowledgeable than me can come up with a list of security features squid includes... keep in mind that squid isn't a security application in and of itself, so don't expect too much from it...

Last edited by win32sux; 07-25-2006 at 01:59 AM.
 
Old 07-25-2006, 02:33 AM   #3
SBN
thanks for the answers, they really help.

i've got another question...

1. whenever i run squid by typing the command squid in the terminal, this error shows up: "determine fully qualified hostname. please set visible_hostname", even though in squid.conf i already set this tag: "visible_hostname UBUNTU".
UBUNTU (i'm using ubuntu linux) is the name of my linux pc. it always showed that error, so to run squid i attached "./" to the command. so whenever i run squid i use "sudo ./squid". is that ok?

2. i read the squid manual and it says that it is possible to block specific sites. my question now is, is it possible to do the reverse, to block all websites and allow only those i specify? if so, what tag is that? or can you give me some examples...

-SBN-
 
Old 07-25-2006, 02:49 AM   #4
win32sux
Quote:
Originally Posted by SBN
thanks for the answers, they really help.
you're very welcome!!!

Quote:
whenever i run squid by typing the command squid in the terminal, this error shows up: "determine fully qualified hostname. please set visible_hostname", even though in squid.conf i already set this tag: "visible_hostname UBUNTU".
UBUNTU (i'm using ubuntu linux) is the name of my linux pc. it always showed that error, so to run squid i attached "./" to the command. so whenever i run squid i use "sudo ./squid". is that ok?
well, it sounds like two separate issues to me... one is the hostname thing... and the other is the sudo thing... i don't see anything wrong with using sudo to start squid... i would just double-check to make sure squid is running as a non-root user to be safe... as for the hostname thing, i'm not sure why it doesn't work... try setting it to something else just to test... maybe something like:
Code:
visible_hostname ubuntu.example.net
but i'm not sure i fully understand what you mean... are you saying that when you do it with sudo you don't get that error??

Quote:
i read the squid manual and it says that it is possible to block specific sites. my question now is, is it possible to do the reverse, to block all websites and allow only those i specify? if so, what tag is that? or can you give me some examples...
yes, you can whitelist websites instead of blacklisting them...

i think it would go something like this example:
Code:
acl okaysites dstdomain google.com cnn.com slashdot.org
http_access deny !okaysites

Last edited by win32sux; 07-25-2006 at 02:53 AM.
 
Old 07-25-2006, 03:02 AM   #5
SBN
- yes whenever i use "sudo ./squid" there is no error. i receive the
"ready to serve requests."

- what do you mean by whitelist and blacklist? and how do i do that?
can you give more examples please?

-SBN-
 
Old 07-25-2006, 03:12 AM   #6
win32sux
Quote:
Originally Posted by SBN
- yes whenever i use "sudo ./squid" there is no error. i receive the
"ready to serve requests."
weird, i'll wait for someone else to chime in on that one, as i'm not sure what the deal is there...

Quote:
what do you mean by whitelist and blacklist? and how do i do that?
can you give more examples please?
whitelist is when you block everything and then allow certain exceptions... it's also known as "default deny"... blacklist is when you allow everything and then block certain exceptions... it's also known as "default permit"... the concepts apply to many different things, including squid's ACLs, iptables, etc, etc... the concept even applies in the non-technology world as you can imagine...

the example i provided for you is whitelist... it basically says:
Code:
# Create an ACL called "okaysites" with destination domains:
acl okaysites dstdomain google.com cnn.com slashdot.org

# Deny any connections which do NOT match the "okaysites" ACL:
http_access deny !okaysites
as you can see, the invert (!) came in handy here...

for more info and examples: http://www.google.com/search?q=squid+dstdomain

Last edited by win32sux; 07-25-2006 at 03:14 AM.
 
Old 07-25-2006, 03:15 AM   #7
SBN
Thanks a lot that really helps!
 
Old 07-25-2006, 03:21 AM   #8
SBN
ohh! one more question: how can i make the deny_info tag work? i can't make it work. i just want an error message to appear in a client's browser stating that he has no internet access because he is not part of my network.
 
Old 07-25-2006, 05:04 AM   #9
win32sux
i've never used it, but after looking at squid.conf.default, i think it would go something like this:
Code:
acl all src 0.0.0.0/0.0.0.0
acl mynetwork src 192.168.100.0/24
http_access allow mynetwork
# squid picks the error page by the ACL name on the http_access line that
# denied the request, so deny_info is keyed on "all" rather than "!mynetwork"
deny_info ERR_SORRY_GUYS all
http_access deny all
http_reply_access allow all
you've got a lot of other error pages to choose from (you can also make your own)...

on my box i have:
Code:
bash-3.00$ ls /usr/share/squid/errors/English/
ERR_ACCESS_DENIED            ERR_FTP_NOT_FOUND     ERR_ONLY_IF_CACHED_MISS
ERR_CACHE_ACCESS_DENIED      ERR_FTP_PUT_CREATED   ERR_READ_ERROR
ERR_CACHE_MGR_ACCESS_DENIED  ERR_FTP_PUT_ERROR     ERR_READ_TIMEOUT
ERR_CANNOT_FORWARD           ERR_FTP_PUT_MODIFIED  ERR_SHUTTING_DOWN
ERR_CONNECT_FAIL             ERR_FTP_UNAVAILABLE   ERR_SOCKET_FAILURE
ERR_DNS_FAIL                 ERR_INVALID_REQ       ERR_TOO_BIG
ERR_FORWARDING_DENIED        ERR_INVALID_RESP      ERR_UNSUP_REQ
ERR_FTP_DISABLED             ERR_INVALID_URL       ERR_URN_RESOLVE
ERR_FTP_FAILURE              ERR_LIFETIME_EXP      ERR_WRITE_ERROR
ERR_FTP_FORBIDDEN            ERR_NO_RELAY          ERR_ZERO_SIZE_OBJECT
my example above assumes you created a custom error page named ERR_SORRY_GUYS and placed it in there alongside the original squid error pages...

according to the squid.conf.default file you can also use URLs:
Quote:
# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://... acl
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# This can be used to return a ERR_ page for requests which
# do not pass the 'http_access' rules. A single ACL will cause
# the http_access check to fail. If a 'deny_info' line exists
# for that ACL Squid returns a corresponding error page.
#
# You may use ERR_ pages that come with Squid or create your own pages
# and put them into the configured errors/ directory.
#
# Alternatively you can specify an error URL. The browsers will
# get redirected (302) to the specified URL. %s in the redirection
# URL will be replaced by the requested URL.
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
#Default:
# none
but like i said, i've never used deny_info so i'm not 100% sure if my example would work (although i don't see why not)...

i'd give you some better, more complex examples but it's time for me to go to sleep... Zzzzzzzzzzzzzzzzzzzzzzzzzz...

http://www.google.com/search?q=squid+deny_info

Last edited by win32sux; 07-25-2006 at 05:13 AM.
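As an added illustration of the first-match http_access evaluation and "!" invert described in #2 and #6, and of the deny_info page selection from #9 (my own model, not code from Squid or from anyone in this thread), the script below replays the thread's Safe_ports, whitelist and deny_info lines against a few constructed requests. It assumes a constructed squid.conf with deny_info keyed on "all", because Squid chooses the error page by the last ACL named on the http_access line that produced the deny, and it models dstdomain the way Squid does: a bare "google.com" matches only that exact host, so www.google.com is refused by the thread's whitelist unless the entry is written ".google.com".

```python
import ipaddress

# Constructed squid.conf (not the project's own) joining the thread's examples.
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl mynetwork src 192.168.100.0/24
acl Safe_ports port 80 8080 21
acl okaysites dstdomain google.com cnn.com slashdot.org
deny_info ERR_SORRY_GUYS all
http_access deny !Safe_ports
http_access deny !okaysites
http_access allow mynetwork
http_access deny all
"""

def parse(conf):
    acls, deny_info, rules = {}, {}, []
    for f in (l.split() for l in conf.splitlines() if l.strip()):
        if f[0] == "acl":                      # acl NAME TYPE VALUE...
            acls.setdefault(f[1], []).append((f[2], f[3:]))
        elif f[0] == "deny_info":              # deny_info ERR_PAGE ACLNAME
            deny_info[f[2]] = f[1]
        elif f[0] == "http_access":            # http_access allow|deny TERM...
            rules.append((f[1], f[2:]))
    return acls, deny_info, rules

def acl_matches(acls, name, req):
    for kind, values in acls[name]:
        if kind == "src" and any(ipaddress.ip_address(req["src"]) in
                                 ipaddress.ip_network(v, strict=False) for v in values):
            return True
        if kind == "port" and req["port"] in [int(v) for v in values]:
            return True
        # dstdomain: a bare name is an exact host match; only ".example.com" covers subdomains
        if kind == "dstdomain" and any(req["host"] == v or (v[0] == "." and
                (req["host"] == v[1:] or req["host"].endswith(v))) for v in values):
            return True
    return False

def http_access(conf, req):
    """First http_access line whose terms all match wins; "!" inverts a term."""
    acls, deny_info, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            if action == "allow":
                return "allow", None
            # Squid picks the error page by the last ACL named on the denying line.
            return "deny", deny_info.get(terms[-1].lstrip("!"), "ERR_ACCESS_DENIED")
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow", None) if rules[-1][0] == "deny" else ("deny", "ERR_ACCESS_DENIED")
```

A request from outside 192.168.100.0/24 gets ERR_SORRY_GUYS, while an inside client asking for a non-whitelisted host or a non-Safe_ports port gets the stock ERR_ACCESS_DENIED, which is how you can tell in testing whether the deny_info line is really being hit.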
 
  

