Can someone lend a hand on how ACLs are processed in Squid? I have my Squid server up and running, but when I try to add in some group membership validation, things start going wrong. It's almost certain that I've set the ACLs incorrectly, as I'm not 100 percent sure how the rules are handled/processed by Squid. As you'll see from the cache.log, Squid is refusing the GET command, e.g. "The request GET http://www.google.ie/ is DENIED, because it matched 'all'". I can't figure out why this is happening. I'm trying to set up the rules for the following conditions:

* If a user is a member of "allowedUsers", they can use the proxy provided the site URL is not in my blockedurls list or the content they are trying to download is not one of the restricted file extensions.
* The second condition is an "unrestrictedUsers" group, which allows a user (who is part of the group) to bypass all restrictions put in place for the "allowedUsers".

Many thanks,
Paul D.
# SQUID CONF FILE - UPDATED BY PAULD 04/12/2005
http_port 8080
icp_port 0
cache_peer x.x.x.x parent 80 7 no-query default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl QUERY1 urlpath_regex aspx \?
acl QUERY2 urlpath_regex asp \?
no_cache deny QUERY
no_cache deny QUERY1
no_cache deny QUERY2
cache_mem 100 MB
cache_dir ufs /var/cache/squid 500 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
ftp_user anonymous@xxxxxxxx
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
#=========Authentication Bit==========================
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
#==========Use AD Domain groups for ACLs===============
external_acl_type ad_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
#==========ACCESS CONTROLS===============================
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports_ftp port 21      # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl CONNECT method CONNECT
acl allowedurls url_regex "/etc/squid/okurls"
acl blockedurls url_regex "/etc/squid/badurls"
acl allowedUsers external ad_group InternetAllowed
acl unrestrictedUsers external ad_group InternetBypass
acl Authenticated proxy_auth REQUIRED
#==file extensions that we don't allow
acl nora1 urlpath_regex \.rm$
acl nora2 urlpath_regex \.r1$
acl nora3 urlpath_regex \.ram$
acl nora4 urlpath_regex \.rm
acl nomp2 urlpath_regex \.mp2
acl nomp3 urlpath_regex \.mp3
acl nomp2 urlpath_regex \.MP2
acl nomp2 urlpath_regex \.MP3
acl nowma urlpath_regex \.wma
acl nowmv urlpath_regex \.wmv
acl nompg1 urlpath_regex \.mpg$
acl nompg2 urlpath_regex \.mpeg$
acl nompg3 urlpath_regex \.mpe$
acl noqt urlpath_regex \.mov$
acl noavi urlpath_regex \.avi$
acl noexe urlpath_regex \.exe
acl noexe urlpath_regex \.EXE
http_access allow manager localhost
http_access allow localhost
http_access allow allowedurls allowedUsers
http_access allow unrestrictedUsers
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blockedurls
http_access deny !Authenticated
#==== Now to block those file extensions
http_access deny noexe
http_access deny nomp2
http_access deny nomp3
http_access deny nowma
http_access deny nowmv
http_access deny nompg1
http_access deny nompg2
http_access deny nompg3
http_access deny noavi
http_access deny noqt
http_access deny all
http_reply_access allow all
icp_access allow all
mail_from squid@xxxxxxxx
mail_program mail
cache_effective_user squid
cache_effective_group squid
append_domain .blah.com
never_direct allow all
coredump_dir /var/cache/squid
#note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2
2006/01/19 11:49:22| Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
2006/01/19 11:49:22| Process ID 5050
2006/01/19 11:49:22| With 1024 file descriptors available
2006/01/19 11:49:22| Performing DNS Tests...
2006/01/19 11:49:22| Successful DNS name lookup tests...
2006/01/19 11:49:22| DNS Socket created at 0.0.0.0, port 32776, FD 5
2006/01/19 11:49:22| Adding nameserver 192.168.125.2 from /etc/resolv.conf
2006/01/19 11:49:22| Adding nameserver 192.168.125.7 from /etc/resolv.conf
2006/01/19 11:49:22| helperStatefulOpenServers: Starting 15 'ntlm_auth' processes
2006/01/19 11:49:22| helperOpenServers: Starting 15 'ntlm_auth' processes
2006/01/19 11:49:23| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
2006/01/19 11:49:23| Unlinkd pipe opened on FD 45
2006/01/19 11:49:23| Swap maxSize 512000 KB, estimated 39384 objects
2006/01/19 11:49:23| Target number of buckets: 1969
2006/01/19 11:49:23| Using 8192 Store buckets
2006/01/19 11:49:23| Max Mem size: 102400 KB
2006/01/19 11:49:23| Max Swap size: 512000 KB
2006/01/19 11:49:23| Store logging disabled
2006/01/19 11:49:23| Rebuilding storage in /var/cache/squid (DIRTY)
2006/01/19 11:49:23| Using Least Load store dir selection
2006/01/19 11:49:23| Set Current Directory to /var/cache/squid
2006/01/19 11:49:23| Loaded Icons.
2006/01/19 11:49:23| Accepting HTTP connections at 0.0.0.0, port 8080, FD 46.
2006/01/19 11:49:23| Accepting SNMP messages on port 3401, FD 47.
2006/01/19 11:49:23| WCCP Disabled.
2006/01/19 11:49:23| Ready to serve requests.
2006/01/19 11:49:23| Done reading /var/cache/squid swaplog (1107 entries)
2006/01/19 11:49:23| Finished rebuilding storage from disk.
2006/01/19 11:49:23| 1106 Entries scanned
2006/01/19 11:49:23| 0 Invalid entries.
2006/01/19 11:49:23| 0 With invalid flags.
2006/01/19 11:49:23| 1106 Objects loaded.
2006/01/19 11:49:23| 0 Objects expired.
2006/01/19 11:49:23| 0 Objects cancelled.
2006/01/19 11:49:23| 1 Duplicate URLs purged.
2006/01/19 11:49:23| 0 Swapfile clashes avoided.
2006/01/19 11:49:23| Took 0.3 seconds (4056.2 objects/sec).
2006/01/19 11:49:23| Beginning Validation Procedure
2006/01/19 11:49:23| Completed Validation Procedure
2006/01/19 11:49:23| Validated 1105 Entries
2006/01/19 11:49:23| store_swap_size = 9180k
2006/01/19 11:49:24| storeLateRelease: released 0 objects
2006/01/19 11:49:37| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 11:49:37| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 11:49:37| The request GET http://www.google.ie/ is DENIED, because it matched 'all'
2006/01/19 11:49:37| The request GET http://www.google.ie/favicon.ico is DENIED, because it matched 'all'
2006/01/19 11:49:37| The request GET http://www.google.ie/favicon.ico is DENIED, because it matched 'all'
2006/01/19 11:49:37| The request GET http://www.google.ie/favicon.ico is DENIED, because it matched 'all'
2006/01/19 16:01:22| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:01:22| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:01:22| The request GET http://www.google.ie/ is DENIED, because it matched 'all'
2006/01/19 16:02:33| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:02:33| The request GET http://www.google.ie/ is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:02:33| The request GET http://www.google.ie/ is DENIED, because it matched 'all'
2006/01/19 16:02:40| The request GET http://www.google.ie/ is DENIED, because it matched 'all'
2006/01/19 16:16:46| Starting Squid Cache version 2.5.STABLE12 for i686-pc-linux-gnu...
2006/01/19 16:16:46| Process ID 5129
2006/01/19 16:16:46| With 1024 file descriptors available
2006/01/19 16:16:46| Performing DNS Tests...
2006/01/19 16:16:46| Successful DNS name lookup tests...
2006/01/19 16:16:46| DNS Socket created at 0.0.0.0, port 32779, FD 5
2006/01/19 16:16:46| Adding nameserver 192.168.125.2 from /etc/resolv.conf
2006/01/19 16:16:46| Adding nameserver 192.168.125.7 from /etc/resolv.conf
2006/01/19 16:16:46| helperStatefulOpenServers: Starting 15 'ntlm_auth' processes
2006/01/19 16:16:47| helperOpenServers: Starting 15 'ntlm_auth' processes
2006/01/19 16:16:47| helperOpenServers: Starting 5 'wbinfo_group.pl' processes
2006/01/19 16:16:47| Unlinkd pipe opened on FD 45
2006/01/19 16:16:47| Swap maxSize 512000 KB, estimated 39384 objects
2006/01/19 16:16:47| Target number of buckets: 1969
2006/01/19 16:16:47| Using 8192 Store buckets
2006/01/19 16:16:47| Max Mem size: 102400 KB
2006/01/19 16:16:47| Max Swap size: 512000 KB
2006/01/19 16:16:47| Store logging disabled
2006/01/19 16:16:47| Rebuilding storage in /var/cache/squid (DIRTY)
2006/01/19 16:16:47| Using Least Load store dir selection
2006/01/19 16:16:47| Set Current Directory to /var/cache/squid
2006/01/19 16:16:47| Loaded Icons.
2006/01/19 16:16:47| Accepting HTTP connections at 0.0.0.0, port 8080, FD 46.
2006/01/19 16:16:47| Accepting SNMP messages on port 3401, FD 47.
2006/01/19 16:16:47| WCCP Disabled.
2006/01/19 16:16:47| Ready to serve requests.
2006/01/19 16:16:48| Done reading /var/cache/squid swaplog (1107 entries)
2006/01/19 16:16:48| Finished rebuilding storage from disk.
2006/01/19 16:16:48| 1106 Entries scanned
2006/01/19 16:16:48| 0 Invalid entries.
2006/01/19 16:16:48| 0 With invalid flags.
2006/01/19 16:16:48| 1106 Objects loaded.
2006/01/19 16:16:48| 0 Objects expired.
2006/01/19 16:16:48| 0 Objects cancelled.
2006/01/19 16:16:48| 1 Duplicate URLs purged.
2006/01/19 16:16:48| 0 Swapfile clashes avoided.
2006/01/19 16:16:48| Took 0.3 seconds (3852.8 objects/sec).
2006/01/19 16:16:48| Beginning Validation Procedure
2006/01/19 16:16:48| Completed Validation Procedure
2006/01/19 16:16:48| Validated 1105 Entries
2006/01/19 16:16:48| store_swap_size = 9180k
2006/01/19 16:16:49| storeLateRelease: released 0 objects
2006/01/19 16:16:49| The request GET http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=pad is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:16:49| The request GET http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=pad is DENIED, because it matched 'unrestrictedUsers'
2006/01/19 16:16:49| The request GET http://www1.euro.dell.com/content/default.aspx?c=ie&l=en&s=pad is DENIED, because it matched 'all'
2006/01/19 16:23:56| The request GET http://support.euro.dell.com/support/downloads/devices.aspx?c=uk&l=en&s=lca&SystemID=LAT_PNT_P3_C400&os=WW1&osl=EN is DENIED, because it matched 'allowedUsers'
2006/01/19 16:23:56| The request GET http://support.euro.dell.com/support/downloads/devices.aspx?c=uk&l=en&s=lca&SystemID=LAT_PNT_P3_C400&os=WW1&osl=EN is DENIED, because it matched 'allowedUsers'
2006/01/19 16:23:56| The request GET http://support.euro.dell.com/support/downloads/devices.aspx?c=uk&l=en&s=lca&SystemID=LAT_PNT_P3_C400&os=WW1&osl=EN is DENIED, because it matched 'all'
2006/01/19 16:24:05| The request GET http://support.euro.dell.com/support/downloads/devices.aspx? is DENIED, because it matched 'all'
2006/01/19 16:24:07| The request GET http://support.euro.dell.com/support/downloads/devices.aspx? is DENIED, because it matched 'all'
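To make the rule-processing question concrete, here is an added model (not Squid's code and not from the poster) of how Squid walks the posted http_access list: lines are tried top to bottom, a line matches only when every ACL on it matches (with `!` negating), the first matching line's allow/deny decides, and the last ACL evaluated on that line is the name cache.log prints after "because it matched". The okurls/badurls contents, the AD group memberships and the request details are constructed; the proxy_auth challenge (407) Squid sends to an unauthenticated client is not modelled, so a request with no user simply falls through the list.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for /etc/squid/okurls and /etc/squid/badurls (url_regex files).
OKURLS = [r"^http://intranet\.blah\.com/"]
BADURLS = [r"casino", r"\.torrent$"]

ACLS = {  # ACL name from the posted squid.conf -> predicate over a request dict
    "all": lambda r: True,
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "Safe_ports": lambda r: r["port"] in (80, 443, 280) or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "allowedurls": lambda r: any(re.search(p, r["url"]) for p in OKURLS),
    "blockedurls": lambda r: any(re.search(p, r["url"]) for p in BADURLS),
    "allowedUsers": lambda r: "InternetAllowed" in r["groups"],    # wbinfo_group.pl result
    "unrestrictedUsers": lambda r: "InternetBypass" in r["groups"],
    "Authenticated": lambda r: r["user"] is not None,
    "noexe": lambda r: re.search(r"\.exe", r["path"], re.I) is not None,
    "nomp3": lambda r: re.search(r"\.mp3", r["path"], re.I) is not None,
}

# The poster's http_access lines in their original order (extension lines abridged).
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]), ("allow", ["localhost"]),
    ("allow", ["allowedurls", "allowedUsers"]), ("allow", ["unrestrictedUsers"]),
    ("deny", ["manager"]), ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["blockedurls"]), ("deny", ["!Authenticated"]),
    ("deny", ["noexe"]), ("deny", ["nomp3"]), ("deny", ["all"]),
]

def make_request(url, user=None, groups=(), src="192.168.125.50", method="GET"):
    u = urlparse(url)
    return {"url": url, "path": u.path, "port": u.port or (443 if u.scheme == "https" else 80),
            "user": user, "groups": set(groups), "src": src, "method": method}

def check_access(req, rules=HTTP_ACCESS):
    """Return (verdict, acl_name) as cache.log reports it at debug_options 33,2."""
    for action, terms in rules:
        for term in terms:
            name = term.lstrip("!")
            if ACLS[name](req) == term.startswith("!"):  # this ACL fails the line
                break
        else:                                           # every ACL on the line matched
            return action, name
    return ("allow" if rules[-1][0] == "deny" else "deny"), None  # Squid's implicit default

if __name__ == "__main__":
    print(check_access(make_request("http://www.google.ie/", "paul", ["InternetAllowed"])))
```

Tracing an InternetAllowed user fetching a URL that is not in okurls shows why the log ends at 'all': the only allow line for that group needs allowedurls to match too, and no later line allows the group, so the request falls through every deny line to `deny all`.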