Here is the config for my acls:

acl all src 0/0
acl minha_rede src x.x.x.x/24 (My LAN IP's)
acl lan_bloqueada src "/etc/squid/int_blocked_ips.acl"
acl lan_liberada src "/etc/squid/int_permit_ips.acl"
acl bad_strings url_regex -i "/etc/squid/bad_strings.acl"
acl bad_ips dst "/etc/squid/bad_ips.acl"
acl bad_sites dstdomain "/etc/squid/bad_sites.acl"
acl bad_files urlpath_regex "/etc/squid/bad_files.acl"
acl good_strings url_regex -i "/etc/squid/good_strings.acl"
acl good_sites dstdomain "/etc/squid/permitted.acl"
acl unproductive dstdomain "/etc/squid/unproductive.acl"
acl unprod_strings url_regex -i "/etc/squid/unprod_strings.acl"
acl trabalho time MTWHF 12:00-13:30
acl nao_trabalho time SA
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ssl_ports port 443 563
acl CONNECT method CONNECT
acl safe_ports port 80 # http
acl safe_ports port 21 # ftp
acl safe_ports port 443 # https
acl safe_ports port 563 # snews
acl safe_ports port 70 # gopher
acl safe_ports port 210 # wais
acl safe_ports port 1025-65535 # unregistered ports
acl safe_ports port 280 # http-mgmt
acl safe_ports port 488 # gss-http
acl safe_ports port 591 # filemaker
acl safe_ports port 777 # multiling http

And here is the order of the ACL's

#http_access deny lan_bloqueada
http_access deny bad_sites !good_sites
http_access deny bad_strings !good_strings
http_access deny bad_ips
http_access deny bad_files
#http_access deny trabalho !nao_trabalho unproductive
#http_access deny trabalho !nao_trabalho unprod_strings
http_access deny CONNECT !ssl_ports
http_access allow safe_ports
http_access allow manager localhost
http_access deny manager
http_access allow minha_rede
http_access deny all

The place where I put orkut to be blocked is in the bad_sites acl.

Thank you.

----- Original Message -----
From: "Chris Robertson" <crobertson@xxxxxxx>
To: "Squid" <squid-users@xxxxxxxxxxxxxxx>
Sent: Monday, October 16, 2006 7:21 PM
Subject: Re: Blocking Orkut (https problem)

Palula Brasil wrote:
> Hi everybody!
>
> I'm having some problems and would like to know if it is possible to block
> Orkut connections using https?
>
> This is what's happening. Orkut is being blocked during the working hours,
> but it can be bypassed using the https procedure. When connecting to Orkut,
> squid blocks the site. But by changing the URL, http://www.orkut.com to
> https://www.orkut.com, users are able to access the site.
>
> My question is: is there a way to block this procedure? If we can block
> connections from either port 80 or port 443 (I think) this problem would be
> resolved, right?
>
> Thank you.
>
>

The order of http_access lines is supremely important, as are the ACLs being used. To the best of my knowledge, a url_regex won't work on an HTTPS connection, as the URL being requested is encrypted. Using a dstdomain ACL would not have this problem.

Chris
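
Added example, not part of the original messages: a small first-match evaluator for the active http_access lines in the order posted above, applied to a CONNECT request for www.orkut.com:443. The ACL file contents are constructed (the real /etc/squid/*.acl files are not shown in the thread), and lines whose ACLs depend on data not shown (bad_strings, bad_ips, bad_files, manager) are assumed not to match.

```python
# Added example: models only the dstdomain, port, method and src checks.
SSL_PORTS = {443, 563}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

def dstdomain_match(host, entries):
    """Squid dstdomain: '.example.com' covers the domain and its subdomains,
    'example.com' covers that exact host name only."""
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def acl_true(name, req, files):
    if name in ("bad_sites", "good_sites"):
        return dstdomain_match(req["host"], files.get(name, []))
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "ssl_ports":
        return req["port"] in SSL_PORTS
    if name == "safe_ports":
        return req["port"] in SAFE_PORTS or 1025 <= req["port"] <= 65535
    if name == "minha_rede":
        return req["from_lan"]  # stands in for the src x.x.x.x/24 check
    return name == "all"

# Active http_access lines, in the posted order (see assumptions above).
RULES = [
    ("deny", ["bad_sites", "!good_sites"]),
    ("deny", ["CONNECT", "!ssl_ports"]),
    ("allow", ["safe_ports"]),
    ("allow", ["minha_rede"]),
    ("deny", ["all"]),
]

def decide(req, files):
    """Return (action, rule text) of the first line whose ACLs all match."""
    for action, acls in RULES:
        if all(acl_true(a.lstrip("!"), req, files) != a.startswith("!") for a in acls):
            return action, "http_access %s %s" % (action, " ".join(acls))
    raise AssertionError("unreachable: 'deny all' matches every request")

# Constructed request: what the proxy sees for https://www.orkut.com
HTTPS_ORKUT = {"method": "CONNECT", "host": "www.orkut.com", "port": 443, "from_lan": True}

if __name__ == "__main__":
    for entries in ([".orkut.com"], ["orkut.com"]):
        print(entries, decide(HTTPS_ORKUT, {"bad_sites": entries}))
```

With these constructed inputs the deciding line changes with the form of the bad_sites entry and with whether good_sites also covers the host, which is what to check in the real ACL files.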