Hello,

I am having a problem with Squid allowing some websites that are not in any of our allow lists. For example, I can get to Nike.com, but there is no such entry in any of my allow lists (not only Nike.com, but approximately 15-25% of websites I try that are not on either of the allow lists). I have looked around the FAQ and Googled the problem, but have yet to find something similar. Here are some specs/code:

##########################
#       squid.conf       #
##########################
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
## acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
## acl Safe_ports port 70 # gopher
## acl Safe_ports port 210 # wais
## acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
## acl Safe_ports port 591 # filemaker
## acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
acl proxy_a_users external win_domain_group group_proxy_a
acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
acl proxy_b_users external win_domain_group group_proxy_b
acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"
http_access allow proxy_a_users proxy_a_sites
http_access allow proxy_b_users proxy_b_sites
http_access deny all

###############################
#      proxy_a_sites.txt      #
###############################
.yahoo.com
.lycos.com
.google.com
.altavista.com
.ask.com

###############################
#      proxy_b_sites.txt      #
###############################
.toyota.com
.honda.com
.nissan.com
.gm.com
.chevy.com
.ford.com

###############################
#   snippet from access.log   #
###############################
1172074611.894 172 xxx.xxx.xxx.xxx TCP_MISS/200 5422 GET http://www.nike.com/renov/common/js/utils.js;bsessionid=JCVEUIMR31NY0CQFTC2CF4YKAWMLSIZB DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.081 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1836 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
1172074612.081 187 xxx.xxx.xxx.xxx TCP_MISS/200 3169 GET http://www.nike.com/renov/nikeshell/common/v2/web/history.html? DOMAIN\username DIRECT/72.246.72.212 text/html
1172074612.097 16 xxx.xxx.xxx.xxx TCP_DENIED/407 2058 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
1172074612.097 453 xxx.xxx.xxx.xxx TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\username DIRECT/65.55.195.252 -
1172074612.284 359 xxx.xxx.xxx.xxx TCP_MISS/200 1935 GET http://www.nike.com/renov/nikeshell/common/v2/web/main.html DOMAIN\username DIRECT/72.246.72.212 text/html
1172074612.347 250 xxx.xxx.xxx.xxx TCP_MISS/200 5421 GET http://www.nike.com/renov/common/js/utils.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.363 579 xxx.xxx.xxx.xxx TCP_MISS/200 6167 CONNECT urs.microsoft.com:443 DOMAIN\username DIRECT/65.55.195.252 -
1172074612.738 329 xxx.xxx.xxx.xxx TCP_MISS/200 7267 GET http://www.nike.com/renov/common/js/swfobject.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.753 390 xxx.xxx.xxx.xxx TCP_MISS/200 13481 GET http://www.nike.com/renov/nikeshell/common/v2/web/javascriptflashgateway/javascriptflashgateway.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.925 172 xxx.xxx.xxx.xxx TCP_MISS/200 724 GET http://www.nike.com/renov/common/metrics/bluestreak.js DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.941 172 xxx.xxx.xxx.xxx TCP_MISS/200 2330 GET http://www.nike.com/renov/nikeshell/common/v2/web/javascriptflashgateway/javascriptflashgateway.swf DOMAIN\username DIRECT/72.246.72.212 application/x-shockwave-flash
1172074614.300 1359 xxx.xxx.xxx.xxx TCP_MISS/200 100033 GET http://www.nike.com/renov/nikeshell/common/v2/web/framework.swf DOMAIN\username DIRECT/72.246.72.212 application/x-shockwave-flash
1172074614.566 266 xxx.xxx.xxx.xxx TCP_MISS/200 4272 GET http://www.nike.com/favicon.ico DOMAIN\username DIRECT/72.246.72.212 text/plain
1172074614.691 250 xxx.xxx.xxx.xxx TCP_MISS/200 5856 GET http://fpdownload.macromedia.com/pub/flashplayer/update/current/swf/autoUpdater.swf? DOMAIN\username DIRECT/72.246.90.70 application/x-shockwave-flash
1172074614.831 140 xxx.xxx.xxx.xxx TCP_MISS/200 457 GET http://fpdownload.macromedia.com/get/flashplayer/update/current/xml/express/version_win_ax.xml? DOMAIN\username DIRECT/72.246.90.70 text/xml
1172074615.128 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1770 CONNECT www.macromedia.com:443 - NONE/- text/html
1172074615.144 16 xxx.xxx.xxx.xxx TCP_DENIED/407 1992 CONNECT www.macromedia.com:443 - NONE/- text/html
1172074621.878 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1791 CONNECT fpdownload.macromedia.com:443 - NONE/- text/html
1172074621.894 0 xxx.xxx.xxx.xxx TCP_DENIED/407 2013 CONNECT fpdownload.macromedia.com:443 - NONE/- text/html
1172074645.191 157 xxx.xxx.xxx.xxx TCP_MISS/200 688 GET http://www.nike.com/services/yellowPageService.xml? DOMAIN\username DIRECT/72.246.72.212 text/xml

Running Squid 2.6STABLE9 on a M$ box (long story). The users appear to authenticate correctly, and in a very limited way Squid is functioning. After reading, I cannot find a similar case where Squid is allowing things that don't exist in an allow list, and with this small of a test ACL list/user group, I don't think it is an ACL problem or conflict.

Any ideas or help would be greatly appreciated.

Thanks.
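
An added example, not part of the original post and not Squid's own code: it checks hostnames from the access.log snippet against the two `dstdom_regex` lines as written, on the assumption that a literal `[-i]` token is read as a regular expression (a bracket expression matching `-` or `i`) rather than as the `-i` flag. The parsing model, the use of Python's `re` in place of Squid's regex library, and the hosts `www.google.com` and `www.example.org` are assumptions made for illustration.

```python
import re

# Constructed from the squid.conf lines and list files quoted in the post.
AS_POSTED = {
    "proxy_a_sites": '[-i] "c:/squid/lists/proxy_a_sites.txt"',
    "proxy_b_sites": '[-i] "c:/squid/lists/proxy_b_sites.txt"',
}
# Same lines with the brackets from the documentation syntax removed.
WITH_FLAG = {name: args.replace("[-i]", "-i") for name, args in AS_POSTED.items()}

LIST_FILES = {
    "c:/squid/lists/proxy_a_sites.txt":
        [".yahoo.com", ".lycos.com", ".google.com", ".altavista.com", ".ask.com"],
    "c:/squid/lists/proxy_b_sites.txt":
        [".toyota.com", ".honda.com", ".nissan.com", ".gm.com", ".chevy.com", ".ford.com"],
}

def load_patterns(args):
    """Assumed model: bare -i is a flag, a quoted path is a pattern file,
    and any other token is itself a regex pattern."""
    flags, patterns = 0, []
    for token in args.split():
        if token == "-i":
            flags = re.IGNORECASE
        elif token.startswith('"'):
            patterns += [(p, flags) for p in LIST_FILES[token.strip('"')]]
        else:
            patterns.append((token, flags))
    return patterns

def matching_patterns(host, args):
    """Return every pattern in the ACL that matches the host (unanchored search)."""
    return [p for p, flags in load_patterns(args) if re.search(p, host, flags)]

def audit(hosts, acls):
    """Map each host to {acl_name: [matching patterns]} for ACLs that match."""
    result = {}
    for host in hosts:
        hits = {n: matching_patterns(host, a) for n, a in acls.items()}
        result[host] = {n: m for n, m in hits.items() if m}
    return result

if __name__ == "__main__":
    hosts = ["www.nike.com", "urs.microsoft.com", "fpdownload.macromedia.com",
             "www.google.com", "www.example.org"]  # last two are constructed
    for label, acls in (("as posted", AS_POSTED), ("with -i flag", WITH_FLAG)):
        print(label)
        for host, hits in audit(hosts, acls).items():
            print(f"  {host:28} {hits or 'no match'}")
```

Under this model every host containing an `i` or a hyphen matches both site ACLs, which is consistent with the `TCP_MISS/200` entries for `www.nike.com`, `urs.microsoft.com` and `fpdownload.macromedia.com` in the log.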