cosmo kramer wrote:
Hello,
I am having a problem with Squid allowing some websites that are not in any of our allow lists. For example, I can get to Nike.com, but there is no such entry in any of my allow lists (not only Nike.com, but approximately 15-25% of websites I try that are not on either of the allow lists). I have looked around the FAQ and Googled the problem, but have yet to find something similar.
Here are some specs/code:
##########################
# squid.conf #
##########################
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
## acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
## acl Safe_ports port 70 # gopher
## acl Safe_ports port 210 # wais
## acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
## acl Safe_ports port 591 # filemaker
## acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
acl proxy_a_users external win_domain_group group_proxy_a
I don't see the external_acl_type definition here, but we'll go under
the assumption that you have it set up correctly. That could prove to
be unwise...
acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
I'd suggest you start by changing this ACL to one using dstdomain. The
"regular expressions" you are using are far too vague and regular
expressions should really be used sparingly. This SHOULDN'T be causing
the problem you describe, but it's just good practice.
acl proxy_b_users external win_domain_group group_proxy_b
acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"
http_access allow proxy_a_users proxy_a_sites
http_access allow proxy_b_users proxy_b_sites
http_access deny all
Is this ALL of your http_access lines? What you have shown does not
explain the results you are getting.
###############################
# proxy_a_sites.txt #
###############################
.yahoo.com
.lycos.com
.google.com
.altavista.com
.ask.com
Are these exhaustive lists? Perhaps there is some expression that
matches .nike.com (given that the periods are single point wild cards).
Again, using dstdomain ACLs would alleviate that possibility.
###############################
# proxy_b_sites.txt #
###############################
.toyota.com
.honda.com
.nissan.com
.gm.com
.chevy.com
.ford.com
###############################
# snippet from access.log #
###############################
1172074611.894 172 xxx.xxx.xxx.xxx TCP_MISS/200 5422 GET http://www.nike.com/renov/common/js/utils.js;bsessionid=JCVEUIMR31NY0CQFTC2CF4YKAWMLSIZB DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
1172074612.081 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1836 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
SNIP
Running Squid 2.6STABLE9 on a M$ box (long story). The users appear to authenticate correctly, and in a very limited way Squid is functioning. After reading, I cannot find a similar case where Squid is allowing things that don't exist in an allow list, and with this small of a test ACL list/user group, I don't think it is an ACL problem or conflict.

Any ideas or help would be greatly appreciated.

Thanks.
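An added example, not part of the thread above and not Squid's own code: a small Python model of how the posted dstdom_regex ACLs are evaluated, run against constructed host names. The model makes two assumptions about Squid that are stated in the comments: every token after the ACL type is either the bare flag -i, a quoted file of patterns, or a pattern in its own right, and patterns are applied to the host name as unanchored extended regular expressions. Under those assumptions the literal "[-i]" copied from the documentation (where the square brackets mean "optional") is not a flag at all but a bracket expression matching any host that contains the letter i or a hyphen, which is enough to let www.nike.com through, while the corrected line with a bare -i does not. The example also carries the replier's dstdomain advice one step further: the unanchored ".yahoo.com" regex is satisfied by the constructed host www.yahoo.com.evil.example, whereas a dstdomain-style suffix match is not. The list contents and the example hosts are constructed from the post.

```python
import re

# Constructed stand-in for the list file quoted in the post.
PROXY_A_SITES = [".yahoo.com", ".lycos.com", ".google.com", ".altavista.com", ".ask.com"]
FILES = {"c:/squid/lists/proxy_a_sites.txt": PROXY_A_SITES}


def parse_dstdom_regex(tokens, files):
    """Model (assumption, not Squid's source) of how an
    'acl NAME dstdom_regex TOKEN...' line is read: a bare -i turns on
    case-insensitive matching, a quoted token names a file whose lines are
    patterns, and any other token is itself a pattern.  A literal '[-i]'
    therefore becomes the pattern [-i], a bracket expression matching
    '-' or 'i'."""
    flags = 0
    patterns = []
    for tok in tokens:
        if tok == "-i":
            flags |= re.IGNORECASE
        elif tok.startswith('"') and tok.endswith('"'):
            patterns.extend(files[tok.strip('"')])
        else:
            patterns.append(tok)
    return [re.compile(p, flags) for p in patterns]


def dstdom_regex_matches(host, compiled):
    """Assumption: regex ACLs are applied unanchored to the host name, so a
    pattern matches if it occurs anywhere in the host."""
    return [r.pattern for r in compiled if r.search(host)]


def dstdomain_matches(host, domains):
    """Suffix match in the style of dstdomain: '.example.com' matches
    example.com and every subdomain of it; a bare 'example.com' matches
    only that exact host."""
    host = host.lower().rstrip(".")
    hits = []
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                hits.append(d)
        elif host == d:
            hits.append(d)
    return hits


# The ACL exactly as posted, and the same line with the brackets removed.
AS_POSTED = parse_dstdom_regex(['[-i]', '"c:/squid/lists/proxy_a_sites.txt"'], FILES)
CORRECTED = parse_dstdom_regex(['-i', '"c:/squid/lists/proxy_a_sites.txt"'], FILES)


def classify(host):
    """Which patterns admit this host under each of the three readings."""
    return {
        "as_posted": dstdom_regex_matches(host, AS_POSTED),
        "corrected_regex": dstdom_regex_matches(host, CORRECTED),
        "dstdomain": dstdomain_matches(host, PROXY_A_SITES),
    }


if __name__ == "__main__":
    # Constructed hosts: the one from the access.log, a legitimate list entry,
    # a look-alike that an unanchored regex accepts, and a proxy_b site that
    # happens to contain neither 'i' nor '-'.
    for h in ["www.nike.com", "www.yahoo.com",
              "www.yahoo.com.evil.example", "myyahoo.com", "www.toyota.com"]:
        print(h, classify(h))
```

Running it shows www.nike.com admitted only by the "[-i]" pattern, and www.yahoo.com.evil.example admitted by both regex readings but rejected by the suffix match; hosts that contain neither an i nor a hyphen, such as www.toyota.com, fall through to the deny, which is consistent with only a fraction of unlisted sites getting through.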