On Sunday 09 December 2007 07:03:24 Amos Jeffries wrote:
> dhottinger@xxxxxxxxxxxxxxxxxxxxxx wrote:
> > Quoting ian j hart <ianjhart@xxxxxxxxxxxx>:
> >> On Friday 07 December 2007 23:49:35 Amos Jeffries wrote:
> >>
> >> [Apologies in advance if I've misunderstood anything, it's late
> >> (early) and I'm somewhat brain dead. This time zone thing's a killer]
> >>
> >>> ian j hart wrote:
> >>> > On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
> >>> >> So if I get this right, you'd like to log the acl list that passed
> >>> >> or failed the user?
> >>> >>
> >>> >>
> >>> >>
> >>> >> Adrian
> >>> >
> >>> > Near enough.
> >>> >
> >>> > I want to log the aclname (or custom error page name) and the
> >>> > username. I'll probably want the url in short order, followed by
> >>> > anything else that proves useful.
> >>> >
> >>> > I want to do this for users who are denied access.
> >>> >
> >>> > [The more general solution you state above would probably be okay
> >>> > too. I might need to add DENY/ACCEPT so I can include that in the
> >>> > regexp.]
> >>> >
> >>> > <tangent>
> >>> > Here's an example of how this might be generally useful. I have three
> >>> > different proxy ACLs.
> >>> >
> >>> > A url_regexp
> >>> > A dstdomain list harvested from a popular list site
> >>> > A "daily" list gleaned from yesterday's access summary
> >>>
> >>> Problem:
> >>> If a student can get through all day today what's to stop them?
> >>
> >> Nothing. But here's what I hope will happen. (I probably shouldn't
> >> reveal this, but what the hey).
> >
> > I've missed most of this discussion. But it sounds like you may have
> > gotten this to work. Is there a recap? I'd really like to see your
> > squid.conf (at least snippets that pertain to this). Are you running a
> > transparent proxy? Do you run any kind of commercial filter? I've been
> > struggling with this same thing. Now I catch this through my snort
> > logs, and looking at access_logs for denied hits. I also block quite a
> > few sites at my firewall, but it is impossible to stop. I do seem to
> > have more support from administration than you.
>
> Here be mine squid.conf entry:
>
> external_acl_type surbl_test ipv6 ttl=5 negative_ttl=5 %SRC %DST /etc/squid6/helper/rhsbl.sh multi.surbl.org RHSBL
> acl surbl_clean external surbl_test
> deny_info http://treenet.co.nz/errors/squid-404.php?RBL-SURBL-%m&err=%o&url=%s surbl_clean
> http_access deny all !surbl_clean
>

Okay, I'm having a look at this now.

I'm using 2.6.17 on FreeBSD 6.2 (i386)

No problem with %s.
%o works in an error page but not as used above.
%m doesn't seem to be documented.

>
> The helper is a little complex doing a DNSBL re-formatting and lookup
> before returning OK/ERR to squid.
>
> FYI: SURBL is an anti-malware RHSBL which lists domains advertised in
> Spam or known for malware distribution.
> There is no reason particularly why the helper can't do a lookup
> elsewhere for a locally built list via another medium.
>
>
> Amos

-- 
ian j hart
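
Added example, not part of the thread and not Amos's rhsbl.sh: a minimal helper for the external_acl_type line quoted above, answering OK when %DST is not listed so that it fits "http_access deny all !surbl_clean". It assumes one "%SRC %DST" request per line on stdin; the function names, the message= values, querying the hostname exactly as given, and treating resolver errors as "not listed" are choices of this example.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: OK if %DST is not listed in an RHSBL zone."""
import ipaddress
import socket
import sys


def query_name(dst, zone):
    """Build the DNS name to look up for a destination host or IPv4 literal."""
    dst = dst.strip().rstrip(".").lower()
    try:
        ip = ipaddress.IPv4Address(dst)
    except ValueError:
        # Hostname: RHSBL style, the name is prepended to the zone unchanged.
        return f"{dst}.{zone}"
    # IPv4 literal: DNSBL style, octets reversed before the zone.
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(name, resolve=socket.gethostbyname):
    """A listing is an A record in 127.0.0.0/8; NXDOMAIN means not listed."""
    try:
        return resolve(name).startswith("127.")
    except OSError:
        # Fails open: a resolver outage lets traffic through. Return True
        # here instead if the proxy should fail closed.
        return False


def answer(line, zone, resolve=socket.gethostbyname):
    """Map one request line ('%SRC %DST') to the reply line Squid expects."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR message=bad-request"
    _src, dst = fields
    if is_listed(query_name(dst, zone), resolve):
        # message= is the optional keyword Squid exposes as %o in error pages.
        return "ERR message=listed-in-" + zone
    return "OK"


def main():
    zone = sys.argv[1] if len(sys.argv) > 1 else "multi.surbl.org"
    for line in sys.stdin:
        # One reply per request line, flushed so Squid is not left waiting.
        print(answer(line, zone), flush=True)


if __name__ == "__main__":
    main()
```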