Re: Problem in allowing only selected https sites and denying all others !!!

[Chris Robertson <crobertson@xxxxxxx>]

Shiva Raman wrote:
> Hi
>
> I am using Centos 5, Squid Cache: Version 2.6.STABLE6 and
> my local lan network is 192.168.10.0/24. More than 150 users
> are concurrently accessing the squid proxy server.
>
> Following is my requirement
>
> 1) Access to all  http sites
> 2) Access to only selected https sites like redhat.com ,paypal.com
> and all  other https sites should be denied .
>
> Following is my squid.conf
> ----------------------------
>
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> access_log /var/log/squid/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports  port 443          # https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 192.168.10.0/24 192.168.20.0/24
> acl myhttps dstdomain .redhat.com
> http_access allow our_networks
>   

This is your first match, and access is allowed.  Move this line just 
above the "http_access deny all" and remove the "http_access deny 
our_networks", and you'll be set.

> http_access deny our_networks  SSL_ports !myhttps
> http_access deny  our_networks
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname myoffice
> coredump_dir /var/spool/squid
>
>
> ----------------------------------
>
>
> From the above configuration, the problem i am facing here is that all
> the https sites are accessible to the users.
> even if i had allowed only 'myhttps' . Is it possible to block
> specific https sites as per my requirement?
>
> Also Is  it neccesary to define prot 443 in both SSL_ports as well as
> Safe_ports?
>   

For the best security, yes.  Safe_ports allows connecting in general (or 
more accurately doesn't deny the connection) to the specified ports, 
SSL_Ports specifically allows (doesn't disallow) CONNECT (which is what 
browsers use to pass SSL traffic through a proxy.

> When i remove 443 from Safe_ports, i am not able to access any https sites.
>   

As the connection is denied by the line "http_access deny !Safe_ports".

> Thanks for any help
>
> Regards
>
> Shiva Raman .
> SysAdmin
>   

For what it's worth, the FAQ section on ACLs 
(http://wiki.squid-cache.org/SquidFaq/SquidAcl) is quite readable.

Chris