> Shelton, maybe the tag
> http_access allow our_network
> should go after and not before (or maybe you don't need it at all)
> http_access denied custom_denied_domains dst "etc/squid/denied_domains.acl"
>
> hope to be helpful.
> I'm a beginner.
> Regards,
> Felix Lazaro Carbonell
>
>> Site filtering issue
>>
>> I am having issues with filtering of my websites. I have set up squid
>> 2.6.STABLE17 over a Fedora 8 machine. Below is my squid.conf file.
>> Squid seems to log all sites that are going out from other stations
>> but does not filter any of the sites. They all go through.
>> My denied_domains.acl has
>> .youtube.com
>> .hotmail.com
>> .live.com
>> But these sites don't seem to get blocked out. I had also issued this
>> command thinking that it was to do with Iptables
>> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>
>> Initially squid wouldn't work; everything would be blocked so I
>> disabled the firewall which allowed access. So I put a custom allow to
>> port 3128 which opened it up but to all sites.
>>
>> --------------
>> squid.conf
>> --------------
>> visible_hostname vanderpolgroup
>>
>> http_port 3128
>>
>> maximum_object_size 32768 KB
>> maximum_object_size_in_memory 128 KB
>>
>> cache_mem 256 MB
>> cache_dir ufs /var/spool/squid 70000 32 512
>>
>> cache_access_log /var/log/squid/access.log
>> cache_log /var/log/squid/cache.log
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl our_network src 192.168.10.0/24
>> acl to_localhost dst 127.0.0.0/8
>>
>> acl SSL_ports port 443 # SSL
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 563 70
>> acl CONNECT method CONNECT
>>
>> acl custom_allowed_domains dstdomain "/etc/squid/allowed_domains.acl"
>> acl custom_denied_domains dstdomain "/etc/squid/denied_domains.acl"
>>
>> acl ads_blacklist dstdom_regex "/etc/squid/blacklist/ads/domains"
>> acl aggressive_blacklist dstdom_regex "/etc/squid/blacklist/aggressive/domains"
>> acl audio-video_blacklist dstdom_regex "/etc/squid/blacklist/audio-video/domains"
>> acl drugs_blacklist dstdom_regex "/etc/squid/blacklist/drugs/domains"
>> acl gambling_blacklist dstdom_regex "/etc/squid/blacklist/gambling/domains"
>> acl hacking_blacklist dstdom_regex "/etc/squid/blacklist/hacking/domains"
>> acl mail_blacklist dstdom_regex "/etc/squid/blacklist/mail/domains"
>> acl porn_blacklist dstdom_regex "/etc/squid/blacklist/porn/domains"
>> acl proxy_blacklist dstdom_regex "/etc/squid/blacklist/proxy/domains"
>> acl redirector_blacklist dstdom_regex "/etc/squid/blacklist/redirector/domains"
>> acl spyware_blacklist dstdom_regex "/etc/squid/blacklist/spyware/domains"
>> acl suspect_blacklist dstdom_regex "/etc/squid/blacklist/suspect/domains"
>> acl violence_blacklist dstdom_regex "/etc/squid/blacklist/violence/domains"
>> acl warez_blacklist dstdom_regex "/etc/squid/blacklist/warez/domains"
>> acl networking_blacklist dstdom_regex "/etc/squid/blacklist/networking/domains"

Please go through those lists carefully and consider if you actually
for-real need the regex. 'dstdomain' can take whole domains or wildcard
sub-domains and is VERY much more efficient than any regex.

>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow our_network
>> http_access deny all

None of the http_access lines after this will ever match. 'deny all'
does exactly what it sounds like. You want 'deny all' to be the very
last http_access config line. And the 'allow our_network' should
probably join it at the end. Perhaps with a 'deny !our_network' left
here to speed up denial of external connection attempts.

>> icp_access allow all
>> #miss_access allow all
>>
>> http_access allow custom_allowed_domains
>> http_access deny custom_denied_domains
>>
>> http_access deny ads_blacklist
>> http_access deny aggressive_blacklist
>> http_access deny audio-video_blacklist
>> http_access deny drugs_blacklist
>> http_access deny gambling_blacklist
>> http_access deny hacking_blacklist
>> http_access deny mail_blacklist
>> http_access deny porn_blacklist
>> http_access deny proxy_blacklist
>> http_access deny redirector_blacklist
>> http_access deny spyware_blacklist
>> http_access deny suspect_blacklist
>> http_access deny violence_blacklist
>> http_access deny warez_blacklist
>> http_access deny networking_blacklist
>>
>> cache_mgr abc@xxxxxxx
>>
>> Thanks
>> Sheldon
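The ordering problem in the reply above can be reproduced with a small first-match simulator of Squid's http_access evaluation. This is an added example, not code from the thread or from Squid; it models only 'src' and 'dstdomain' ACLs, uses the network and domain values quoted in the thread, and embeds a constructed stand-in for /etc/squid/denied_domains.acl.

```python
import ipaddress

# Constructed inline stand-in for the contents of /etc/squid/denied_domains.acl
DENIED_DOMAINS = [".youtube.com", ".hotmail.com", ".live.com"]

# Only the ACLs needed to show the ordering problem are modelled (assumption).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "our_network": ("src", ["192.168.10.0/24"]),
    "custom_denied_domains": ("dstdomain", DENIED_DOMAINS),
}

def dstdomain_match(pattern, host):
    # Squid 'dstdomain' semantics: a leading dot matches the domain itself and
    # every subdomain; without a leading dot the host must match exactly.
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, client_ip, host):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, host) for v in values)
    raise ValueError("unsupported acl type: " + kind)

def http_access(rules, client_ip, host):
    """Return the action of the first rule whose ACLs all match.
    A leading '!' negates an ACL. If nothing matches, Squid applies the
    opposite of the last rule's action, which is reproduced here."""
    for action, *acls in rules:
        if all(not acl_matches(a[1:], client_ip, host) if a.startswith("!")
               else acl_matches(a, client_ip, host) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order as posted: 'allow our_network' matches every LAN client before any
# deny is reached, so the denied-domain rule after it is dead code.
AS_POSTED = [
    ("allow", "our_network"),
    ("deny", "all"),
    ("deny", "custom_denied_domains"),
]

# Order suggested in the reply: denies first, 'deny all' as the last line.
REORDERED = [
    ("deny", "!our_network"),
    ("deny", "custom_denied_domains"),
    ("allow", "our_network"),
    ("deny", "all"),
]
```

Running http_access(AS_POSTED, "192.168.10.5", "www.youtube.com") returns "allow", while the same request against REORDERED returns "deny".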