Troy Piggins wrote:
* Amos Jeffries wrote :
Troy Piggins wrote:
Not sure if this is a squid or dnsmasq problem, so hope you don't
mind me asking same question in 2 lists.
I'm using squid3 as a transparent proxy by redirecting port 80
in iptables, and dnsmasq as well. This all works fine. But now
I'm trying to utilise the mvps hosts file to block malicious
URLs and am having trouble getting squid to recognise this hosts
file.
<snip />
But from a browser if I try to view a website listed in the mvps
hosts file, I don't get the blocked site message page, I get the
real (malicious) one.
IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
    nameserver 127.0.0.1
    search isp.invalid
And so if it's using localhost and DNS, that's dnsmasq and the
mvps hosts file should come into play.
What am I missing?
Squid only loads the /etc/resolv.conf and /etc/hosts files. No other
special ones.
Understood, but I was assuming that since my /etc/resolv.conf
points to localhost as a nameserver and that nameserver uses the
mvps hosts file those entries would be used. Hmm...
Ah, yes that should work also. IFF it's the only nameserver.
As an alternative, I've seen reference to using mvps entries
somehow in squid.conf acls or rules, but haven't found a good
explanation of /how/ to do this or examples. Any pointers there
if that's the better way to go?
From the Squid point of view...
Probably a custom external ACL processor. If the mvps format is simple
it should be relatively easy to construct.
The mvps hosts file looks exactly like /etc/hosts file format.
K. In that case the squid.conf option hosts_file should be usable for
squid without even needing the localhost resolver
http://www.squid-cache.org/Versions/v3/3.0/cfgman/hosts_file.html
The simplest way though, is to use a plain dstdomain ACL, possibly with
the entries in a file for easy management.
You then use the custom ACL helper, http_access, and deny_info URL to
provide the custom denial webpage for visitors.
http://www.squid-cache.org/Versions/v3/3.0/cfgman/external_acl_type.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/http_access.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/deny_info.html
Thank you for those links. I'll look into it.
Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
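
The dstdomain-file approach suggested above, as an added example that is not part of the original thread: a Python filter that turns hosts-format text into a de-duplicated domain list for a Squid `dstdomain` ACL file. The sample input is constructed, and the sink addresses, file path, ACL name and denial-page URL are assumptions.

```python
import re

# Constructed sample in hosts-file format (not real MVPS data).
SAMPLE = """\
127.0.0.1  localhost
::1  localhost #[IPv6]
0.0.0.0 ads.example.com
0.0.0.0 ADS.example.com   # duplicate in a different case
0.0.0.0 tracker.example.net.
192.0.2.10 intranet.example.org
0.0.0.0 not_a_host!
"""

# Assumption: block entries point at one of these sink addresses.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$"
)


def hosts_to_dstdomain(text):
    """Return sorted, de-duplicated hostnames suitable for a dstdomain file."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        # Real address mappings (e.g. an intranet host) are not block entries.
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                domains.add(name)            # set() removes duplicates
    return sorted(domains)


# squid.conf lines that would consume the output (path and URL are assumptions;
# the deny line must come before the http_access rules that allow clients):
#   acl mvps dstdomain "/etc/squid3/mvps.domains"
#   deny_info http://proxy.example.invalid/blocked.html mvps
#   http_access deny mvps

if __name__ == "__main__":
    print("\n".join(hosts_to_dstdomain(SAMPLE)))
```

Entries without a leading dot match only the exact hostname, which mirrors how a hosts file behaves.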