Search squid archive

RE: New Setup help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Current config 

http_port 192.168.31.3:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
 cache_dir ufs /var/spool/squid 1000 16 256
access_log /var/log/squid/access.log squid
dns_nameservers 192.168.31.11
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl good_url dstdomain "/etc/squid/allowed_sites.squid"
acl pnc_network src 192.168.31.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow good_url
http_access deny all
visible_hostname VIRT1
coredump_dir /var/spool/squid


[root@VIRT1 ~]# tail -12 /var/log/squid/access.log
1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET
http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431489.599      0 192.168.31.12 TCP_DENIED/403 1434 GET
http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET
http://www.google.com/ - NONE/- text/html
1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET
http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET
http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/-
text/html
1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET
http://www.americas-pet-store.com/ - NONE/- text/html
1235431851.577      0 192.168.31.12 TCP_DENIED/403 1428 GET
http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
1235432020.747      2 192.168.31.12 TCP_DENIED/403 1406 GET
http://www.americas-pet-store.com/ - NONE/- text/html
1235432022.176      2 192.168.31.12 TCP_DENIED/403 1406 GET
http://www.americas-pet-store.com/ - NONE/- text/html
1235432030.656      4 192.168.31.12 TCP_DENIED/403 1450 GET
http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/-
text/html
1235432036.294      2 192.168.31.12 TCP_DENIED/403 1382 GET
http://www.google.com/ - NONE/- text/html
1235432087.084      2 192.168.31.12 TCP_DENIED/403 1382 GET
http://www.google.com/ - NONE/- text/html
[root@VIRT1 ~]#
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Monday, February 23, 2009 5:53 PM
To: Jim Lawrence
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  New Setup help

> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
> centos squid server.
> Client computers (8)
>
> Would like to have all web traffic blocked except websites defined in
a
> allowed_sites.squid config file.
> My squid.conf file
>
> Should my squid server have 2 network cards or can I leave it with the
one
> ?

One or two, it does not matter to the problem you currently have.

>
> +++++++
> [root@VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
> http_port 192.168.31.3:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>  cache_dir ufs /var/spool/squid 1000 16 256
> access_log /var/log/squid/access.log squid
> dns_nameservers 192.168.31.11
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
> acl pnc_network src 192.168.31.0/255.255.255.0
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

> http_access allow good_url

 * permits anyone who can contact your squid to connect to any of the
listed sites. Probably don't want that ...

 * Or maybe you intended to be a reverse-proxy/accelerator for internal
sites?
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

To enact your stated "all web traffic blocked except websites defined in
a
allowed_sites.squid config file"

Add here:
  http_access deny all

drop the following http_access lines:

> http_access deny pnc_network
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname VIRT1
> coredump_dir /var/spool/squid
> ++++++++
>
>
>
> client's cannot access anything.

Is the content of "/etc/squid/allowed_sites.squid"
correctly formatted for dstdomain?

A list of domain names one per line with the following style:

 example.com  - matches only example.com domain.

 .example.com   - matches example.com and ALL *.example.com sub-domains.


Amos



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux