Current config

http_port 192.168.31.3:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir ufs /var/spool/squid 1000 16 256
access_log /var/log/squid/access.log squid
dns_nameservers 192.168.31.11
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
acl good_url dstdomain "/etc/squid/allowed_sites.squid"
acl pnc_network src 192.168.31.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow good_url
http_access deny all
visible_hostname VIRT1
coredump_dir /var/spool/squid

[root@VIRT1 ~]# tail -12 /var/log/squid/access.log
1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431489.599      0 192.168.31.12 TCP_DENIED/403 1434 GET http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235431851.577      0 192.168.31.12 TCP_DENIED/403 1428 GET http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
1235432020.747      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235432022.176      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
1235432030.656      4 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235432036.294      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235432087.084      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
[root@VIRT1 ~]#

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, February 23, 2009 5:53 PM
To: Jim Lawrence
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: New Setup help

> Cisco1720 router --> 4 Windows-based servers, 1 CentOS virtual server, 1
> CentOS squid server.
> Client computers (8)
>
> Would like to have all web traffic blocked except websites defined in an
> allowed_sites.squid config file.
> My squid.conf file
>
> Should my squid server have 2 network cards or can I leave it with the
> one?

One or two, it does not matter to the problem you currently have.

>
> +++++++
> [root@VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
> http_port 192.168.31.3:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_dir ufs /var/spool/squid 1000 16 256
> access_log /var/log/squid/access.log squid
> dns_nameservers 192.168.31.11
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
> acl pnc_network src 192.168.31.0/255.255.255.0
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow good_url

* permits anyone who can contact your squid to connect to any of the
listed sites. Probably don't want that ...

* Or maybe you intended to be a reverse-proxy/accelerator for internal
sites?
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator

To enact your stated "all web traffic blocked except websites defined in
an allowed_sites.squid config file"

Add here:
  http_access deny all

drop the following http_access lines:

> http_access deny pnc_network
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> visible_hostname VIRT1
> coredump_dir /var/spool/squid
> ++++++++
>
>
>
> clients cannot access anything.

Is the content of "/etc/squid/allowed_sites.squid" correctly formatted
for dstdomain?

A list of domain names one per line with the following style:
  example.com   - matches only example.com domain.
  .example.com  - matches example.com and ALL *.example.com sub-domains.

Amos
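Added example, not part of the thread and not Squid's own code: a POSIX shell script that writes the access-control section the way the reply describes it (the `http_access deny all` placed directly after the whitelist rule, the rest of the old deny/allow tail dropped), then checks an allowed_sites.squid file for the entries a dstdomain list can never match (a scheme or path, a port, a `*` wildcard) and applies the exact-versus-subdomain rule from the end of the reply to the hosts that appear in the TCP_DENIED lines above. It goes one step beyond the reply by ANDing the whitelist allow with the pnc_network ACL, which answers the "anyone who can contact your squid" remark. It also declares Safe_ports: the paste in the thread was filtered with `sed '/ *#/d'`, which deletes every line containing a `#`, so the stock lines of the form `acl Safe_ports port 80 # http` would be hidden even if they are present, and Squid will not start if an http_access rule names an ACL that is never defined. The file paths, the three constructed list entries and the `demo` function are assumptions; the matching helper implements the rule as the reply states it rather than calling Squid's own matcher.

```sh
#!/bin/sh
# Added example (not from the squid-users thread): build the whitelist-only
# access-control section, check the dstdomain list file, and show which hosts
# from the posted access.log such a list would admit.

# 1. Access-control section only; keep http_port, cache_dir etc. from the
#    existing squid.conf. Squid evaluates http_access lines top to bottom and
#    stops at the first match, so "deny all" must be the last one.
#    Safe_ports is declared here because the thread's paste was filtered with
#    sed '/ *#/d', which drops any line containing '#', including the stock
#    "acl Safe_ports port 80 # http" lines; an undefined ACL name is fatal.
write_whitelist_conf() {
    # $1 = file to write, $2 = path of the allowed_sites list (assumed paths)
    cat > "$1" <<EOF
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl pnc_network src 192.168.31.0/255.255.255.0
acl good_url dstdomain "$2"
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow pnc_network good_url
http_access deny all
EOF
}

# 2. A dstdomain list is one bare domain per line. Anything else (a URL with
#    scheme or path, a port, a '*' wildcard) never matches, and the proxy then
#    denies every request, which is what the access.log above shows.
check_allowed_sites() {
    rc=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;
            *://*|*/*) echo "line $lineno: '$line' has a scheme or path; use a bare domain" >&2; rc=1 ;;
            *\**)      echo "line $lineno: '$line' wildcards are not supported; use .example.com" >&2; rc=1 ;;
            *:*)       echo "line $lineno: '$line' ports belong in an 'acl ... port' rule" >&2; rc=1 ;;
            *[!A-Za-z0-9.-]*) echo "line $lineno: '$line' is not a valid host name" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# 3. The rule at the end of the reply: "example.com" matches only that host,
#    ".example.com" matches it and every sub-domain. Compared case-insensitively.
#    (This mirrors the stated rule; it is not Squid's matcher.)
dstdomain_matches() {
    entry=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "${entry#.}" != "$entry" ]; then
        [ "$host" = "${entry#.}" ] && return 0
        case "$host" in *"$entry") return 0 ;; esac
        return 1
    fi
    [ "$host" = "$entry" ]
}

# Does any entry in list file $1 admit host $2?
host_allowed() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        dstdomain_matches "$line" "$2" && return 0
    done < "$1"
    return 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed list: a sub-domain entry, an exact entry and the classic
    # mistake of pasting a URL instead of a domain.
    printf '%s\n' '.google.com' 'www.americas-pet-store.com' \
        'http://wiki.squid-cache.org/' > "$tmp/allowed_sites.squid"
    write_whitelist_conf "$tmp/squid.conf" "$tmp/allowed_sites.squid"
    if check_allowed_sites "$tmp/allowed_sites.squid"; then
        echo "list format OK"
    else
        echo "list has entries dstdomain will never match"
    fi
    # Hosts taken from the TCP_DENIED lines in the posted access.log.
    for h in mail.google.com www.google.com www.americas-pet-store.com \
             americas-pet-store.com wiki.squid-cache.org; do
        if host_allowed "$tmp/allowed_sites.squid" "$h"; then
            echo "$h: allowed"
        else
            echo "$h: denied"
        fi
    done
    # Syntax-check the generated fragment when squid is installed.
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$tmp/squid.conf" || echo "squid rejected the config"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with `sh` on the proxy host; the third list entry is reported as unusable and wiki.squid-cache.org comes out denied while the Google and pet-store hosts come out allowed, which is the effect of `.google.com` versus an exact entry. After fixing the real list, `squid -k reconfigure` and re-run the `tail` of access.log: a whitelisted site should now log TCP_MISS/200 (or TCP_HIT) instead of TCP_DENIED/403.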