cat /etc/squid/allowed_sites.squid
*.americas-pet-store.com
*.petfrenzy.com
*.google.com
[root@VIRT1 ~]#

I did a "service squid restart" and, for good measure, "service squid reload".

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, February 23, 2009 8:45 PM
To: Jim Lawrence
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: New Setup help

> Current config
>
> http_port 192.168.31.3:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_dir ufs /var/spool/squid 1000 16 256
> access_log /var/log/squid/access.log squid
> dns_nameservers 192.168.31.11
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
> acl pnc_network src 192.168.31.0/255.255.255.0
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow good_url
> http_access deny all
> visible_hostname VIRT1
> coredump_dir /var/spool/squid
>
>
> [root@VIRT1 ~]# tail -12 /var/log/squid/access.log
> 1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
> 1235431489.599      0 192.168.31.12 TCP_DENIED/403 1434 GET http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
> 1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
> 1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
> 1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
> 1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
> 1235431851.577      0 192.168.31.12 TCP_DENIED/403 1428 GET http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
> 1235432020.747      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
> 1235432022.176      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
> 1235432030.656      4 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
> 1235432036.294      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
> 1235432087.084      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
> [root@VIRT1 ~]#

Assuming you remembered to -k reconfigure squid.

That leaves the question: are any of these actually listed in your allowed_sites.squid file?

mail.google.com
www.google.com
.google.com
www.americas-pet-store.com
.americas-pet-store.com
.com
wiki.squid-cache.org
.squid-cache.org
.org

Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Monday, February 23, 2009 5:53 PM
> To: Jim Lawrence
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: New Setup help
>
>> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
>> centos squid server.
>> Client computers (8)
>>
>> Would like to have all web traffic blocked except websites defined in an
>> allowed_sites.squid config file.
>>
>> My squid.conf file
>>
>> Should my squid server have 2 network cards or can I leave it with the one?
>
> One or two, it does not matter to the problem you currently have.
>
>>
>> +++++++
>> [root@VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
>> http_port 192.168.31.3:3128
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_dir ufs /var/spool/squid 1000 16 256
>> access_log /var/log/squid/access.log squid
>> dns_nameservers 192.168.31.11
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>> acl pnc_network src 192.168.31.0/255.255.255.0
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
>> http_access allow good_url
>
> * permits anyone who can contact your squid to connect to any of the
> listed sites. Probably don't want that ...
>
> * Or maybe you intended to be a reverse-proxy/accelerator for internal
> sites?
> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>
> To enact your stated "all web traffic blocked except websites defined in
> a allowed_sites.squid config file"
>
> Add here:
> http_access deny all
>
> drop the following http_access lines:
>
>> http_access deny pnc_network
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> visible_hostname VIRT1
>> coredump_dir /var/spool/squid
>> ++++++++
>>
>>
>>
>> Clients cannot access anything.
>
> Is the content of "/etc/squid/allowed_sites.squid"
> correctly formatted for dstdomain?
>
> A list of domain names one per line with the following style:
>
> example.com - matches only example.com domain.
>
> .example.com - matches example.com and ALL *.example.com sub-domains.
>
>
> Amos
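The thread turns on the difference between the "*.example.com" glob spelling in the posted allowed_sites.squid file and the bare "example.com" / ".example.com" forms that dstdomain actually understands. The following is an added example written for this page, not Squid's own code or anything from the list posters: it models the two documented dstdomain forms, flags "*." entries, and replays the hostnames from the quoted access log against both the file as posted and a corrected version. The assumption that a "*.example.com" entry is compared literally and therefore never matches a real hostname is mine; it is consistent with the TCP_DENIED/403 lines in the thread but is not stated there. The sample file contents and log lines below are constructed to mirror the thread.

```python
"""Model of Squid dstdomain matching, used to lint an allowed_sites file.

Added illustration, not Squid's own code.  Semantics implemented:
  example.com   -> matches only the host example.com
  .example.com  -> matches example.com and every sub-domain of it
Any other entry (for example a '*.example.com' glob) is ASSUMED to be
compared literally, so it never matches a real hostname.
"""
from urllib.parse import urlsplit


def parse_dstdomain_file(text):
    """Return (entries, warnings) for an 'acl ... dstdomain "file"' list.

    One entry per line; '#' comments and blank lines are skipped and
    entries are lower-cased.  Each '*.' entry produces a warning with
    the spelling dstdomain expects.
    """
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("*."):
            warnings.append(
                f"line {lineno}: '{line}' is a shell-style glob; dstdomain "
                f"wants '{line[1:]}' to cover the domain and its sub-domains")
        entries.append(line)
    return entries, warnings


def dstdomain_match(host, entries):
    """True if host is matched by any dstdomain entry."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            # '.example.com' matches example.com itself and any sub-domain.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            # bare 'example.com' matches only that exact host
            return True
    return False


def check_access_log(log_text, entries):
    """Map each request host in a squid-format access log to the
    allow/deny decision the dstdomain list would give it.

    Squid native log fields: time elapsed client code/status bytes
    method URL rfc931 hierarchy/peer type; the URL is field 7.
    """
    decisions = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        url = fields[6]
        # CONNECT requests log "host:port" with no scheme; fall back to
        # the part before the colon for those.
        host = urlsplit(url).hostname or url.split(":", 1)[0]
        decisions[host] = dstdomain_match(host, entries)
    return decisions


# Constructed sample inputs mirroring the thread (not copied from a live box).
ALLOWED_AS_POSTED = """\
*.americas-pet-store.com
*.petfrenzy.com
*.google.com
"""
ALLOWED_FIXED = """\
.americas-pet-store.com
.petfrenzy.com
.google.com
"""
SAMPLE_LOG = """\
1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
"""

if __name__ == "__main__":
    for label, text in (("as posted", ALLOWED_AS_POSTED), ("fixed", ALLOWED_FIXED)):
        entries, warnings = parse_dstdomain_file(text)
        print(f"--- allowed_sites {label}: {entries}")
        for w in warnings:
            print("WARNING", w)
        for host, allowed in check_access_log(SAMPLE_LOG, entries).items():
            print(f"{'allow' if allowed else 'deny ':5} {host}")
```

With the file as posted every host is denied; with the leading-dot spelling the google.com and americas-pet-store.com hosts are allowed while wiki.squid-cache.org and the mistyped www.americas-pet.store.com stay denied, which is the behaviour the poster says they want. Two things a practitioner would also check on the real box: run `squid -k parse` against the config after every edit, since a `service squid restart` may leave the old process serving if the new config fails to load, and note that the stripped config quoted above references `Safe_ports` in an `http_access` line without a visible `acl Safe_ports` definition, which is exactly the kind of problem the parse step reports.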