RE: New Setup help

cat /etc/squid/allowed_sites.squid
*.americas-pet-store.com
*.petfrenzy.com
*.google.com
[root@VIRT1 ~]#

I did a service squid restart 
And for good measure  service squid reload

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] 
Sent: Monday, February 23, 2009 8:45 PM
To: Jim Lawrence
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE:  New Setup help

> Current config
>
> http_port 192.168.31.3:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>  cache_dir ufs /var/spool/squid 1000 16 256
> access_log /var/log/squid/access.log squid
> dns_nameservers 192.168.31.11
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
> acl pnc_network src 192.168.31.0/255.255.255.0
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow good_url
> http_access deny all
> visible_hostname VIRT1
> coredump_dir /var/spool/squid
>
>
> [root@VIRT1 ~]# tail -12 /var/log/squid/access.log
> 1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET
> http://mail.google.com/mail/channel/test? - NONE/- text/html
> 1235431489.599      0 192.168.31.12 TCP_DENIED/403 1434 GET
> http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
> 1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET
> http://www.google.com/ - NONE/- text/html
> 1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET
> http://www.americas-pet.store.com/ - NONE/- text/html
> 1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET
> http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/-
> text/html
> 1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET
> http://www.americas-pet-store.com/ - NONE/- text/html
> 1235431851.577      0 192.168.31.12 TCP_DENIED/403 1428 GET
> http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
> 1235432020.747      2 192.168.31.12 TCP_DENIED/403 1406 GET
> http://www.americas-pet-store.com/ - NONE/- text/html
> 1235432022.176      2 192.168.31.12 TCP_DENIED/403 1406 GET
> http://www.americas-pet-store.com/ - NONE/- text/html
> 1235432030.656      4 192.168.31.12 TCP_DENIED/403 1450 GET
> http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/-
> text/html
> 1235432036.294      2 192.168.31.12 TCP_DENIED/403 1382 GET
> http://www.google.com/ - NONE/- text/html
> 1235432087.084      2 192.168.31.12 TCP_DENIED/403 1382 GET
> http://www.google.com/ - NONE/- text/html
> [root@VIRT1 ~]#


Assuming you remembered to -k reconfigure squid.
That leaves the question:
 are any of these actually listed in your allowed_sites.squid file?

mail.google.com
www.google.com
.google.com
www.americas-pet-store.com
.americas-pet-store.com
.com
wiki.squid-cache.org
.squid-cache.org
.org


Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Monday, February 23, 2009 5:53 PM
> To: Jim Lawrence
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: Re:  New Setup help
>
>> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
>> centos squid server.
>> Client computers (8)
>>
>> Would like to have all web traffic blocked except websites defined in a
>> allowed_sites.squid config file.
>> My squid.conf file
>>
>> Should my squid server have 2 network cards or can I leave it with the one?
>
> One or two, it does not matter to the problem you currently have.
>
>>
>> +++++++
>> [root@VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
>> http_port 192.168.31.3:3128
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>>  cache_dir ufs /var/spool/squid 1000 16 256
>> access_log /var/log/squid/access.log squid
>> dns_nameservers 192.168.31.11
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern .               0       20%     4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>> acl pnc_network src 192.168.31.0/255.255.255.0
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
>> http_access allow good_url
>
>  * permits anyone who can contact your squid to connect to any of the
> listed sites. Probably don't want that ...
>
>  * Or maybe you intended to be a reverse-proxy/accelerator for internal
> sites?
> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>
> To enact your stated "all web traffic blocked except websites defined in a
> allowed_sites.squid config file"
>
> Add here:
>   http_access deny all
>
> drop the following http_access lines:
>
>> http_access deny pnc_network
>> http_access allow localhost
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> visible_hostname VIRT1
>> coredump_dir /var/spool/squid
>> ++++++++
>>
>>
>>
>> clients cannot access anything.
>
> Is the content of "/etc/squid/allowed_sites.squid"
> correctly formatted for dstdomain?
>
> A list of domain names one per line with the following style:
>
>  example.com  - matches only example.com domain.
>
>  .example.com   - matches example.com and ALL *.example.com sub-domains.
>
>
> Amos
>
>
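
A check of the posted allowed_sites.squid against the two dstdomain entry styles Amos lists, run over the hosts denied in the access.log excerpt. This is an added example, not part of the original messages; the function names are hypothetical and it assumes "*" carries no wildcard meaning in a dstdomain list.

```python
# Added example: models the two dstdomain entry styles described in the thread.
# Assumption: "*" has no wildcard meaning in a dstdomain list.

# File content as posted in the reply at the top of the thread.
FILE_AS_POSTED = ["*.americas-pet-store.com", "*.petfrenzy.com", "*.google.com"]
# Hosts taken from the denied requests in the access.log excerpt.
LOGGED_HOSTS = [
    "mail.google.com", "www.google.com", "www.americas-pet.store.com",
    "www.americas-pet-store.com", "wiki.squid-cache.org",
]

def matches(entry, host):
    """True if one list entry covers the requested host name."""
    entry, host = entry.lower(), host.lower().rstrip(".")
    if entry.startswith("."):
        # ".example.com" covers example.com and every sub-domain of it
        return host == entry[1:] or host.endswith(entry)
    return host == entry  # "example.com" covers only that exact name

def lint(lines):
    """Return (entries, problems); problems are (line_no, entry, suggestion)."""
    entries, problems = [], []
    for n, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if "*" in entry:
            # Suggest the leading-dot form in place of the glob-style prefix.
            problems.append((n, entry, "." + entry.lstrip("*.")))
        entries.append(entry)
    return entries, problems

def allowed(host, entries):
    """True if any entry in the list covers the host."""
    return any(matches(e, host) for e in entries)

if __name__ == "__main__":
    entries, problems = lint(FILE_AS_POSTED)
    for n, entry, fix in problems:
        print(f"line {n}: {entry!r} is not a dstdomain style, try {fix!r}")
    fixed = [fix for _, _, fix in problems]
    for host in LOGGED_HOSTS:
        print(f"{host:30} as posted: {allowed(host, entries)!s:5} "
              f"corrected: {allowed(host, fixed)}")
```

With the leading-dot entries, the google.com and americas-pet-store.com requests match, while wiki.squid-cache.org and the mistyped www.americas-pet.store.com stay denied because nothing in the list covers them.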



