Why yes it was thank you !

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, February 23, 2009 9:47 PM
To: Jim Lawrence
Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
Subject: RE: New Setup help

> cat /etc/squid/allowed_sites.squid
> *.americas-pet-store.com
> *.petfrenzy.com
> *.google.com
> [root@VIRT1 ~]#

There is the problem. The '*' is not a proper part of domain names.
Just begin the partial domains with a '.'

Amos

>
> I did a service squid restart
> And for good measure service squid reload
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
> Sent: Monday, February 23, 2009 8:45 PM
> To: Jim Lawrence
> Cc: Amos Jeffries; squid-users@xxxxxxxxxxxxxxx
> Subject: RE: New Setup help
>
>> Current config
>>
>> http_port 192.168.31.3:3128
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> cache_dir ufs /var/spool/squid 1000 16 256
>> access_log /var/log/squid/access.log squid
>> dns_nameservers 192.168.31.11
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>> acl pnc_network src 192.168.31.0/255.255.255.0
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow good_url
>> http_access deny all
>> visible_hostname VIRT1
>> coredump_dir /var/spool/squid
>>
>>
>> [root@VIRT1 ~]# tail -12 /var/log/squid/access.log
>> 1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
>> 1235431489.599      0 192.168.31.12 TCP_DENIED/403 1434 GET http://mail.google.com/mail/images/cleardot.gif? - NONE/- text/html
>> 1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> 1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
>> 1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
>> 1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235431851.577      0 192.168.31.12 TCP_DENIED/403 1428 GET http://www.americas-pet-store.com/favicon.ico - NONE/- text/html
>> 1235432020.747      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235432022.176      2 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
>> 1235432030.656      4 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
>> 1235432036.294      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> 1235432087.084      2 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
>> [root@VIRT1 ~]#
>
>
> Assuming you remembered to -k reconfigure squid.
> That leaves the question:
> are any of these actually listed in your allowed_sites.squid file?
>
> mail.google.com
> www.google.com
> .google.com
> www.americas-pet-store.com
> .americas-pet-store.com
> .com
> wiki.squid-cache.org
> .squid-cache.org
> .org
>
>
> Amos
>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
>> Sent: Monday, February 23, 2009 5:53 PM
>> To: Jim Lawrence
>> Cc: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: New Setup help
>>
>>> Cisco1720 router --> 4 windows based servers 1 centos virtual server 1
>>> centos squid server.
>>> Client computers (8)
>>>
>>> Would like to have all web traffic blocked except websites defined in an
>>> allowed_sites.squid config file.
>>> My squid.conf file
>>>
>>> Should my squid server have 2 network cards or can I leave it with the
>>> one ?
>>
>> One or two, it does not matter to the problem you currently have.
>>
>>>
>>> +++++++
>>> [root@VIRT1 ~]# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
>>> http_port 192.168.31.3:3128
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> cache deny QUERY
>>> acl apache rep_header Server ^Apache
>>> broken_vary_encoding allow apache
>>> cache_dir ufs /var/spool/squid 1000 16 256
>>> access_log /var/log/squid/access.log squid
>>> dns_nameservers 192.168.31.11
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443
>>> acl CONNECT method CONNECT
>>> acl good_url dstdomain "/etc/squid/allowed_sites.squid"
>>> acl pnc_network src 192.168.31.0/255.255.255.0
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>
>>> http_access allow good_url
>>
>> * permits anyone who can contact your squid to connect to any of the
>> listed sites. Probably don't want that ...
>>
>> * Or maybe you intended to be a reverse-proxy/accelerator for internal
>> sites?
>> http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
>>
>> To enact your stated "all web traffic blocked except websites defined in
>> a allowed_sites.squid config file"
>>
>> Add here:
>> http_access deny all
>>
>> drop the following http_access lines:
>>
>>> http_access deny pnc_network
>>> http_access allow localhost
>>> http_access deny all
>>> http_reply_access allow all
>>> icp_access allow all
>>> visible_hostname VIRT1
>>> coredump_dir /var/spool/squid
>>> ++++++++
>>>
>>>
>>>
>>> clients cannot access anything.
>>
>> Is the content of "/etc/squid/allowed_sites.squid"
>> correctly formatted for dstdomain?
>>
>> A list of domain names one per line with the following style:
>>
>> example.com - matches only example.com domain.
>>
>> .example.com - matches example.com and ALL *.example.com sub-domains.
>>
>>
>> Amos
>>
>>
>
>
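The following is an added worked example, not code from the thread or from the Squid project. It emulates the two points the thread turns on: the dstdomain matching rules Amos states (a bare name matches only that host, a leading dot matches the domain and every sub-domain, and a '*' is just a literal character that no real Host will ever equal), and Squid's first-match http_access evaluation with its fall-through to the opposite of the last rule. It runs the broken and the corrected allowed_sites.squid against a copy of the access.log lines quoted above, so you can see exactly which TCP_DENIED entries flip to allow after the fix and which do not (the mistyped www.americas-pet.store.com and wiki.squid-cache.org stay denied). The pnc_network-restricted rule set is my own tightened variant of Amos's remark that "http_access allow good_url" on its own admits any client that can reach the proxy; it is an assumption, not something the thread prescribes. One caveat when reading the quoted listing: sed '/ *#/d' drops every line containing a '#', including the stock "acl Safe_ports port 80 # http" lines, so their absence from the listing does not mean they are missing from the file.

```python
# Added example: emulate Squid dstdomain ACL matching and first-match
# http_access evaluation over the allowed_sites file and access.log lines
# from the thread.  Semantics follow the rules stated in the thread; the
# pnc_network variant is an assumption (my suggestion), not the thread's.
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# allowed_sites.squid as posted (broken) and corrected per Amos's advice.
BROKEN_ALLOWED = "*.americas-pet-store.com\n*.petfrenzy.com\n*.google.com\n"
FIXED_ALLOWED = ".americas-pet-store.com\n.petfrenzy.com\n.google.com\n"

# A subset of the squid-native access.log lines quoted in the thread.
ACCESS_LOG = """\
1235431489.584      1 192.168.31.12 TCP_DENIED/403 1420 GET http://mail.google.com/mail/channel/test? - NONE/- text/html
1235431513.168      0 192.168.31.12 TCP_DENIED/403 1382 GET http://www.google.com/ - NONE/- text/html
1235431526.782      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet.store.com/ - NONE/- text/html
1235431547.499      0 192.168.31.12 TCP_DENIED/403 1450 GET http://wiki.squid-cache.org/KnowledgeBase/DebugSections? - NONE/- text/html
1235431851.235      0 192.168.31.12 TCP_DENIED/403 1406 GET http://www.americas-pet-store.com/ - NONE/- text/html
"""


def parse_allowed(text):
    """One entry per line; blank lines and '#' comments ignored; case-folded."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def bad_entries(text):
    """Entries that can never match a real host name because they contain '*'."""
    return [e for e in parse_allowed(text) if "*" in e]


def dstdomain_match(host, entries):
    """'example.com' matches only example.com; '.example.com' matches
    example.com and every *.example.com.  Anything else is exact-match."""
    host = host.lower().rstrip(".")
    for e in entries:
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                return True
        elif host == e:
            return True
    return False


def parse_log(text):
    """Return (client_ip, request_host) for each squid-native log line."""
    out = []
    for ln in text.splitlines():
        f = ln.split()
        if len(f) < 7:
            continue
        out.append((f[2], urlsplit(f[6]).hostname))
    return out


def http_access(rules, acls, client_ip, host):
    """First-match evaluation of http_access lines.  rules is a list of
    (action, [acl_name, ...]); a leading '!' negates; every ACL on the line
    must match.  If nothing matches, the opposite of the last rule's action
    applies, as in Squid."""
    for action, names in rules:
        ok = True
        for name in names:
            neg = name.startswith("!")
            ok = ok and (acls[name.lstrip("!")](client_ip, host) != neg)
        if ok:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(allowed_text, client_ip, host, lan_only=False):
    entries = parse_allowed(allowed_text)
    acls = {
        "good_url": lambda ip, h: dstdomain_match(h, entries),
        "pnc_network": lambda ip, h: ip_address(ip) in ip_network("192.168.31.0/24"),
        "all": lambda ip, h: True,
    }
    # Rule set from the thread: any client reaching the proxy may fetch listed sites.
    rules = [("allow", ["good_url"]), ("deny", ["all"])]
    if lan_only:
        # Assumed tightened variant: also require the LAN source ACL.
        rules = [("allow", ["pnc_network", "good_url"]), ("deny", ["all"])]
    return http_access(rules, acls, client_ip, host)


def decisions(allowed_text, lan_only=False):
    """Map each logged request host to the decision the rule set would give."""
    return {h: decide(allowed_text, ip, h, lan_only) for ip, h in parse_log(ACCESS_LOG)}


if __name__ == "__main__":
    print("entries that can never match:", bad_entries(BROKEN_ALLOWED))
    for label, text in (("broken", BROKEN_ALLOWED), ("fixed", FIXED_ALLOWED)):
        print(label, decisions(text))
```

Running it shows every host denied under the '*'-prefixed list and, after the fix, mail.google.com, www.google.com and www.americas-pet-store.com allowed while the typo host and the squid-cache.org wiki remain denied. The bad_entries check is the kind of thing worth running over the file before a squid -k reconfigure: Squid will happily load the list and simply never match it.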