Were you testing it with a non-localhost client? The only line I can see
that can affect it is "http_access allow localhost" .. which means
localhost gets access irrespective of the http_access directives that
come after this one.

btw, although this is not related to the problem, you have
"http_access deny all" after "http_access deny blockedlist" ... which
means even if request isn't in blockedlist, yet it will be denied ...
which kind of makes blockedlist acl useless .. probably you didn't
intend that.

-Bharath

2009/4/6 Leslie Jensen <leslie@xxxxxxx>

>
> > Leslie Jensen wrote:
> >> Hello
> >>
> >> My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine but I can't get the following to work.
> >>
> >> # acl blocked_sites dstdomain .aftonbladet.se.
> >> acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
> >> deny_info ERR_ACCESS_DENIED blocked_sites
> >>
> >> http_access deny blocked_sites
> >>
> >> I've tried both to list the domain in squid.conf and in the file "/usr/local/etc/squid/dstdomain"
> >>
> >> None of the options seems to work, no blocking occurs. If I put in the complete path to the ERR_ACCESS_DENIED, I get an error when I do squid -NCd1
> >>
> >> I suspect that maybe the order of the acl's can affect but I need some help to diagnose the problem.
> >
> > Yes order is important. Squid processes http_access top-down and first match wins.
> >
> > ERR_ACCESS_DENIED is the default page displayed for "http_access deny". you don't have to specify its use.
> >
> > Amos
> > --
>
> Do I dare ask if someone will take a look at my conf file?
>
> I think I'm going blind looking at my rules! I believe I've done it right,
> but obviously I have not. I need the acl dstdomain to work and I can't see
> where I'm wrong.
>
> I've tried to define only one domain and I've tried with a file with domain
> names, none of them seem to work.
>
> I've also considered the order of my rules but I can't get it to work.
>
> Please help!
> Thanks
>
> /Leslie
>
>
> ----------------- snip -----------------
> # Squid listens on the loopback and on
> # the internal interface (8080 port)
> #
> # If you run Squid on a dual-homed machine with an internal
> # and an external interface we recommend you to specify the
> # internal address:port in http_port.
> # This way Squid will only be visible on the internal address.
> # transparent to work with PF
> #
> http_port 8080
> # http_port 127.0.0.1:8080 transparent
> # http_port 192.168.0.1:8080 transparent
> #
> # Words defined in this tag when matched in the URLs,
> # directs squid not to query caches.
> # For example dynamic content - php or asp pages.
> #
> hierarchy_stoplist cgi-bin ? php asp
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> #
> # Specify the amount of RAM, to be used for caching the
> # so called: In-Transit objects, Hot Objects,
> # Negative-Cached objects.
> #
> cache_mem 1024 MB
> #
> # If a file size is less than - 1000 MB,
> # squid will place it in cache
> #
> maximum_object_size 1000 MB
> #
> # Define the path to cache directory where all objects
> # which are to be cached are stored:
> # 102400 - is the amount of disk space (MB)
> # to use under /usr/local/squid/cache directory
> # 16 - is the number of first-level subdirectories
> # which will be created under the
> # /usr/local/squid/cache directory
> # 256 - is the number of second-level
> # subdirectories which will be created under
> # each first-level directory
> #
> cache_dir ufs /usr/local/squid/cache 102400 16 256
> #
> # To disable, enter "none". There are not really
> # utilities to analyze this data, so you can safely
> # disable it.
> #
> cache_store_log none
> #
> # Log client request activities to the
> # /usr/local/squid/logs/access.log file
> # using the squid log format
> #
> access_log /usr/local/squid/logs/access.log squid
> #
> logfile_rotate 2
> #
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> #
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> #
> # Define access control lists
> # acl all is defined by default in version 3.0 STABLE
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Allow access from your local network.
> # Don't write netmask 192.168.0.0/12 in 3.0STABLE
> #
> # RFC1918 internal network
> #
> acl localnet src 192.168.0.1-192.168.0.254
> #
> # Allow localnet access
> #
> http_access allow localnet
> #
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> # acl Safe_ports port 70 # gopher
> # acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> # acl Safe_ports port 280 # http-mgmt
> # acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> # acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> #
> # Allowing or Denying access based on defined access lists
> # Recommended minimum configuration:
> # Only allow cachemgr access from localhost
> #
> http_access allow manager localhost
> http_access deny manager
> #
> # Only allow purge requests from localhost
> #
> http_access allow PURGE localhost
> http_access deny PURGE
> #
> # Deny requests to unknown ports
> #
> http_access deny !Safe_ports
> #
> # Deny CONNECT to other than SSL ports
> #
> http_access deny CONNECT !SSL_ports
> #
> # Allow the localhost to have access by default
> #
> http_access allow localhost
> #
> # If we want to block certain sites.
> #
> # acl blockedsites dstdomain .aftonbladet.se.
> acl blockedsites dstdomain .squid-cache.org
> # acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
> #
> # Show message when blocked
> # deny_info ERR_ACCESS_DENIED blocked_sites
> #
> http_access deny blockedsites
> #
> # And deny all other access to this proxy
> #
> http_access deny all
> #
> #
> # Allow ICP queries from local networks only
> #
> icp_access allow localnet
> icp_access deny all
> #
> # Define the hostname that will be shown in
> # error messages etc.
> #
> visible_hostname proxy1.somewhere.com
> #
> # Email-address of local cache manager who will receive
> # mail if the cache dies.
> #
> cache_mgr john.doe@xxxxxxxxxxxxx
> #
> # Speed up the writing of some log files
> #
> buffered_logs on
> #
> coredump_dir /usr/local/squid/cache
> #
> ----------------- snip -----------------
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
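
Added example (not part of the original thread and not the posters' code): a simplified Python model of the top-down, first-match-wins http_access evaluation described in the quoted reply, run over the http_access lines of the posted squid.conf in their posted order. The client address 192.168.0.20 and the REORDERED list are assumptions constructed for illustration, and the ACL matching is a simplification of Squid's.

```python
import ipaddress

ip = ipaddress.ip_address

# ACL definitions transcribed from the posted squid.conf (simplified matching).
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == ip("127.0.0.1"),
    "localnet": lambda r: ip("192.168.0.1") <= r["src"] <= ip("192.168.0.254"),
    "Safe_ports": lambda r: r["port"] in (80, 21, 443, 591) or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "PURGE": lambda r: r["method"] == "PURGE",
    # dstdomain ".squid-cache.org" matches the domain and all its subdomains
    "blockedsites": lambda r: ("." + r["host"]).endswith(".squid-cache.org"),
}

# http_access lines in the order they appear in the posted config.
POSTED = [
    "http_access allow localnet",
    "http_access allow manager localhost",
    "http_access deny manager",
    "http_access allow PURGE localhost",
    "http_access deny PURGE",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow localhost",
    "http_access deny blockedsites",
    "http_access deny all",
]
# Assumption: one possible reordering, with the site block moved to the top.
REORDERED = [POSTED[8]] + POSTED[:8] + POSTED[9:]

def request(src, host, port=80, method="GET", proto="http"):
    return {"src": ip(src), "host": host, "port": port, "method": method, "proto": proto}

def evaluate(rules, req):
    """Walk the rules top-down and return (action, line) of the first match."""
    for line in rules:
        _, action, *names = line.split()
        # ACLs on one line are ANDed; a leading "!" negates that ACL.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("allow" if action == "deny" else "deny"), None

if __name__ == "__main__":
    lan = request("192.168.0.20", "www.squid-cache.org")  # constructed LAN client
    print("posted   :", evaluate(POSTED, lan))
    print("reordered:", evaluate(REORDERED, lan))
```

With the posted order, a LAN client's request is decided by `http_access allow localnet` before `http_access deny blockedsites` is ever consulted.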