Re: acl dstdomains does not block!

Or, alternatively, place "http_access allow localhost" *AFTER* "http_access deny blockedlist"

That should do the trick, methinks.

Rgds.

[p]

Bharath Raghavendran wrote:
Were you testing it with a non-localhost client? The only line I can
see that can affect it is
"http_access allow localhost" .. which means localhost gets access
irrespective of the http_access directives that come after this one.

BTW, although this is not related to the problem, you have
"http_access deny all" after "http_access deny blockedlist" ... which
means even if the request isn't in blockedlist, it will still be denied ...
which kind of makes the blockedlist acl useless .. probably you didn't intend
that.

-Bharath

2009/4/6 Leslie Jensen <leslie@xxxxxxx>
Leslie Jensen wrote:
Hello

My Proxy, Squid-3.0.13 on FreeBSD 7.1-RELEASE-p4, is running fine but I
can't get the following to work.
# acl blocked_sites dstdomain .aftonbladet.se.
acl blocked_sites dstdomain "/usr/local/etc/squid/dstdomain"
deny_info ERR_ACCESS_DENIED blocked_sites
http_access deny blocked_sites

I've tried both to list the domain in squid.conf and in the file
"/usr/local/etc/squid/dstdomain".
None of the options seems to work; no blocking occurs. If I put in the
complete path to the ERR_ACCESS_DENIED, I get an error when I do
"squid -NCd1".
I suspect that maybe the order of the ACLs can affect it, but I need some
help to diagnose the problem.

Yes, order is important. Squid processes http_access top-down and first
match wins.
ERR_ACCESS_DENIED is the default page displayed for "http_access deny".
You don't have to specify its use.
Amos
--
Do I dare ask if someone will take a look at my conf file?

I think I'm going blind looking at my rules! I believe I've done it right,
but obviously I have not. I need the acl dstdomain to work and I can't see
where I'm wrong.

I've tried to define only one domain and I've tried with a file with domain
names; none of them seem to work.

I've also considered the order of my rules but I can't get it to work.

Please help! Thanks

/Leslie


----------------- snip -----------------
#               Squid listens on the loopback and on
#               the internal interface (8080 port)
#
#     If you run Squid on a dual-homed machine with an internal
#     and an external interface we recommend you to specify the
#     internal address:port in http_port.
#     This way Squid will only be visible on the internal address.
#     transparent to work with PF
#
     http_port 8080
#     http_port 127.0.0.1:8080 transparent
#     http_port 192.168.0.1:8080 transparent
#
#     Words defined in this tag when matched in the URLs,
#     directs squid not to query caches.
#     For example dynamic content - php or asp pages.
#
     hierarchy_stoplist cgi-bin ? php asp
     acl QUERY urlpath_regex cgi-bin \?
     no_cache deny QUERY
#
#     Specify the amount of RAM, to be used for caching the
#     so called: In-Transit objects, Hot Objects,
#     Negative-Cached objects.
#
     cache_mem 1024 MB
#
#     If a file size is less than - 1000 MB,
#     squid will place it in cache
#
     maximum_object_size 1000 MB
#
#     Define the path to cache directory where all objects
#     which are to be cached are stored:
#     102400 - is the amount of disk space (MB)
#     to use under /usr/local/squid/cache directory
#     16 - is the number of first-level subdirectories
#     which will be created under the
#     /usr/local/squid/cache directory
#     256 - is the number of second-level
#     subdirectories which will be created under
#     each first-level directory
#
     cache_dir ufs /usr/local/squid/cache 102400 16 256
#
#     To disable, enter "none". There are not really
#     utilities to analyze this data, so you can safely
#     disable it.
#
     cache_store_log none
#
#     Log client request activities to the
#     /usr/local/squid/logs/access.log file
#     using the squid log format
#
     access_log /usr/local/squid/logs/access.log squid
#
     logfile_rotate 2
#
     auth_param basic children 5
     auth_param basic realm Squid proxy-caching web server
     auth_param basic credentialsttl 2 hours
#
     refresh_pattern ^ftp:           1440    20%     10080
     refresh_pattern ^gopher:        1440    0%      1440
     refresh_pattern (cgi-bin|\?)    0       0%      0
     refresh_pattern .               0       20%     4320
#
#     Define access control lists
#     acl all is defined by default in version 3.0 STABLE
#
     acl manager proto cache_object
     acl localhost src 127.0.0.1/32
     acl to_localhost dst 127.0.0.0/8
#
#     Allow access from your local network.
#     Don't write netmask 192.168.0.0/12 in 3.0STABLE
#
#     RFC1918 internal network
#
     acl localnet src 192.168.0.1-192.168.0.254
#
#     Allow localnet access
#
     http_access allow localnet
#
     acl SSL_ports port 443
     acl Safe_ports port 80          # http
     acl Safe_ports port 21          # ftp
     acl Safe_ports port 443         # https
#     acl Safe_ports port 70          # gopher
#     acl Safe_ports port 210         # wais
     acl Safe_ports port 1025-65535  # unregistered ports
#     acl Safe_ports port 280         # http-mgmt
#     acl Safe_ports port 488         # gss-http
     acl Safe_ports port 591         # filemaker
#     acl Safe_ports port 777         # multiling http
     acl CONNECT method CONNECT
     acl PURGE method PURGE
#
#     Allowing or Denying access based on defined access lists
#     Recommended minimum configuration:
#     Only allow cachemgr access from localhost
#
     http_access allow manager localhost
     http_access deny manager
#
#     Only allow purge requests from localhost
#
     http_access allow PURGE localhost
     http_access deny PURGE
#
#     Deny requests to unknown ports
#
     http_access deny !Safe_ports
#
#     Deny CONNECT to other than SSL ports
#
     http_access deny CONNECT !SSL_ports
#
#     Allow the localhost to have access by default
#
     http_access allow localhost
#
#     If we want to block certain sites.
#
#     acl blockedsites dstdomain .aftonbladet.se.
     acl blockedsites dstdomain .squid-cache.org
#     acl blockedsites dstdomain "/usr/local/etc/squid/dstdomain"
#
#     Show message when blocked
#     deny_info ERR_ACCESS_DENIED blocked_sites
#
     http_access deny blockedsites
#
#     And deny all other access to this proxy
#
     http_access deny all
#
#
#     Allow ICP queries from local networks only
#
     icp_access allow localnet
     icp_access deny all
#
#     Define the hostname that will be shown in
#     error messages etc.
#
     visible_hostname proxy1.somewhere.com
#
#     Email-address of local cache manager who will receive
#     mail if the cache dies.
#
     cache_mgr john.doe@xxxxxxxxxxxxx
#
#     Speed up the writing of some log files
#
     buffered_logs on
#
     coredump_dir /usr/local/squid/cache
#

----------------- snip -----------------

--
*Pandu E Poluan*
*Panin Sekuritas*
IT Manager / Operations & Audit
Phone : 	+62-21-515-3055 ext 135
Fax : 	+62-21-515-3061
Mobile : 	+62-856-8400-426
e-mail : pandu_poluan@xxxxxxxxxxxxxxxxxxxx <mailto:pandu_poluan@xxxxxxxxxxxxxxxxxxxx>
Y!M : 	hands0me_irc
MSN : 	si-ganteng@xxxxxxxx
GTalk : 	pandu.cakep@xxxxxxxxx
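To make the "first match wins" point from this thread concrete, here is an added example (my own code, not Squid's and not from any poster) that simulates how Squid walks a list of http_access lines. It parses a stripped-down copy of the acl/http_access lines from Leslie's posted squid.conf, evaluates them top-down for a request, and reports which line decided. It then does the same for a reordered copy that puts "http_access deny blockedsites" ahead of both allow lines, as Pandu suggests for "allow localhost"; the simulation also shows that "http_access allow localnet", which sits at the very top of the posted config, short-circuits the block for LAN clients in exactly the same way. Only the acl types the posted rules use (src, dstdomain, port, method) and the predefined "all" acl are modelled; the dstdomain matcher assumes the documented Squid behaviour that a leading dot matches the domain itself and every subdomain. The request values are constructed for the demonstration.

```python
"""Simulate Squid http_access evaluation: top-down, first matching line wins.

Added example, not Squid's own code. Models only the acl types used by the
posted rules (src, dstdomain, port, method) and the predefined 'all' acl.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str            # client IP address (constructed sample values below)
    dsthost: str        # host part of the requested URL
    port: int = 80
    method: str = "GET"


def parse_config(text):
    """Collect acl definitions and http_access lines in file order.
    'all' is treated as predefined, as the posted config notes for 3.0 STABLE."""
    acls = {"all": ("src", ["all"])}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def _match_src(values, req):
    ip = ipaddress.ip_address(req.src)
    for v in values:
        if v == "all":
            return True
        if "-" in v:                          # a.b.c.d-e.f.g.h range form
            lo, hi = (ipaddress.ip_address(p) for p in v.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(v, strict=False):
            return True
    return False


def _match_dstdomain(values, req):
    host = req.dsthost.lower()
    for v in values:
        v = v.lower()
        if v.startswith("."):
            # Assumed Squid semantics: ".example.com" matches example.com and any subdomain
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:                       # no leading dot: exact host only
            return True
    return False


def _match_port(values, req):
    for v in values:
        if "-" in v:
            lo, hi = map(int, v.split("-"))
            if lo <= req.port <= hi:
                return True
        elif req.port == int(v):
            return True
    return False


def _match_method(values, req):
    return req.method.upper() in (v.upper() for v in values)


MATCHERS = {"src": _match_src, "dstdomain": _match_dstdomain,
            "port": _match_port, "method": _match_method}


def acl_matches(acls, name, req):
    acltype, values = acls[name]
    return MATCHERS[acltype](values, req)


def decide(acls, rules, req):
    """Return (action, deciding line). A line matches when every term matches
    ('!' negates a term). If no line matches, Squid applies the opposite of
    the last line's action; that case is reported as 'implicit default'."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(acls, term.lstrip("!"), req) == negate:
                matched = False
                break
        if matched:
            return action, f"{action} {' '.join(terms)}"
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "implicit default"


def evaluate(config_text, req):
    return decide(*parse_config(config_text), req)


# Abridged from the squid.conf posted in the thread, in the same order.
POSTED = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.1-192.168.0.254
http_access allow localnet
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl Safe_ports port 591
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl blockedsites dstdomain .squid-cache.org
http_access deny blockedsites
http_access deny all
"""

# Same lines, with the block placed before both allow lines.
REORDERED = """
acl localhost src 127.0.0.1/32
acl localnet src 192.168.0.1-192.168.0.254
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl Safe_ports port 591
acl CONNECT method CONNECT
acl blockedsites dstdomain .squid-cache.org
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blockedsites
http_access allow localhost
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    samples = [Request("127.0.0.1", "www.squid-cache.org"),
               Request("192.168.0.10", "squid-cache.org"),
               Request("192.168.0.10", "example.com"),
               Request("10.0.0.5", "example.com")]
    for name, cfg in (("posted", POSTED), ("reordered", REORDERED)):
        for r in samples:
            action, why = evaluate(cfg, r)
            print(f"{name:9} {r.src:13} {r.dsthost:22} -> {action:5} ({why})")
```

Run it to see that, with the posted order, a request from 127.0.0.1 or from the LAN range for www.squid-cache.org is decided by "allow localhost" or "allow localnet" before "deny blockedsites" is ever consulted, while the reordered copy denies both and still lets the same clients reach other hosts.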

