On Mon, 15 Feb 2010 14:23:12 -0600 (CST), Al - Image Hosting Services <azick@xxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Mon, 15 Feb 2010, Amos Jeffries wrote:
>> On Sun, 14 Feb 2010 18:21:25 -0600 (CST), Al - Image Hosting Services
>> <azick@xxxxxxxxxxxxxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I know that this is a little bit off topic for this list, but I asked on
>>> the squidguard list and they said that I need to run 2 instances of squid.
>>> I know that squid can listen on 2 ports very easily, and I have setup
>>> squid to listen on 2 different ports. Port 8080 uses squidguard to filter,
>>> but port 8081 doesn't. What I would really like to be able to do is to
>>> have less restrictive filtering on port 8081. For example, I would like to
>>> block youtube on port 8080, but not on port 8081. Still I would like to be
>>> able to block porn on port 8081. Could someone give me some assistance on
>>> how to do this or point me to a how to?
>>>
>>> Best Regards,
>>> Al
>>
>> Use of the "myport" ACL type and url_rewrite_access to prevent things
>> being sent to the squidguard re-writer.
>>
>> http://www.squid-cache.org/Doc/config/url_rewrite_access/
>
> I should have explained that differently, so I will give it another try.
>
> This is what I have in my squid.conf now:
>
> acl custom-auth proxy_auth REQUIRED
> acl mysite dstdomain .zickswebventures.com
> acl portA myport 8080
> acl portB myport 8081
> url_rewrite_access allow portA
> url_rewrite_program /bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 3
> http_access allow mysite
> http_access allow custom-auth all
> http_access deny all
>
> It works perfectly, requests sent to portA are filtered and requests that
> are sent to portB are not, but I need to add sort of an intermediate level
> of filtering.
>
> Solution 1: It looks like squidguard can filter based on IP. If I created
> a portC in squid.conf, should I be able to add this to my squidguard.conf:
>
> src portC {
>         ip 0.0.0.0:8082
> }
>
> src portA {
>         ip 0.0.0.0:8080
> }
>
> My question is, does squid pass the port along with the IP address to
> squidguard? If it does, then is my config wrong or does squidguard just
> not know what to do with the port information?
>

Squid will never pass the IP "0.0.0.0" to squidguard. All IPs handled are
routable. So I expect that will never match properly.

> Solution 2: Call 2 instances of squidguard with a different config.
> Although, I don't know if this is possible without knowing more about how
> squid passes information to squidguard.
>
> Solution 3: Create a blocklist within squid of maybe 5 to 30 sites, so my
> squid.conf would like:
>
> acl custom-auth proxy_auth REQUIRED
> acl mysite dstdomain .zickswebventures.com
> acl block dstdomain .facebook.com .twitter.com
> acl portA myport 8080
> acl portB myport 8081
> acl portB myport 8082
>
> url_rewrite_access allow portA portB
> url_rewrite_program /bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 3
> http_access allow mysite
> http_access allow custom-auth all
> http_access deny all
>
> Of course, the blank line is where I would need to tell squid to redirect
> to the zickswebvenutres.com/blocked.html if it sees one of the urls
> being blocked, but only on portA. Could this be done?

You seem to misunderstand how ACLs work. Read this:
http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Then consider this:

  url_rewrite_access allow portA
  url_rewrite_access allow portB !block
  url_rewrite_access deny all

Or better yet do a real HTTP redirection by Squid instead:

  deny_info http://zickswebvenutres.com/blocked.html block
  http_access deny portA block

Amos
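
Added example, not part of the original message and not Squid's own code: a small Python model of the access-list matching the reply refers to (ACL names on one line are ANDed, lines are tried in order, the first match decides), run over the question's `url_rewrite_access` line and the reply's three lines. The sample requests and helper names are constructed for illustration.

```python
# Added illustration: a small model of Squid access-list matching.
# Names on one line are ANDed; lines are tried in order; the first match decides.

BLOCK_DOMAINS = (".facebook.com", ".twitter.com")  # the "block" dstdomain ACL from the thread

def in_dstdomain(host, domains):
    # A leading-dot dstdomain entry matches the domain itself and its subdomains.
    return any(host == d[1:] or host.endswith(d) for d in domains)

ACLS = {
    "portA": lambda r: r["port"] == 8080,
    # Declared twice in the question (8081 and 8082); values of one ACL name are ORed.
    "portB": lambda r: r["port"] in (8081, 8082),
    "block": lambda r: in_dstdomain(r["host"], BLOCK_DOMAINS),
    "all": lambda r: True,
}

def term_matches(term, req):
    # A leading "!" negates the named ACL.
    hit = ACLS[term.lstrip("!")](req)
    return (not hit) if term.startswith("!") else hit

def evaluate(rules, req):
    """Return 'allow'/'deny' from the first line whose terms all match, else None."""
    for line in rules:
        action, *terms = line.split()
        if all(term_matches(t, req) for t in terms):
            return action
    return None  # no line matched; this model does not guess Squid's default

AL_RULES = ["allow portA portB"]                                # from the question
AMOS_RULES = ["allow portA", "allow portB !block", "deny all"]  # from the reply

def req(port, host):
    return {"port": port, "host": host}

# Constructed sample requests: (port the client connected to, requested host).
SAMPLES = [req(8080, "www.youtube.com"), req(8081, "www.youtube.com"),
           req(8080, "www.facebook.com"), req(8081, "www.facebook.com")]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["port"], r["host"],
              "| question's line:", evaluate(AL_RULES, r),
              "| reply's lines:", evaluate(AMOS_RULES, r))
```

In this model the question's single line never matches, because one request cannot arrive on both ports at once. With the reply's lines, only a request for a `block` domain arriving on portB is kept away from the rewriter.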