Re: ACL configuration

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Никоноров Григорий wrote:
> Hello, Amos
>
> I install the latest version of squid3 from backports (unfortunately
> i cant find my problem in squid3 bugs ...)
> dpkg --list |grep squid3
> ii  squid3                              3.0.STABLE19-1~bpo50+1   A full featured Web Proxy cache (HTTP proxy)
> ii  squid3-common                       3.0.STABLE19-1~bpo50+1   A full featured Web Proxy cache (HTTP proxy) - common files
>
> I also delete two lines about QUERY...
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
>
> ...and modified my refresh_patters accordingly your advice
> refresh_pattern \.doc$          0       20%     4320
> refresh_pattern \.zip$          0       20%     4320
> refresh_pattern \.exe$          0       20%     4320
> refresh_pattern \.rar$          0       20%     4320
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> I upload my squid.conf for "easy to read" purpose in pastebay.com
> http://pastebay.com/94291 (no virus guys...only my squid.conf :)
>
> p.s. regex replacement on dstdomain not helped
>
> You wrote 19 апреля 2010 г., 13:47:21:
> > Никоноров Григорий wrote:
> > > Hi,
> > >
> > > After  the upgrade from 2.7 to 3.0.STABLE8-3 + lenny3 squid stop block
> > > prohibited sites. 
>
> > IMO grab the official backport package from 
> > http://www.backports.org/debian/pool/main/s/squid3/ if you can.
>
> > > My Squid3 conf:
> > > acl ADMIN proxy_auth "/etc/squid3/users/users.admin"
> > > acl bad_site url_regex -i  "/etc/squid3/bad_site.acl"
> > >
> > > bad_site.acl:
> > > vkontakte\.ru
> > > odnoklassniki\.ru
> > > pagewash\.com
> > > vk\.com
>
> > Hmm. Regardless of your squid version those are far better off being 
> > configured as a "dstdomain" ACL type. Regex is Slooooowww.
>
> >    acl bad_site dstdomain "/etc/squid3/bad_site.acl"
>
> >   bad_site.acl:
> >    .vkontakte.ru
> >    .odnoklassniki.ru
> >    .pagewash.com
> >    .vk.com
>
> > > http_access allow manager localhost
> > > http_access deny manager
> > > http_access deny !Safe_ports
> > > http_access allow ADMIN !bad_site
> > > acl QUERY urlpath_regex cgi-bin \?
> > > no_cache deny QUERY
>
> > The above two lines about QUERY are no longer very useful.
>
> > Remove them and make sure your *final* two refresh_patterns lines match
> > the new defaults for squid-3.x:
>
> >    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> >    refresh_pattern .  0 20% 4320
>
>
> > > http_access deny all
> > >
> > >
> > > 192.168.164.111 - user from group ADMIN
> > >
> > > Access log:
> > > 1271418317.455    103 192.168.164.111 TCP_MISS/302 494 GET http://vkontakte.ru/id000000 user DIRECT/93.186.231.220 text/html
> > > 1271418317.536     71 192.168.164.111 TCP_MISS/200 3767 GET http://vkontakte.ru/login.php? user DIRECT/93.186.231.220 text/html
> > > 1271418317.665      5 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/xhead2.gif user DIRECT/93.186.231.220 -
> > > 1271418317.669      9 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_yellow.gif user DIRECT/93.186.231.222 -
> > > 1271418317.674     15 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_divider.gif user DIRECT/93.186.231.221 -
> > > 1271418317.690     35 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.219 -
> > > 1271418317.714     55 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.77 image/gif
> > > 1271418321.434     82 192.168.164.111 TCP_MISS/200 5360 GET http://vk.com/ user DIRECT/93.186.231.221 text/html
> > > 1271418321.476    124 192.168.164.111 TCP_MISS/200 719 GET http://sitecheck2.opera.com/? user DIRECT/91.203.99.45 text/xml
> > > 1271418322.588     34 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.220 -
> > > 1271418322.608     54 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.101 image/gif
> > > 1271418324.221   1670 192.168.164.111 TCP_MISS/200 6368 CONNECT certs.opera.com:443 user DIRECT/91.203.99.57 -
> > > 1271418324.358     69 192.168.164.111 TCP_MISS/200 738 GET http://login.vk.com/? user DIRECT/93.186.229.129 text/html
> > > 1271418324.433     56 192.168.164.111 TCP_MISS/200 617 POST http://vk.com/login.php? user DIRECT/93.186.231.222 text/html
>
>
> > I can't see any reason why those requests might go through. Is there any
> > additional http_access configuration anywhere?
>
> > If not, try with the backports package and see if it goes away.
>
> > Amos

Wading through that config I find the very first http_access:

 acl ncsa_users proxy_auth REQUIRED
 http_access allow ncsa_users

... any user with a valid login has unlimited access through your server.

 The http_access rules following that line apply only to non-logged in 
users.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.1