Re: Squid3 on ubuntu 10.4 problem using acl whitelist in external file


On Mon, 24 May 2010 11:44:06 -0700 (PDT), MM Gillon <margaretgi@xxxxxxxxx>
wrote:
> First I am new at working with networks. Most of the IT staff were
> downsized last year including the administrator. I am a database
> programmer. I like ubuntu and have an ubuntu database server. I am trying
> to use an ubuntu server as a squid proxy so that Windows workstations on a
> manufacturing floor can only go to company web sites on a whitelist. I am
> manually configuring the workstations to go to this proxy server. Squid3
> loads okay without error messages. I know it is seeing the whitelist.txt
> file because I get an error if the file is not present. However SQUID will
> not allow any addresses to load even those in the white list. Below is my
> squid.conf and my whitelist.txt file. The message in the Squid log is
> below. The message on the browser screen confirms that squid is blocking
> the address. I tried the same software and configuration on ubuntu 8.04 and
> had the same issues. Thank you.
>

I know it is a bit late and you already have a working solution.
But here is my 2c on your config...

> 
> 1274724540.610    193 192.168.100.9 TCP_DENIED/403 2710 GET
> http://www.unicef.org/ - NONE/- text/html
> 
> 
> 
> #whitelist.txt
> .gov
> .sheepguardingllama.com
> .org
> .chromalloy.com
> 
> #squid.conf
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0

The comma in the above is not valid squid.conf syntax. And CIDR is preferred.
That line should be:
  acl localnet src 192.168.100.0/24 192.168.101.0/24

> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> 
> acl CONNECT method CONNECT
> 
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> 
> http_access deny to_localhost
> icp_access deny all
> htcp_access deny all
> 
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
> 
> #We recommend you to use the following two lines.
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY lines are now obsolete. Use the refresh_pattern mentioned
below.

> 
> #Suggested default:
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440

Add this pattern right here in the sequence:

  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern .        0    20%    4320
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
> 
> acl whitelist dstdomain "/etc/squid3/whitelist.txt"
> 
> http_access deny !localnet
> http_access deny !whitelist
> http_access deny all

Alternative to the way you have now:

 # Allow localnet machines to whitelisted sites
 http_access allow localnet whitelist

 # block all other access
 http_access deny all


This is a better alternative to just "http_access allow whitelist" which
would permit external people to visit the whitelisted sites as well as
internal machines.

Amos
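The reply above rests on two Squid rules that are easy to get wrong: http_access lines are tested top to bottom and the first line whose ACLs all match decides, and when no line matches the result is the opposite of the last line's action. The poster's list contains only deny lines, so nothing can ever be allowed. The following is an added example, not code from the thread or from the Squid project: a small Python model of that evaluation covering only src and dstdomain ACLs (no port or method ACLs), with a constructed "all" ACL defined as 0.0.0.0/0. It runs the logged request through both the original rule list and Amos's alternative, and also shows the dstdomain convention that a leading dot matches the domain and its subdomains while a bare name matches only that exact host.

```python
"""Model of Squid http_access evaluation for src and dstdomain ACLs.

Added example; it mirrors the thread's config but is not Squid code.
Squid semantics modelled here:
  * an http_access line matches when every ACL named on it matches;
  * the first matching line decides;
  * if no line matches, the result is the opposite of the last line's action.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed ACL table mirroring the posted squid.conf and whitelist.txt.
# "all" is defined explicitly here as 0.0.0.0/0 (an assumption of this model).
ACLS: Dict[str, Tuple[str, List[str]]] = {
    "localnet": ("src", ["192.168.100.0/24", "192.168.101.0/24"]),
    "whitelist": ("dstdomain", [".gov", ".sheepguardingllama.com",
                                ".org", ".chromalloy.com"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# The poster's rule list: three deny lines and no allow line.
ORIGINAL_RULES = [
    ("deny", ["!localnet"]),
    ("deny", ["!whitelist"]),
    ("deny", ["all"]),
]

# Amos's alternative: allow internal clients to whitelisted sites, deny the rest.
FIXED_RULES = [
    ("allow", ["localnet", "whitelist"]),
    ("deny", ["all"]),
]


def dstdomain_match(patterns: List[str], host: str) -> bool:
    """Leading-dot pattern matches the domain and subdomains; bare name is exact."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def src_match(patterns: List[str], ip: str) -> bool:
    """Client IP is inside any of the listed CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)


def acl_matches(acls, name: str, src: str, host: str) -> bool:
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        hit = src_match(values, src)
    elif kind == "dstdomain":
        hit = dstdomain_match(values, host)
    else:
        raise ValueError("unsupported ACL type in this model: " + kind)
    return hit != negate


def http_access(rules, acls, src: str, host: str) -> Tuple[str, Optional[int]]:
    """Return (decision, 1-based index of the deciding line, or None if none matched)."""
    if not rules:
        return ("deny", None)
    for index, (action, names) in enumerate(rules, start=1):
        if all(acl_matches(acls, n, src, host) for n in names):
            return (action, index)
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow", None)


if __name__ == "__main__":
    # The request from the posted access.log line, and one external client.
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for client, host in (("192.168.100.9", "www.unicef.org"),
                             ("10.0.0.5", "www.unicef.org"),
                             ("192.168.100.9", "www.example.com")):
            print(label, client, host, http_access(rules, ACLS, client, host))
```

Under the original list the logged request falls through the two negated deny lines (both ACLs match, so the negations do not) and hits `deny all`; under the fixed list the same request matches line 1 and is allowed, while an external client or an unlisted site ends at `deny all`. The model also makes the cost of `.org` and `.gov` in the whitelist visible: any host under those TLDs is "whitelisted". After editing squid.conf, `squid3 -k parse` checks the file for syntax errors before a reload.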

