On Mon, 24 May 2010 11:44:06 -0700 (PDT), MM Gillon <margaretgi@xxxxxxxxx> wrote:

> First I am new at working with networks. Most of the IT staff were
> downsized last year, including the administrator. I am a database
> programmer. I like Ubuntu and have an Ubuntu database server. I am trying
> to use an Ubuntu server as a squid proxy so that Windows workstations on a
> manufacturing floor can only go to company web sites on a whitelist. I am
> manually configuring the workstations to go to this proxy server. Squid3
> loads okay without error messages. I know it is seeing the whitelist.txt
> file because I get an error if the file is not present. However, SQUID will
> not allow any addresses to load, even those in the white list. Below is my
> squid.conf and my whitelist.txt file. The message in the Squid log is
> below. The message on the browser screen confirms that squid is blocking
> the address. I tried the same software and configuration on Ubuntu 8.04 and
> had the same issues. Thank you.
>

I know it is a bit late and you already have a working solution. But here
is my 2c on your config...

> 1274724540.610 193 192.168.100.9 TCP_DENIED/403 2710 GET
> http://www.unicef.org/ - NONE/- text/html
>
>
> #whitelist.txt
> .gov
> .sheepguardingllama.com
> .org
> .chromalloy.com
>
> #squid.conf
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0

The comma in the above is not valid squid.conf syntax, and CIDR is preferred.
That line should be:

acl localnet src 192.168.100.0/24 192.168.101.0/24

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
>
> http_access deny to_localhost
> icp_access deny all
> htcp_access deny all
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
>
> #We recommend you to use the following two lines.
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY lines are now obsolete. Use the refresh_pattern mentioned below.

>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add this pattern right here in the sequence:

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
>
> acl whitelist dstdomain "/etc/squid3/whitelist.txt"
>
> http_access deny !localnet
> http_access deny !whitelist
> http_access deny all

Alternative to the way you have now:

# Allow localnet machines to whitelisted sites
http_access allow localnet whitelist
# block all other access
http_access deny all

This is a better alternative to just "http_access allow whitelist", which
would permit external people to visit the whitelisted sites as well as
internal machines.

Amos
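Added example (not from the thread, and not Squid's code): a small Python model of the http_access semantics Amos relies on, run over the poster's rules, Amos's alternative, and the weaker "allow whitelist" variant he warns about. It assumes simplified Squid behaviour (all ACLs on a line must match, first matching line wins, a leading-dot dstdomain entry covers subdomains, and the no-match default is the opposite of the last line), and the external client address 203.0.113.5 is constructed.

```python
"""Model of Squid http_access evaluation for the whitelist rules in this thread.
Simplified semantics: a line matches only when ALL its ACLs match, '!' negates
one ACL, the first matching line wins, and a dstdomain entry with a leading dot
matches that domain and its subdomains."""
import ipaddress

# Constructed to mirror the thread: the whitelist.txt entries and localnet ranges.
WHITELIST = [".gov", ".sheepguardingllama.com", ".org", ".chromalloy.com"]
LOCALNET = [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.101.0/24")]


def dstdomain_match(host, entries):
    """Squid dstdomain rule: '.example.org' matches example.org and *.example.org."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def acl_match(name, src, host):
    """Evaluate one named ACL for a request from client `src` to `host`."""
    if name == "localnet":
        return any(ipaddress.ip_address(src) in net for net in LOCALNET)
    if name == "whitelist":
        return dstdomain_match(host, WHITELIST)
    if name == "all":
        return True
    raise ValueError("unknown acl " + name)


def http_access(rules, src, host):
    """Return the action of the first line whose ACLs all match.
    With no match Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_match(a.lstrip("!"), src, host) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The poster's order: three deny lines and never an allow, so everything is denied.
ORIGINAL = [("deny", ["!localnet"]), ("deny", ["!whitelist"]), ("deny", ["all"])]
# Amos's alternative: internal clients reach whitelisted sites, nothing else passes.
AMOS = [("allow", ["localnet", "whitelist"]), ("deny", ["all"])]
# The weaker variant Amos warns about: any client may reach whitelisted sites.
ALLOW_WHITELIST_ONLY = [("allow", ["whitelist"]), ("deny", ["all"])]
```

Calling http_access(ORIGINAL, "192.168.100.9", "www.unicef.org") reproduces the TCP_DENIED/403 from the log, while the AMOS rules allow that request and still deny the same request from 203.0.113.5.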