
Re: ACL blocks http, but not https

Re-doing since my earlier mail seems to have gone astray.
Apologies if you get this twice.


On 27/10/10 01:12, Marc Muehlfeld wrote:
> Hello,
>
> I have blocked some URLs through a url_regex acl, which works if the
> URL contains any protocol except https.
>
> The "blocked_urls.lst" file contains lines like:
> ([^\/]\.facebook\.com\/|[^\/]\.facebook\.com$|^.*://facebook\.com)+
> I've tested the regex using an online regex tester:
> "http://www.facebook.com" and "https://www.facebook.com" both match. But
> the https address can be reached, so I think there must be a problem in
> my configuration (see below).

It does not match because the required URL details are not sent with HTTPS.

Also, regex is the second slowest ACL type possible in Squid. I've outlined some steps you can take to improve the situation below...

(One of the side effects of the performance config is that it matches both HTTP and HTTPS).


> I use 2.6.STABLE21 on CentOS 5.
>
> Regards,
> Marc

> # Define networks "all" and "localhost"
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255


No need for netmask format:

 acl all src all
 acl localhost src 127.0.0.1


> # Default ports we allow
> acl Safe_ports port 21
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 8080
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> acl manager proto cache_object
> http_access allow manager localhost
> http_access deny manager
>
> # Deny CONNECT to other than SSL ports
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports

Good. Sort of.

NP: port 8443 is not listed as one of the Safe_ports. It will be blocked before this line gets to allow it.

The fix is to either:
1) drop "acl SSL_ports port 8443"
or
2) add "acl Safe_ports port 8443"


> # Block access from all IPs to URLs out of this file
> acl blocked_urls url_regex "/etc/squid/blocked_urls.lst"
> deny_info ERR_BLOCKED_PRIVATE blocked_urls
> http_access deny all blocked_urls


Okay. As I said above, regex is the second slowest ACL type in Squid (beaten only by external helpers, which may take a long time to respond).

It's a 6-step process to fix:

Step 1) *remove* all entries from "blocked_urls.lst" meant to match domain-only or IP-only. Add them instead to a dstdomain ACL. Let's call it "A".

Step 2) add a new http_access deny line using the new step-1 ACL before the "blocked_urls" line.

Step 3) *copy* any domains or IPs which are left in the "blocked_urls.lst" into another new dstdomain ACL. Let's call this "B".

Step 4) replace the "all" in "deny all blocked_urls" with the name of your new step-3 ACL.

Step 5) squid -k reconfigure (maybe a "squid -k parse" first to check it's going to restart cleanly)

Step 6) watch your CPU relax.


NOTICE: you now have three ACLs. Knowing what they do is important.

The first, "A" (from step 1), matches only on raw IPs or domains received in the URL, *including HTTPS* requests.

The second, "B" (from step 3), limits the slow full-URL regex matches to only be done on the domains or raw IPs where they have a possibility of matching and blocking something.

The third (which was your blocked_urls.lst) matches the entire URL including path. Patterns which include details about the path will only match the protocols where a path is visible (i.e. not HTTPS).

What you need to take away from this is that 1) where possible, add whole domains and sets of sub-domains to "A", the first ACL, and 2) always make sure that your second "B" and regex ACL are matched: new rules in the regex need to be checked so that the domain(s) they match are in the "B" list.


> # Allow access from all of our subnets
> acl MyNetworkMR_Srv src 192.168.29.0/24
> acl MyNetworkMR_Clt src 10.1.0.0/21
> http_access allow MyNetworkMR_Srv
> http_access allow MyNetworkMR_Clt
>
> # Allow access from localhost
> http_access allow localhost
>
> # Finally deny all other access to this proxy
> http_access deny all


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.8
  Beta testers wanted for 3.2.0.2
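The squid.conf fragment below shows the original single-regex block beside the three-ACL layout that steps 1 to 4 produce. It is an added illustration, not part of either poster's mail; the ACL names and the two extra list files (/etc/squid/blocked_domains.lst and /etc/squid/regex_domains.lst) are assumed for the example.

```squid
# --- Before: one url_regex ACL evaluated for every request ---
# Path patterns never see a CONNECT request (host:port only),
# so https://www.facebook.com is not caught.
acl blocked_urls url_regex "/etc/squid/blocked_urls.lst"
deny_info ERR_BLOCKED_PRIVATE blocked_urls
http_access deny all blocked_urls

# --- After: steps 1 to 4 ---
# Step 1, ACL "A": whole domains and sub-domain sets moved out of the regex
# list into a dstdomain ACL. dstdomain checks the request host, which is
# present for both "GET http://www.facebook.com/" and
# "CONNECT www.facebook.com:443", so HTTP and HTTPS are blocked alike.
# (assumed file, containing e.g. ".facebook.com"; the leading dot
# also covers sub-domains)
acl blocked_domains dstdomain "/etc/squid/blocked_domains.lst"

# Step 3, ACL "B": the domains that still appear in the remaining
# path-specific regex patterns, so the regex only runs on requests
# that could possibly match. (assumed file)
acl regex_candidates dstdomain "/etc/squid/regex_domains.lst"

# The path-specific patterns left in the regex list (HTTP only; the path
# is not visible in CONNECT, so HTTPS requests cannot match these).
acl blocked_urls url_regex "/etc/squid/blocked_urls.lst"

deny_info ERR_BLOCKED_PRIVATE blocked_domains
deny_info ERR_BLOCKED_PRIVATE blocked_urls

# Step 2: the fast dstdomain check comes first ...
http_access deny blocked_domains
# Step 4: ... and the regex is only evaluated for hosts in "B"
# (this line replaces "http_access deny all blocked_urls").
http_access deny regex_candidates blocked_urls
```

Both deny lines belong where the original "deny all blocked_urls" sat, i.e. before the http_access allow lines for the local subnets, so that the ordering of the rest of the config is unchanged.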

