Le mardi 08 février 2011 à 13:35 -0500, Chad Naugle a écrit : > Which all looks ok, but is there an "http_access" that allows anything > other than the "CONNECT" method, such as: > > http_access allow MSN_hosts > http_access allow MSN_domains > http_access allow MSN_net > > Not to mention any other sites / hosts / ports (such as port 80) before > the "http_access deny all", because whenever stacking ACLs there is an > implied "AND" operator, so each line only works like this: > > "Method is CONNECT" AND "Ports" AND "Destination is <list>" > > Otherwise DENY ALL is the likely culprit. > > > >>> David Touzeau <david@xxxxxxxxxx> 2/8/2011 1:22 PM >>> > > Dear all, I use squid 3.1.10 and I would like to allow MSN Messenger to pass > through squid. > > According to the wikis I did this: > > # Permit MSN > acl MSN_ports port 1863 443 1503 > acl MSN_domains > dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com > .passport.com > acl MSN_hosts dstdomain messenger.hotmail.com > acl MSN_nets dst 207.46.111.0/255.255.255.0 > acl MSN_methods method CONNECT > > > http_access allow MSN_methods MSN_ports MSN_hosts > http_access allow MSN_methods MSN_ports MSN_domains > http_access allow MSN_methods MSN_ports MSN_net > > But MSN still did not want to connect, with these errors: > > 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST > http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 > 1662 TCP_MISS:DIRECT > 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST > http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 > 1662 TCP_MISS:DIRECT > 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST > http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 > 1662 TCP_MISS:DIRECT > > Where am I wrong? > > Best regards > > > This is the entire content of the squid.conf; if you see something wrong, let me know....
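# squid 3.1.x configuration as posted to the list, reflowed one directive per
# line (the paste had the whole file collapsed onto a few lines).
# Reminder: http_access rules are evaluated top to bottom and the first line
# whose ACLs all match decides; ACLs on one line are AND-ed together.

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object

# NOTE(review): no 'auth_param basic program' and no proxy_auth ACL appear in
# this file, so these TTLs have no effect and no client is actually
# authenticated; the X-Authenticated-User header sent to ICAP (below) will
# therefore be empty. Confirm whether authentication was intended.
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- squidGard
#IS C-ICAP enabled = 1
redirect_program /usr/bin/squidGuard
redirect_children 20

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP

# multimedia_rep, multimedia_browsers and bigfiles_types are defined but not
# referenced by any http_access / adaptation_access / refresh rule in this
# file; they are dead definitions unless something outside this file uses them.
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$

# The only client network granted general access (see RULES DEFINITIONS).
acl office_network src 192.168.82.0/24

#--------- MAIN RULES...
# Redundant: 'always_direct allow all' under SSL Rules below already covers FTP.
always_direct allow FTP

# --------- SAFE ports
acl Safe_ports port 1443 #FortiPartner
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl Safe_ports port 21 #ftp
acl Safe_ports port 1863 #MSN
acl Safe_ports port 20 #ftp-data#
# 1863 is NOT in SSL_ports, so 'deny CONNECT !SSL_ports' below blocks CONNECT
# to 1863 for everything except what the earlier MSN allow lines accept.
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
acl SSL_ports port 4343 #FortiGate

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
# Fixed: the paste contained spaces inside this pattern ('video \/flv',
# '| application\/ogg', ') $'); squid splits acl values on whitespace, so each
# fragment would have become a separate, mostly meaningless regex. The intended
# single alternation is written here without the stray spaces.
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$

# --------- RULES DEFINITIONS
http_access deny blockedsites
# These three lines match only CONNECT (MSN_methods). The requests that were
# denied with 403 in access.log are POSTs to http://www.sqm.microsoft.com on
# port 80, so they never match here; a POST from office_network is otherwise
# allowed by 'allow office_network' below, which points at the
# 'deny blockedsites' line above (or at a component outside http_access, such
# as the redirector or ICAP) as the source of the 403 — to be confirmed.
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_nets
http_access allow localhost
http_access allow manager localhost
# Added: without an explicit deny here, 'allow office_network' below also
# exposes the cache-manager interface to every LAN client (squid's stock
# configuration pairs the localhost allow with this deny).
http_access deny manager
# Fixed: the paste read 'ttp_access' (missing 'h'); as pasted, squid would not
# recognise the directive and the following 'deny purge' would also deny
# PURGE from localhost.
http_access allow purge localhost
http_access deny purge
url_rewrite_access deny localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow office_network
# NOTE(review): evaluated after 'allow office_network', so it does not stop LAN
# clients from reaching 127.0.0.1 (e.g. the ICAP service on 1345) through the
# proxy; squid's stock configuration places this deny before any allow line.
http_access deny to_localhost
http_access deny all

# --------- ICAP Services.(1 service(s))
# --------- icap_service C-ICAP mode 3.1.x
# bypass=on: if the ClamAV ICAP service is unreachable or errors, responses are
# passed through unscanned (fail-open). icap_service_failure_limit -1 below
# keeps retrying the service instead of suspending it. Decide explicitly
# whether fail-open is acceptable for this deployment.
icap_service service_antivir respmod_precache routing=on bypass=on icap://127.0.0.1:1345/srv_clamav
# --------- adaptation for C-ICAP service
adaptation_service_set class_antivirus service_antivir
# Streaming/flash media (MULTIMEDIA) skips the antivirus service.
adaptation_access class_antivirus deny MULTIMEDIA
adaptation_access class_antivirus allow all
icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxyweb

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
# 1600 seconds is about 27 minutes: a client whose upstream connect fails can
# be kept waiting that long. Confirm this is intentional.
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

# --------- Objects limits
request_body_max_size 5 MB
request_header_max_size 64 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB

#http/https ports
# Together with 'ssl_bump allow all' below, every CONNECT tunnel through this
# port is decrypted and re-signed by the proxy with the CA in cacert.pem.
# Consequences: clients must trust that CA; privkey.pem must be readable only
# by the cache_effective_user (squid); and non-browser clients that validate
# the server certificate themselves may refuse to connect once bumped —
# presumably relevant to the MSN client here, to be confirmed.
http_port 3128 ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem

# --------- SSL Rules
ssl_bump allow all
always_direct allow all

# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 204 MB
# Fixed: the paste had these inverted (high 90, low 95). cache_swap_low is the
# disk-usage percentage at which eviction starts and must be below
# cache_swap_high; the ipcache_* pair below already uses low 90 / high 95.
cache_swap_low 90
cache_swap_high 95

# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.82.2

#--------- FTP specific parameters
ftp_list_width 50
ftp_passive on
ftp_sanitycheck off
ftp_epsv off
ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

icp_port 3130

# Logs-------------------------------------------------
# (this section header had lost its leading '#' in the paste; without it squid
# reports an unrecognised directive)
#fqdn is disabled to provide IP addresses to filters
log_fqdn off
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
# Cache-manager requests are not logged; all other requests go to two logs.
access_log none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid
icap_log /var/log/squid/icap_access.log
cache_dir ufs /var/cache/squid 20000 16 256

# --------- OTHER CACHES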