
Re: Block HTTPS website


 



Here is my config:

# Site-specific ACL definitions: client address groups, time windows and
# destination filters. They only name things; the http_access lines further
# down decide what is allowed or denied.

# Clients treated as "LAN" by the `http_access allow lan` rule near the end.
# NOTE(review): 122.3.237.66 is not an RFC1918 address - confirm that a public
# source address is really meant to be accepted as a proxy client.
acl lan src 122.3.237.66 172.16.9.0/24        # Define LAN internet
#acl lan src 172.16.18.2 172.16.0.0/16

#acl RestrictedHost_jobs src 172.16.9.80
#acl RestrictedHost_jack src 172.16.9.119
#acl RestrictedHost_esmie src 172.16.9.252
#acl RestrictedHost_grover src 172.16.9.109
#acl RestrictedHost_jay src 172.16.9.111

# Allow projectpoint.buzzsaw.com for DESIGN DEPARTMENT
# NOTE(review): neither BROWSING_PORT nor ALLOWED_SITE is referenced by any
# http_access line in this posted config, so they currently have no effect.
acl BROWSING_PORT port 80
acl ALLOWED_SITE dstdomain projectpoint.buzzsaw.com

# Per-workstation src ACLs. Every active one below is used by an
# `http_access deny RestrictedHost_*` line later in this config.
#Joy Team
acl RestrictedHost_jcpinto src 172.16.9.82
acl RestrictedHost_mmvillar src 172.16.9.86
acl RestrictedHost_djcarino src 172.16.9.116

#Nineth Team
acl RestrictedHost_ebinay src 172.16.9.85

#Thes Team
#acl RestrictedHost_aaquino src 172.16.9.90
acl RestrictedHost_rbasa src 172.16.9.91
acl RestrictedHost_jbadong src 172.16.9.81
acl RestrictedHost_dbalino src 172.16.9.104
#acl RestrictedHost_rfrancisco src 172.16.9.115

#Richard A. Team
#acl RestrictedHost_raraw src 172.16.9.101
acl RestrictedHost_lmusni src 172.16.9.35
# NOTE(review): 172.16.9.100 is also listed under NO_RESTRICTIONS below, so
# this host is both exempt from the site blocks and denied outright.
acl RestrictedHost_mmendoza src 172.16.9.100

#Jhun Team
acl RestrictedHost_jcruzado src 172.16.9.119
acl RestrictedHost_glustre src 172.16.9.109
acl RestrictedHost_jrmaganis src 172.16.9.111
acl RestrictedHost_earellano src 172.16.9.252
acl RestrictedHost_jmprimicias src 172.16.9.80

#Ranel Team
acl RestrictedHost_jbautista src 172.16.9.114
acl RestrictedHost_jlmallari src 172.16.9.117
acl RestrictedHost_dcuna src 172.16.9.118

#Marge Team
acl RestrictedHost_vescolano src 172.16.9.92
#acl RestrictedHost_eselda src 172.16.9.87

#Allow certain Host on denied site
# Repeating the same ACL name adds each address to one NO_RESTRICTIONS list.
# The deny rules below exempt these clients via `!NO_RESTRICTIONS`.
# NOTE(review): exemption is by source IP only; anything that obtains one of
# these addresses inherits the bypass - confirm the addresses are reserved.
acl NO_RESTRICTIONS src 172.16.9.52
acl NO_RESTRICTIONS src 172.16.9.121
acl NO_RESTRICTIONS src 172.16.9.199
acl NO_RESTRICTIONS src 172.16.9.106
acl NO_RESTRICTIONS src 172.16.9.122
acl NO_RESTRICTIONS src 172.16.9.100
acl NO_RESTRICTIONS src 172.16.9.244
acl NO_RESTRICTIONS src 172.16.9.241
acl NO_RESTRICTIONS src 172.16.9.239
acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to DANCE-MOTION.NET Wifi

# unblock some sites during lunch time
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat, so all seven days.
# NOTE(review): 00:00 is not covered by any of the three ranges as written,
# so neither the office-hour denies nor the lunch-time allow apply then.
acl LUNCHTIME time MTWHFSA 12:01-13:00
acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
acl OFFICEHOUR2 time MTWHFSA 00:01-12:00

# Nothing is cached. NOTE(review): `no_cache` is the older spelling of the
# `cache` directive - check it is still accepted by the Squid version in use.
no_cache deny all
# Destination domains read from a file, one entry per line.
acl whitelist dstdomain "/etc/squid/whitelist.acl"

#Block Files not allowed for downloading such as EXE, mp3, avi, COM,MPG,MP4, MSI, etc.
# urlpath_regex tests the path part of the URL. An HTTPS request reaches a
# forward proxy as `CONNECT host:port` with no path, so this ACL cannot match
# HTTPS downloads unless the proxy decrypts the traffic.
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
deny_info ERR_BLOCKED_FILES blockfiles

#Block Restricted Websites by Domain Name
# dstdomain compares the requested host name, which is also visible on a
# CONNECT request. NOTE(review): the file contents are not shown; an entry
# needs a leading dot (.example.com) to cover subdomains such as www.
acl BadSites dstdomain "/etc/squid/restricted-sites.acl"
deny_info ERR_BLOCKED_SITES BadSites

#Block Restricted Websites by URL keyword
# Case-insensitive regex over the whole URL. For CONNECT the URL is only
# host:port, so keywords that appear in the path are never seen for HTTPS.
acl BlockSite_ByKeyword url_regex -i "/etc/squid/restricted-site-keyword.acl"
deny_info ERR_BLOCKED_SITES BlockSite_ByKeyword

#Block Restricted Websites by IP Address
# NOTE(review): the heading says IP address but the ACL type is dstdomain,
# which compares host names; `dst` is the type that matches destination IP
# addresses - confirm which one is intended.
acl BadSitesIP dstdomain "/etc/squid/restricted-IPaddress.acl"
deny_info ERR_BLOCKED_SITES BadSitesIP

# HTTPS Sites
# Disabled. As written the pattern is unanchored and `.` matches any
# character, so it would match any host name containing e.g. "facebookXcom".
#acl restricted_HTTPS_sites dstdom_regex -i facebook.com

# Site-specific access rules. Squid evaluates http_access lines top to bottom
# and stops at the first line whose ACLs all match; ACLs on one line are ANDed.
#
# NOTE(review): the two `allow` lines in this group carry no src condition and
# sit above the manager, Safe_ports and CONNECT checks further down in this
# config. A request that matches them is accepted from any client address and
# on any port before those checks run - consider moving these rules below the
# port checks and adding a client ACL.
http_access allow whitelist
# File-type block; matches on URL path, so it only sees plain HTTP requests.
http_access deny blockfiles !NO_RESTRICTIONS
# Domain block outside lunch time, skipped for NO_RESTRICTIONS clients.
http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
#http_access deny restricted_HTTPS_sites OFFICEHOUR1
#http_access deny restricted_HTTPS_sites OFFICEHOUR2
# Lunch-time exception. Because it is an allow that matches first, the
# RestrictedHost_* denies below do not apply to BadSites requests at lunch.
http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
http_access deny BadSitesIP !NO_RESTRICTIONS
# For CONNECT requests the keyword regex is tested against host:port only.
http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS

#http_access deny RestrictedHost_jobs
#http_access deny RestrictedHost_jack
#http_access deny RestrictedHost_esmie
#http_access deny RestrictedHost_grover

# Per-host denies: each line refuses every request from that workstation that
# was not already accepted by an allow rule above.
#Joy Team
http_access deny RestrictedHost_jcpinto
http_access deny RestrictedHost_mmvillar

#Nineth Team
http_access deny RestrictedHost_ebinay
#http_access deny RestrictedHost_eselda
http_access deny RestrictedHost_djcarino

#Thes Team
#http_access deny RestrictedHost_aaquino
http_access deny RestrictedHost_rbasa
http_access deny RestrictedHost_jbadong
http_access deny RestrictedHost_dbalino

#Raul Team
#http_access deny RestrictedHost_raraw
http_access deny RestrictedHost_lmusni
# NOTE(review): this host's address (172.16.9.100) is also in NO_RESTRICTIONS,
# so it skips the site blocks above and is then denied here - confirm intent.
http_access deny RestrictedHost_mmendoza

#Jhun Team
http_access deny RestrictedHost_jcruzado
http_access deny RestrictedHost_glustre
http_access deny RestrictedHost_jrmaganis
http_access deny RestrictedHost_earellano
http_access deny RestrictedHost_jmprimicias

#Ranel Team
http_access deny RestrictedHost_jbautista
#http_access deny RestrictedHost_rfrancisco
http_access deny RestrictedHost_jlmallari
http_access deny RestrictedHost_dcuna

#Marge Team
http_access deny RestrictedHost_vescolano

# --------END OF ALT CLADDING, INC. ACL DEFINITION-------------------------------------------

# Stock ACL definitions used by the recommended-minimum http_access rules
# that follow: cache manager requests, loopback addresses, private client
# ranges, and the port and method sets.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Requests whose destination is the proxy host's own loopback range.
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE(review): all three RFC1918 ranges are accepted as clients, which is
# wider than the 172.16.9.0/24 network this site defines as its LAN.
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
#
# Destination ports commonly used by Tor (9001 relay, 9030 directory,
# 9051 control). They fall inside the 1025-65535 Safe_ports range below,
# which is why they need their own ACLs to be refused.
# NOTE(review): a port match only catches services on these default ports.
acl TOR_PORT1 port 9001
acl TOR_PORT2 port 9030
acl TOR_PORT3 port 9051

# Only port 443 may be the target of a CONNECT tunnel.
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
# Matches the CONNECT method, i.e. HTTPS tunnels through the proxy.
acl CONNECT method CONNECT

#  TAG: http_access
#    Allowing or Denying access based on defined access lists
#
#    Access to the HTTP port:
#    http_access allow|deny [!]aclname ...
#
#    NOTE on default values:
#
#    If there are no "access" lines present, the default is to deny
#    the request.
#
#    If none of the "access" lines cause a match, the default is the
#    opposite of the last line in the list.  If the last line was
#    deny, the default is allow.  Conversely, if the last line
#    is allow, the default will be deny.  For these reasons, it is a
#    good idea to have an "deny all" or "allow all" entry at the end
#    of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Recommended-minimum access rules followed by the site's client allows.
# NOTE(review): the site rules earlier in this config (`http_access allow
# whitelist`, `http_access allow BadSites LUNCHTIME ...`) are evaluated before
# anything here, so a request they accept never reaches the manager,
# Safe_ports or CONNECT checks below.
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Refuse the Tor ports, then any port outside Safe_ports
http_access deny TOR_PORT1
http_access deny TOR_PORT2
http_access deny TOR_PORT3
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): still commented out here, so clients can ask the proxy to
# fetch from services bound to its own loopback interface.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# NOTE(review): localnet already contains 172.16.0.0/12, which covers
# 172.16.9.0/24; the later `allow lan` line therefore only adds 122.3.237.66.
http_access allow localnet

# And finally deny all other access to this proxy

# -----------------------------
# DEFINED FOR ALT CLADDING
http_access allow localhost
http_access allow lan
# -----------------------------


# Catch-all: anything not accepted above is refused.
http_access deny all


On 5/20/2011 5:21 PM, Amos Jeffries wrote:
On 20/05/11 21:07, Malvin Rito wrote:
Hi Jason,

I tried it, but it only blocks sites when the URL uses http, not https.

You keep failing to say what your config actually is. Only that the one way we know *does* work is not working for you. So we cannot really help.

Details please.


Regards,
Malvin

On 5/20/2011 4:48 PM, Jason Doran wrote:
Hi Malvin.
we are blocking facebook here with dstdom_regex:

acl my-desktop src 10.10.10.10/32
acl facebook dstdom_regex -i facebook.com

lol. Visit this URL:

http://ffacefaceafacebookfacecfacegebookwfacebookacomacomwwoof.example.com/

go ahead, try it.

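A working facebook block will display a page explaining that example.com is reserved by IANA. (The unanchored pattern facebook.com also matches the "facebookacom" inside that hostname, because "." matches any character, so the dstdom_regex rule blocks an unrelated domain.)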

Hint: use dstdomain to match domain names.
dstdom_regex is only very useful when fighting random patterned or multi-TLD domains.

Amos

