Re: Block HTTPS website

Thanks Amos. By the way, my Squid is currently set up as a transparent proxy; do you think it will block HTTPS connections? How?

Sorry, I was just not too familiar with the Squid config.

Regards,
Malvin

On 5/20/2011 9:06 PM, Amos Jeffries wrote:
On 20/05/11 21:54, Malvin Rito wrote:
Here is my config:


Okay, should have worked where you placed it.

What you need to do is add ".facebook.com" on a line in /etc/squid/restricted-sites.acl. That will block facebook.com access for both HTTP and HTTPS with your config. The "." at the start of the value is important.

Also, check that there is no ".com" or ".facebook.com" entry in /etc/squid/whitelist.acl

NOTE: Blocking HTTPS only works if the browser is passing HTTPS through Squid. If the browser is going directly to port 443 on its own, Squid cannot help.


The config as a whole has a lot of speed problems. The rest of this mail gives some extra hints about changes that will speed up the proxy ...

<snip>
#Allow certain Host on denied site
acl NO_RESTRICTIONS src 172.16.9.52
acl NO_RESTRICTIONS src 172.16.9.121
acl NO_RESTRICTIONS src 172.16.9.199
acl NO_RESTRICTIONS src 172.16.9.106
acl NO_RESTRICTIONS src 172.16.9.122
acl NO_RESTRICTIONS src 172.16.9.100
acl NO_RESTRICTIONS src 172.16.9.244
acl NO_RESTRICTIONS src 172.16.9.241
acl NO_RESTRICTIONS src 172.16.9.239
acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to

# unblock some sites during lunch time
acl LUNCHTIME time MTWHFSA 12:01-13:00
acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
acl OFFICEHOUR2 time MTWHFSA 00:01-12:00

no_cache deny all

"no_cache" is obsolete.
If you want to not cache, change it to "cache deny all".

If you want Squid to optimize speed a bit by caching some items for fast re-use remove the line.

acl whitelist dstdomain "/etc/squid/whitelist.acl"

<snip>
#Block Restricted Websites by Domain Name
acl BadSites dstdomain "/etc/squid/restricted-sites.acl"
deny_info ERR_BLOCKED_SITES BadSites
<snip>

#Block Restricted Websites by IP Address
acl BadSitesIP dstdomain "/etc/squid/restricted-IPaddress.acl"
deny_info ERR_BLOCKED_SITES BadSitesIP

You can drop the "BadSitesIP" ACL entirely.

Add this instead:
  acl BadSites dstdomain "/etc/squid/restricted-IPaddress.acl"

NP: there are also http_access changes which need to happen with that name change.

<snip>
http_access allow whitelist

I assume "NO_RESTRICTIONS" means you want those hosts not to be restricted.

To do that you want to put this line here:
  http_access allow NO_RESTRICTIONS

... then you can remove it from all the later http_access lines:

http_access deny blockfiles !NO_RESTRICTIONS
http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
#http_access deny restricted_HTTPS_sites OFFICEHOUR1
#http_access deny restricted_HTTPS_sites OFFICEHOUR2
http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
http_access deny BadSitesIP !NO_RESTRICTIONS
http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS

<snip>

Those few dozen "Team" http_access lines can be combined into one single ACL, like this:


 #Joy Team
 acl RestrictedHost src 172.16.9.82  # jcpinto
 acl RestrictedHost src 172.16.9.86  # _mmvillar
 acl RestrictedHost src 172.16.9.116 # _djcarino

 #nINETH Team
 acl RestrictedHost src 172.16.9.85  # _ebinay

 #Thes Team
 #acl RestrictedHost src 172.16.9.90  # _aaquino
 acl RestrictedHost src 172.16.9.91  # _rbasa
 acl RestrictedHost src 172.16.9.81  # _jbadong
 acl RestrictedHost src 172.16.9.104 # _dbalino
 #acl RestrictedHost src 172.16.9.115 # _rfrancisco

 #Richard A. Team
 #acl RestrictedHost src 172.16.9.101 # _raraw
 acl RestrictedHost src 172.16.9.35  # _lmusni
 acl RestrictedHost src 172.16.9.100 # _mmendoza

 #Jhun Team
 acl RestrictedHost src 172.16.9.119 # _jcruzado
 acl RestrictedHost src 172.16.9.109 # _glustre
 acl RestrictedHost src 172.16.9.111 # _jrmaganis
 acl RestrictedHost src 172.16.9.252 # _earellano
 acl RestrictedHost src 172.16.9.80  # _jmprimicias

 #Ranel Team
 acl RestrictedHost src 172.16.9.114 # _jbautista
 acl RestrictedHost src 172.16.9.117 # _jlmallari
 acl RestrictedHost src 172.16.9.118 # _dcuna

 #Marge Team
 acl RestrictedHost src 172.16.9.92  # _vescolano
 #acl RestrictedHost src 172.16.9.87  # _eselda

 http_access deny RestrictedHost


Taddah! about 15 times faster.


<snip>
# --------END OF ALT CLADDING, INC. ACL DEFINITION-------------------------------------------

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Hmm, you can drop the "localnet" ACL completely.
You defined it already with your own name of "lan".

#
acl TOR_PORT1 port 9001
acl TOR_PORT2 port 9030
acl TOR_PORT3 port 9051

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports

Instead of making new ACLs and checking them separately, you can just alter Safe_ports to exclude TOR.

Remove:
  acl Safe_ports port 1025-65535 # unregistered ports

Add:
 acl Safe_ports port 1025-9000
 acl Safe_ports port 9002-9029
 acl Safe_ports port 9031-9050
 acl Safe_ports port 9052-65535

Now you can also remove the TOR_PORT* http_access lines later on.

acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny TOR_PORT1
http_access deny TOR_PORT2
http_access deny TOR_PORT3
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS


Hmm, this is where the whole section earlier called "ALT CLADDING, INC. ACL DEFINITION" is supposed to be: right after the security checks that the host is behaving itself (safe SSL and port usage).

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

"localnet" can be erased since you are calling it "lan" instead.


# And finally deny all other access to this proxy

# -----------------------------
# DEFINED FOR ALT CLADDING
http_access allow localhost
http_access allow lan
# -----------------------------


http_access deny all



Amos
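To make the rules Amos relies on concrete (first-match http_access, the leading "." in dstdomain, Safe_ports with the Tor ports carved out, the whitelist-shadows-blocklist check, and squid.conf's own warning that an unmatched request gets the opposite of the last line's action), here is a small Python model of that evaluation. It is an added example written for this page, not Squid's code and not anything posted in the thread. The "lan" network (172.16.9.0/24, never shown in the thread), the whitelist contents, and the client and destination addresses are constructed assumptions; day-of-week handling in time ACLs is left out.

```python
"""Toy evaluator for Squid 'acl' and 'http_access' semantics (added example, not Squid code).
Models only the ACL types used in the thread: src, dstdomain, port, method, time.
"""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str             # client IP
    host: str            # destination host (Host: header or CONNECT target)
    port: int
    method: str = "GET"
    time: str = "10:00"  # HH:MM for 'time' ACLs; day-of-week is ignored in this model

def domain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain: a leading '.' matches the domain plus all subdomains, else exact host."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

class Acls:
    def __init__(self):
        self.defs = {"all": ("src", ["0.0.0.0/0"])}  # Squid's built-in 'all'

    def add(self, name, acl_type, *values):
        """Repeated 'acl NAME TYPE value' lines accumulate into one ACL."""
        _, vals = self.defs.setdefault(name, (acl_type, []))
        vals.extend(values)

    def match(self, name, req: Request) -> bool:
        kind, vals = self.defs[name]
        if kind == "src":
            ip = ipaddress.ip_address(req.src)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
        if kind == "dstdomain":
            return any(domain_match(v, req.host) for v in vals)
        if kind == "port":  # "N" or "N-M"
            return any(int(lo) <= req.port <= int(hi or lo)
                       for lo, _, hi in (v.partition("-") for v in vals))
        if kind == "method":
            return req.method.upper() in vals
        if kind == "time":  # "HH:MM-HH:MM", inclusive
            now = _minutes(req.time)
            return any(_minutes(a) <= now <= _minutes(b)
                       for a, b in (v.split("-") for v in vals))
        raise ValueError(f"unsupported ACL type {kind}")

def http_access(rules, acls: Acls, req: Request) -> str:
    """rules: [(action, ['acl', '!acl', ...])]. First line whose terms all match wins."""
    for action, terms in rules:
        if all(acls.match(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"  # squid.conf's documented default

def whitelist_shadows(whitelist, blocklist):
    """Amos's check: pairs where a whitelist entry (e.g. '.com') covers a blocked domain."""
    return [(w, b) for w in whitelist for b in blocklist if domain_match(w, b.lstrip("."))]

def build_config(whitelist=(".example.org",)):
    """Amos's suggested ordering. 'lan' is not shown in the thread; 172.16.9.0/24 is assumed."""
    a = Acls()
    a.add("SSL_ports", "port", "443")
    a.add("Safe_ports", "port", "80", "21", "443", "70", "210", "280", "488", "591", "777",
          "1025-9000", "9002-9029", "9031-9050", "9052-65535")  # Tor ports carved out
    a.add("CONNECT", "method", "CONNECT")
    a.add("lan", "src", "172.16.9.0/24")
    a.add("NO_RESTRICTIONS", "src", "172.16.9.52", "172.16.9.121")
    a.add("LUNCHTIME", "time", "12:01-13:00")
    a.add("OFFICEHOUR", "time", "13:01-23:59", "00:01-12:00")
    a.add("BadSites", "dstdomain", ".facebook.com")
    a.add("whitelist", "dstdomain", *whitelist)  # constructed whitelist contents
    rules = [
        ("deny", ["!Safe_ports"]),
        ("deny", ["CONNECT", "!SSL_ports"]),
        ("allow", ["whitelist"]),
        ("allow", ["NO_RESTRICTIONS"]),
        ("deny", ["BadSites", "OFFICEHOUR"]),
        ("allow", ["BadSites", "LUNCHTIME"]),
        ("allow", ["lan"]),
        ("deny", ["all"]),
    ]
    return a, rules

def decide(req: Request, whitelist=(".example.org",)) -> str:
    acls, rules = build_config(whitelist)
    return http_access(rules, acls, req)

if __name__ == "__main__":
    staff = "172.16.9.91"  # constructed client address
    print(decide(Request(staff, "www.facebook.com", 443, "CONNECT", "10:00")))  # deny
    print(decide(Request(staff, "www.facebook.com", 443, "CONNECT", "12:30")))  # allow
    print(decide(Request("172.16.9.52", "www.facebook.com", 443, "CONNECT")))   # allow
    print(decide(Request(staff, "198.51.100.7", 9001, "CONNECT")))             # deny
    print(whitelist_shadows([".com"], [".facebook.com"]))  # [('.com', '.facebook.com')]
```

The model only reproduces the matching logic; it is not a substitute for `squid -k parse` and a look at access.log after a change. Two things it does make visible: a ".com" whitelist entry placed before the BadSites deny lets facebook.com through, and a rule list that ends in a deny line (with no "deny all") silently allows anything that matched nothing, which is why squid.conf's own comments insist on a final "deny all".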

