On 11/30/2011 06:41 PM, Amos Jeffries wrote: > On Wed, 30 Nov 2011 17:07:54 -0600, Paul Crown wrote: >> Greetings, >> >> I feel I am missing something simple. I have installed squid3 on >> Ubuntu. I added >> >> acl allow_domains dstdomain "/etc/squid3/always_direct.acl" >> always_direct allow allow_domains >> >> acl denied_domains dstdomain "/etc/squid3/denied_domains.acl" >> http_access deny denied_domains >> >> and populated both files accordingly, and restarted squid3. >> >> Now from a terminal, curl good-url and it works. curl bad-url and it >> gives me the blocked message. >> >> Try it in firefox, and good-url and bad-url both work fine. Neither is >> blocked. >> >> What did I forget? >> >> Thanks. >> >> Paul > > What you are missing is two details: > > Firstly, http_access and always_direct are completely unrelated controls. > - http_access determins whether Squid is allowed to service the request. > - always_direct determines whether Squid MUST (versus MAY) service the > request using DNS lookups and going directly to the public origin > server(s). > > Also, you are missing minor details about the URL being tested. ie > - whether the browse is automatically adding "www." in front of the > domain, or not > - whether curl is setting the HTTP/1.1 Host: header correctly, or not > - whether the browse and terminal tools were run on the same machine, or > not > - whether you have any other access controls affecting the requests (ie > a browser type ACL allowing Mozilla/* agents through before these controls) > > Amos > Thanks Amos. That makes sense. I got the browser working by configuring proxy settings in the browser to port 3128. I was trying to do transparent interception without changing the browser (otherwise some employees are going to change it back). So, I am still showing my lack of understanding regarding transparent http access. Must I also redirect port 80 to 3128 such as in iptables to not have to config the browser? Paul For ref: squid3 3.0.STABLE19-1 Ubuntu 10.04.2 LTS 64-bit /etc/squid3/squid.conf acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl denied_domains dstdomain "/etc/squid3/denied_domains.acl" http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny denied_domains http_access allow localhost http_access deny all icp_access deny all htcp_access deny all http_port 3128 transparent hierarchy_stoplist cgi-bin ? access_log /var/log/squid3/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_port 3130 error_directory /var/www/squid3 acl data_urls dstdomain "/etc/squid3/always_direct.acl" always_direct allow data_urls always_direct deny all coredump_dir /var/spool/squid3 /etc/squid3/always_direct.acl .amazonaws.com .google.com /etc/squid3/denied_domains.acl .evony.com .myspace.com .pogo.com .facebook.com .twitter.com .zynga.com
