On 20/09/2012 10:50 p.m., Jaime Gomez wrote:
Hi Amos,
Thanks for your quick response. I try to answer all your questions:
1.- Yes, the Chrome requests show up in squid access.log
2.- The Required issue: you are right. It was my fault. I didn't check
the conf file properly.
3.- WebUsers group content: people that are not allowed to visit
certain web pages. For instance: john.doe
"not" allowed? but you use it only in an "allow" context. If it matches
anything the user will be allowed unlimited access. Also note that ident
is a user-supplied detail, meaning knowledgable users are free to set
their own IDENT reponse text.
SocialNet: web pages like this: .facebook.com, .twitter.com and so on.
4.- That is the end of the file. Am I missing something?
There is no "http_access deny all" to clarify that it is the end of the
config. Just checking that you did not have anything else to allow stuff.
Amos
Thanks in advance,
Regards,
Jaime.
>>> El día 20/09/2012 a las 5:39, en el mensaje
<505A8FED.8070309@xxxxxxxxxxxxx>, Amos Jeffries <squid3@xxxxxxxxxxxxx>
escribió:
On 19/09/2012 9:18 p.m., Jaime Gomez wrote:
> Hi Amos,
>
> You are right, I didn't explain myself properly. We use ident to
identify our users. One user with IE or firefox wants to go to one
Facebook. He receives a wonderful deny message saying that he is not
allowed. Same user with Chrome does the same and he is able to access
to Facebook. After doing some research I found out that this only
happens if I use https.
Are the Chrome requests showing up in squid access.log?
> Here is the conf file. I've made a little modifications just to show
the important things:
>
> cache_effective_user proxy
> cache_effective_group proxy
> visible_hostname x.x.x.x
> unique_hostname x.x.x.x
> coredump_dir /data/squid
>
> http_port 3128
> cache_access_log /data/squid/logs/access.log
> cache_access_log /data/squid/logs/access.log
> cache_store_log /data/squid/logs/store.log
> cache_log /data/squid/logs/cache.log
> pid_filename /data/squid/logs/squid.pid
> logfile_rotate 2
> via off
> forwarded_for off
>
> dns_nameservers x.x.x.x
> positive_dns_ttl 8 hours
> negative_dns_ttl 30 seconds
>
> cache_replacement_policy heap LFUDA
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size_in_memory 20 KB
> cache_dir aufs /data/squid/cache 16000 16 256
> cache_mem 16 MB
> memory_pools off
> maximum_object_size 64 MB
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
> negative_ttl 0 minutes
>
> external_acl_type myIdent children=15 %SRC %IDENT /usr/bin/perl
/data/squid/scripts/myIdentUsers.pl
> acl ident_auth external myIdent REQUIRED
"REQUIRED" ? looks like you do not understand what is going on.
'REQUIRED' is a magic value for proxy_auth ACL type. It has nothing to
do with any others.
When used on the external ACL, the helper will be passed the three
strings: client IP address, client provided IDENT label, ... and the
textual word "REQUIRED".
>
> acl WebUsers ident "/data/squid/groups/WebUsers"
>
> acl Socialnet dstdomain "/data/squid/blacklists/socialnet/domains"
and what is this files content?
>
> http_access deny Socialnet
>
> http_access allow WebUsers
anything else afterwards?
Amos
>
> Thanks for your help.
>
> Regards.
>
>>>> Amos Jeffries <squid3@xxxxxxxxxxxxx> 19/09/2012 2:53 >>>
> On 19/09/2012 1:45 a.m., Jaime Gomez wrote:
>> Hi all,
>>
>> We have a very weird issue. I've been googling but couldn't find
the answer. We have our Squid (Squid Cache: Version 3.1.18) configured
in order to do some content filter. For instance: some people can
access Facebook and other social Webpages while others don't. The
weird issue is that people with Chrome can skip this acl. With IE and
Firefox it works. How is this possible?
> It might be because you configured it to happen. Or that Chrome is
> simply not using the proxy.
>
> Some information about what your configuration actually is would help
> (details please).
>
> Amos
>
