Thanks Walter and Amos, I've taken your advice and now I got the blocking to partially work. I've re-organized how my ACLs are set up (order) and am using your examples, Walter, to implement my ACLs. Working on the facebook example, I have..

    acl block_domains_regex dstdom_regex -i "/etc/squid/block-domains-regex-list-acl.squid"
    deny_info ERR_URL_BLOCKED block_domains_regex
    http_access deny block_domains_regex

In the acl file, I have..

    .*\.facebook\.com.*

According to http://www.regexr.com this blocks:

    https://www.facebook.com
    https://www.facebook.com/something
    https://something.facebook.com
    www.facebook.com
    http://www.facebook.com

However, it will not block..

    https://facebook.com
    http://facebook.com

I can't seem to get this right to block the bottom 2, any ideas?

----------------------------------------
Date: Wed, 15 Oct 2014 08:46:44 +0200
From: Walter.H@xxxxxxxxxxxxxxxxx
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

On 15.10.2014 08:13, Amos Jeffries wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> And the key difference in these configs is not the ACL contents, but
> the ordering in which they are matched.
>
> Mirza's config starts by telling Squid everything on the LAN/localnet
> is allowed. Ok, fine, Squid will do that.
>
> Walter's config will tell Squid a limited set of things to allow, then
> some things to deny, then implicitly allow everything else [1][2].
> Whichever rule actually matches the FB requests will be applied by
> Squid; with a limited set of initial allow/bypass, the likelihood that
> a deny following will match is higher.
>
>
> [1] this is not a great situation, because any remote attack which can
> figure out a way past your regex ACLs can use the proxy for whatever
> they please[2].
>
> [2] I hope you just omitted the localnet ACL checks which should
> follow the ones you showed.
>
> Amos

Yes I omitted this:

    acl localnet src 192.168.0.0/16

on top of squid.conf and

    http_access allow localnet
    http_access allow localhost

below the listed ACL rules;

Walter

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
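The thread raises two separate points: the regex in the ACL file cannot match the bare apex domain because it demands a dot before "facebook", and the order of http_access lines decides whether a deny rule is ever reached. The Python script below is an added illustration, not code from the thread or from the Squid project. It emulates the parts of Squid's behaviour that matter here: dstdom_regex -i is a case-insensitive regex search against the destination hostname only (not the full URL, which is what a regexr test against "https://..." strings exercises), and http_access is first-match, with the default when nothing matches being the opposite of the last rule's action. The hostnames, the client addresses, the LOOSE_PATTERN and PROPOSED_PATTERN strings, and the ALLOW_FIRST / DENY_FIRST rule lists are constructed for this example; the localnet range and the ACL names are the ones posted above.

```python
import ipaddress
import re

# Constructed test hostnames (not taken from the original thread).
HOSTNAMES = [
    "www.facebook.com",
    "something.facebook.com",
    "facebook.com",
    "FACEBOOK.COM",
    "notfacebook.com",           # unrelated domain, must stay reachable
    "facebook.com.example.net",  # unrelated domain, must stay reachable
    "example.com",
]

# Pattern from the original post: the leading "\." means the apex
# domain "facebook.com" itself can never match.
ORIGINAL_PATTERN = r".*\.facebook\.com.*"
# Unanchored pattern (constructed): over-blocks, e.g. notfacebook.com.
LOOSE_PATTERN = r"facebook\.com"
# Proposed pattern (constructed): apex domain or any subdomain,
# anchored at the end of the hostname.
PROPOSED_PATTERN = r"(^|\.)facebook\.com$"


def dstdom_regex_match(pattern, hostname):
    """Emulate 'dstdom_regex -i': case-insensitive, unanchored regex search
    on the destination hostname only, never on the full URL."""
    return re.search(pattern, hostname, re.IGNORECASE) is not None


def blocked_hosts(pattern, hostnames=HOSTNAMES):
    """Return the hostnames a single-pattern dstdom_regex ACL would match."""
    return [h for h in hostnames if dstdom_regex_match(pattern, h)]


def http_access_decision(rules, acls, request):
    """Emulate Squid's first-match http_access evaluation.

    rules: list of (action, acl_name) in squid.conf order
    acls:  acl_name -> predicate(request)
    If no rule matches, Squid applies the opposite of the last rule's action.
    """
    for action, acl_name in rules:
        if acls[acl_name](request):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


# ACL definitions mirroring the posted config (localnet = 192.168.0.0/16).
ACLS = {
    "localnet": lambda r: ipaddress.ip_address(r["src"])
    in ipaddress.ip_network("192.168.0.0/16"),
    "block_domains_regex": lambda r: dstdom_regex_match(PROPOSED_PATTERN, r["host"]),
}

# Mirza's ordering: allow localnet first, so the deny is never reached for LAN clients.
ALLOW_FIRST = [("allow", "localnet"), ("deny", "block_domains_regex")]
# Walter's ordering: deny first, then allow localnet.
DENY_FIRST = [("deny", "block_domains_regex"), ("allow", "localnet")]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN),
                      ("loose", LOOSE_PATTERN),
                      ("proposed", PROPOSED_PATTERN)):
        print(f"{name:9s} {pat!r:26s} blocks {blocked_hosts(pat)}")
    lan_fb = {"src": "192.168.1.10", "host": "facebook.com"}
    print("allow-first ordering:", http_access_decision(ALLOW_FIRST, ACLS, lan_fb))
    print("deny-first ordering: ", http_access_decision(DENY_FIRST, ACLS, lan_fb))
```

Running it shows the original pattern matching only the two dotted hostnames, the loose pattern also catching notfacebook.com and facebook.com.example.net, and the anchored pattern matching exactly the apex domain and its subdomains. The second half shows that with the proposed pattern in place, a LAN client to facebook.com is still allowed under allow-first ordering and denied under deny-first ordering, which is the ordering point Amos makes above.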