Search squid archive

Re: acl for redirect - re Amos

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Amos,

I would like to use e2guardian if possible, and after checking it out, http://www.google.com/webhp?nord=1 does force the insecure, but previous entries attempted just cause all searches to loop back to that same url instead of passing it along.

We could use a regex option in squid, but since we want the rest of the sites to be handled normally through e2guardian, what acl entries would we use to set it up to only take effect on google.com? Essentially "if dstdomain = google.com then use acl blocklist /etc/squid/badwords". I have not used a 2 layer or referring acl setup before, but before now never needed to.

Thank you so much for the help!

Mike


On 6/26/2015 0:29 AM, Amos Jeffries wrote:
On 26/06/2015 2:36 a.m., Mike wrote:
Amos, thanks for info.

The primary settings being used in squid.conf:

http_port 8080
# this port is what will be used for SSL Proxy on client browser
http_port 8081 intercept

https_port 8082 intercept ssl-bump connection-auth=off
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH


sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost


Then e2guardian uses 10101 for the browsers, and uses 8080 for
connecting to squid on the same server.
Doesn;t matter. Due to TLS security requirements Squid ensures the TLS
connection in re-encrypted on outgoing.


I am doubtful eth nord works anymore since Googles own documentation for
schools states that one must install a MITM proxy that does the traffic
filtering - e2guardian is not one of those. IMO you should convert your
e2guardian config into Squid ACL rules that can be applied to the bumped
traffic without forcing http://

But if nord does work, so should the deny_info in Squid. Something like
this probably:

  acl google dstdomain .google.com
  deny_info 301:http://%H%R?nord=1 google

  acl GwithQuery urlpath_regex ?
  deny_info 301:http://%H%R&nord=1 GwithQuery

  http_access deny google Gquery
  http_access deny google


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux