Hello, as the subject says I'm new. I've been reading a lot and some examples, and I have a weird problem where I can't block some domains. First and foremost, I'm using the Squid proxy for Windows, version 2.7.8, as that's the only one for Windows that works for me; the 3.x versions always deny requests from clients even with the default conf. I've been testing all this in a production environment, so... help me!! please, or I will get killed soon :D.

My conf for 2.7.8 is (I modified one that comes with proxy 3.1):

#Modified by Kyi Thar 15 March 2010
http_port 8080
cache_mgr helpdesk@xxxxxxxxxx
visible_hostname lotus.hidden
hierarchy_stoplist cgi-bin ?
cache_mem 64 MB
cache_replacement_policy heap LFUDA
cache_dir aufs c:/Squid/cache01 2000 16 256
cache_dir aufs c:/Squid/cache02 2000 16 256
cache_dir aufs c:/Squid/cache03 2000 16 256
cache_access_log c:/Squid/var/logs/access.log
cache_log c:/Squid/var/logs/cache.log
cache_store_log c:/Squid/var/logs/store.log
mime_table c:/Squid/etc/mime.conf
pid_filename c:/Squid/var/logs/squid.pid
# (this part here I don't know what its use is, as I can't find info about it on the net)
diskd_program c:/Squid/libexec/diskd.exe
unlinkd_program c:/Squid/libexec/unlinkd.exe
logfile_daemon c:/squid/libexec/logfile-daemon.exe
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace strip
maximum_object_size 524288 KB
maximum_object_size_in_memory 1024 KB
#redirect_program c:/usr/local/squidGuard/squidGuard.exe

#authentication with Windows server (commented this part as I don't want users to have to log on once more in the web pages; I wasn't able to stop them from doing so and my boss didn't like the extra hassle)
#auth_param basic program c:/squid/libexec/mswin_auth.exe -O HIDDEN
#auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
#auth_param ntlm children 5
#auth_param ntlm keep_alive on

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network (some of my computers are in this range)
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network (I don't use this range, but I will make a DMZ for the servers with it)
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network (NORMAL range for users)

# catch certain bugs (for example with persistent connections) and possibly
# buffer-overflow or denial-of-service attacks.
request_header_max_size 20 KB
reply_header_max_size 20 KB

#Limit upload to 2M and download to 10M (trying to stop users from uploading big files to email sites and FB and downloading big files, as I only have 6mbps and 1mbps down/up bandwidth)
request_body_max_size 2048 KB
reply_body_max_size 10485760 deny localnet

# compressed (I modified this part: instead of 0 they had 10080 and instead of 10080 they had 999999; those times are too big, files could stay fresh forever inside the cache)
refresh_pattern -i \.gz$ 0 90% 10080
refresh_pattern -i \.cab$ 0 90% 10080
refresh_pattern -i \.bzip2$ 0 90% 10080
refresh_pattern -i \.bz2$ 0 90% 10080
refresh_pattern -i \.gz2$ 0 90% 10080
refresh_pattern -i \.tgz$ 0 90% 10080
refresh_pattern -i \.tar.gz$ 0 90% 10080
refresh_pattern -i \.zip$ 0 90% 10080
refresh_pattern -i \.rar$ 0 90% 10080
refresh_pattern -i \.tar$ 0 90% 10080
refresh_pattern -i \.ace$ 0 90% 10080
refresh_pattern -i \.7z$ 0 90% 10080
# documents
refresh_pattern -i \.xls$ 0 90% 10080
refresh_pattern -i \.doc$ 0 90% 10080
refresh_pattern -i \.xlsx$ 0 90% 10080
refresh_pattern -i \.docx$ 0 90% 10080
refresh_pattern -i \.pdf$ 0 90% 10080
refresh_pattern -i \.ppt$ 0 90% 10080
refresh_pattern -i \.pptx$ 0 90% 10080
refresh_pattern -i \.rtf\?$ 0 90% 10080
# multimedia
refresh_pattern -i \.mid$ 0 90% 10080
refresh_pattern -i \.wav$ 0 90% 10080
refresh_pattern -i \.viv$ 0 90% 10080
refresh_pattern -i \.mpg$ 0 90% 10080
refresh_pattern -i \.mov$ 0 90% 10080
refresh_pattern -i \.avi$ 0 90% 10080
refresh_pattern -i \.asf$ 0 90% 10080
refresh_pattern -i \.qt$ 0 90% 10080
refresh_pattern -i \.rm$ 0 90% 10080
refresh_pattern -i \.rmvb$ 0 90% 10080
refresh_pattern -i \.mpeg$ 0 90% 10080
refresh_pattern -i \.wmp$ 0 90% 10080
refresh_pattern -i \.3gp$ 0 90% 10080
refresh_pattern -i \.mp3$ 0 90% 10080
refresh_pattern -i \.mp4$ 0 90% 10080
# images
refresh_pattern -i \.gif$ 0 90% 10080
refresh_pattern -i \.jpg$ 0 90% 10080
refresh_pattern -i \.png$ 0 90% 10080
refresh_pattern -i \.jpeg$ 0 90% 10080
refresh_pattern -i \.bmp$ 0 90% 10080
refresh_pattern -i \.psd$ 0 90% 10080
refresh_pattern -i \.ad$ 0 90% 10080
refresh_pattern -i \.gif\?$ 0 90% 10080
refresh_pattern -i \.jpg\?$ 0 90% 10080
refresh_pattern -i \.png\?$ 0 90% 10080
refresh_pattern -i \.jpeg\?$ 0 90% 10080
refresh_pattern -i \.psd\?$ 0 90% 10080
# application
refresh_pattern -i \.deb$ 0 90% 10080
refresh_pattern -i \.rpm$ 0 90% 10080
refresh_pattern -i \.msi$ 0 90% 10080
refresh_pattern -i \.exe$ 0 90% 10080
refresh_pattern -i \.dmg$ 0 90% 10080
# default refresh patterns
refresh_pattern ^ftp: 1440 20% 0
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

# if a transfer ends before finishing, do the quick abort if those parameters comply (I kinda forgot why I copied this from the web)
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95

#ACL to define ports allowed to pass through Squid
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 84 # laboratorios cortina
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl CONNECT method CONNECT

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
acl fullvideo src "c:/squid/etc/ipfullvideo.sq" # here is a file with IPs allowed to see YouTube and Facebook videos, media streaming
acl bad_url url_regex -i "c:/squid/etc/bad-sites.sq" # .facebook.com .twitter.com rule to block those sites for users inside ipbloqueada
acl ipbloqueada src 192.168.1.117/32 192.168.1.179/32 192.168.1.170/32 192.168.1.15/32 # IPs of 3 users that shouldn't be accessing FB and Twitter.
acl bad_ext urlpath_regex -i "c:/squid/etc/extensiones.sq" # rule to block some file extensions like .avi$, .mpg$ etc. and stop downloads of them even if they are smaller than 10MB (this doesn't WORK!)

#Media Streams: I try to block streaming here; downloaded this from your site
## MediaPlayer MMS Protocol
acl media rep_mime_type mms
acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)
## Active Stream Format (Windows Media Player)
acl media rep_mime_type x-ms-asf
##acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$ #(this regex makes squid 2.7.8 blow up, had to comment it)
## Flash Video Format
acl media rep_mime_type video/flv video/x-flv
##acl mediapr urlpath_regex \.flv(\?.*)?$ #(this regex makes squid 2.7.8 blow up, had to comment it)
## Flash General Media Scripts (Animation)
acl media rep_mime_type application/x-shockwave-flash
##acl mediapr urlpath_regex \.swf(\?.*)?$ #(this regex makes squid 2.7.8 blow up, had to comment it)
## Others currently unknown
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs

# now we do the real blocking here
http_access allow localnet #let the network use the proxy
http_access allow localhost #let the proxy server use itself ?? (O_o I don't quite get this part.)
http_access allow manager localhost
http_access deny bad_url ipbloqueada #here I want all the URLs in BAD_URL from the IPs in IPBLOQUEADA to be denied; it used to work... when I started, but now it doesn't. I will show a sample of the file at the end
http_access deny bad_ext #block reading of files with those extensions.
deny_info TCP_RESET bad_ext #send a tcp_reset so they don't know the proxy blocked them
http_reply_access deny media !fullvideo # here I try to deny access to media to all but those inside fullvideo (doesn't quite work either, YouTube loads and works :D); some other streaming is blocked fine
##http_access deny mediapr

# And finally deny all other access to this proxy
http_access deny all

#always_direct allow all # I feel this part is to let squidGuard work; I removed it because it blocked YouTube and many other sites, I bet that was because of the ads.

icon_directory c:/Squid/share/icons
error_directory c:/Squid/share/errors/Spanish
coredump_dir c:/Squid

##This is bad_sites.sq
.fanfiction.net
.meebo.com
.playboy.com
.myspace.com
.sexo.com
.facebook.com
.twitter.com
.hi5.com
plus.google.com
.identi.li

## this is extensiones.sq
.mp3$
.exe$
.com$
.bat$
.pif$
.avi$
.mpg$
.zip$
.rar$
.z7$

##this is ipfullvideo.sq
192.168.1.36
192.168.1.51
192.168.1.67
192.168.1.170
192.168.1.171
192.168.1.185
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
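An added example, not the poster's configuration: Squid evaluates http_access lines top to bottom and stops at the first match, so in the config above "http_access allow localnet" admits every internal client before the bad_url and bad_ext denies are ever consulted. The fragment below reorders the poster's own ACLs (bad_url, ipbloqueada, bad_ext, localnet, localhost, manager, Safe_ports, SSL_ports) so the denies run first, and reads the reply_body_max_size semantics from the 2.7 squid.conf documentation, where the first line whose ACLs evaluate to "allow" sets the limit.

```conf
# Added example for Squid 2.7: specific denies before the broad allow.
# ACL definitions are unchanged from the poster's config; only the
# http_access order and the reply_body_max_size line differ.

# cachemgr from the proxy host itself, refused from everyone else
http_access allow manager localhost
http_access deny manager

# port and CONNECT hygiene stays at the top
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# two ACLs on one line are ANDed: only the listed source IPs going to
# the listed domains are denied; everyone else falls through
http_access deny bad_url ipbloqueada

# extension block for all clients, with the TCP reset the poster wanted
http_access deny bad_ext
deny_info TCP_RESET bad_ext

# only now the broad allows: a request reaching here passed every deny
http_access allow localnet
http_access allow localhost
http_access deny all

# reply_body_max_size applies the limit on the first line that *allows*;
# "deny localnet" exempts the LAN from the 10 MB cap instead of imposing it
reply_body_max_size 10485760 allow localnet
```

After reloading, a request from 192.168.1.117 to a bad_url domain should show TCP_DENIED in access.log, which confirms the deny is now reached before the localnet allow.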