On 1/12/2015 3:56 a.m., Edmonds Namasenda wrote:
> Greetings.
>
> I want to deny access to certain downloads (in str-med.txt) during "WorkHrs"
> This is failing miserably as this is not achieved.
>
> Please look through my files (squid.conf and str-med.txt) below for
> pointers to rectify this. Thanks in advance

Apart from being placed above the access controls on CONNECT (it should be
below), the config looks like it should work and block all HTTP downloads
for URLs that look like filename downloads.

I suspect that you are probably confusing HTTPS and HTTP though. HTTPS does
not have a URL path exposed for the ACL to work with. So these controls will
have no effect on HTTPS traffic.

Or perhaps you are confusing URL paths for file paths. While they do look
alike sometimes, the overlap is purely historical design coincidence. There
is not necessarily any correlation in reality.

>
> ### Start squid.conf ###
> acl office-net src 10.10.2.0/24
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> acl WorkHrs time MTWHF 08:29-12:59
> acl WorkHrs time MTWHFA 14:00-16:59
>
> ## Wrong Files and URLS
> acl malice dstdomain -i "/etc/squid/malware.acl"
> acl porn dstdomain -i "/etc/squid/xxx.acl"
> acl ads dstdomain -i "/etc/squid/ads.acl"
> acl proxies dstdomain -i "/etc/squid/proxies.acl"
>
> acl nostr urlpath_regex -i "/etc/squid/str-med.txt"
>
> http_access deny nostr WorkHrs
> http_reply_access deny nostr WorkHrs

If the "nostr WorkHrs" check matches anything it would do so on http_access;
the reply version is not useful.
>
> http_access deny !Safe_ports
> http_access deny ads
> http_access deny porn
> http_access deny malice
> http_access deny proxies

The ACLs ads, porn, malice, and proxies are all dstdomain. You should be
able to load all their entries into one ACL name and just test once,
instead of checking each request's domain 4 times. Combine them into one
ACL name.

Also, all your custom ACLs should be placed after the "deny CONNECT
!SSL_ports" line.

>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow office-net all
>
> # Allow localhost always proxy functionality
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> error_directory /usr/share/squid/errors/en
>
> icp_access allow office-net
> icp_access deny all
>
> htcp_access allow office-net
> htcp_access deny all
>
> http_port 10.10.2.10:3128 intercept
> http_port 127.0.0.1:3127
>
> hierarchy_stoplist cgi-bin ?
>

You don't have peers, so the above is not useful. You can remove it.

<snip>

>
> acl youtube dstdomain .youtube.com
> cache allow youtube

The above may not be doing what you think it does...

With ACL processing the implicit default action is the inverse of the
previous action. So what the above does is tell Squid to cache youtube.com
objects, *but nothing else*. If that is intentional it is best to say so
with an explicit "cache deny all" line at the end.

If you want youtube.com objects to be cached, a) the above does not work,
and b) you don't have to specify "cache allow" lines. The default action by
Squid is to cache everything that is cacheable.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
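The three behaviours discussed in the reply (first-match evaluation of an access list, a urlpath_regex ACL never seeing a path on a CONNECT request, and the implicit default action that makes "cache allow youtube" on its own cache nothing else) can be checked against a small model of Squid's ACL evaluation. The following is an added example written for this page; it is not Squid's code and nothing from the thread. The http_access order follows Amos's advice (custom ACLs after the CONNECT check, the four dstdomain lists merged into one), and the blocklist patterns and domains are constructed stand-ins because str-med.txt and the .acl files are not shown on the page.

```python
"""Minimal model of Squid's first-match access-list evaluation (added example,
not Squid code). Enough of the ACL types from the posted squid.conf are
modelled to reproduce the points made in the reply."""
import ipaddress
import re
from datetime import datetime, time

# Day letters accepted by Squid's "time" ACL: S M T W H F A = Sunday..Saturday
DAY_LETTERS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


class Request:
    """What the proxy sees. A CONNECT tunnel exposes only host:port, so the
    URL path is None and a urlpath_regex ACL has nothing to match against."""
    def __init__(self, src, method, host, port, path, when):
        self.src = ipaddress.ip_address(src)
        self.method, self.host, self.port, self.path, self.when = method, host, port, path, when


def acl_src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: r.src in net


def acl_port(*ports):
    """Single ports or (low, high) ranges, as in 'acl Safe_ports port 1025-65535'."""
    return lambda r: any(r.port == p if isinstance(p, int) else p[0] <= r.port <= p[1] for p in ports)


def acl_method(name):
    return lambda r: r.method == name


def acl_time(days, span):
    start, end = (time.fromisoformat(t) for t in span.split("-"))
    wanted = {DAY_LETTERS[d] for d in days}
    return lambda r: r.when.weekday() in wanted and start <= r.when.time() <= end


def acl_dstdomain(*domains):
    """A leading dot matches the domain and all its subdomains; no dot, exact only."""
    def match(r):
        h = r.host.lower()
        return any(h == d.lstrip(".") or (d.startswith(".") and h.endswith(d)) for d in domains)
    return match


def acl_urlpath_regex(*patterns):
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    # CONNECT requests carry no path, so this ACL can never match them
    return lambda r: r.path is not None and any(x.search(r.path) for x in regs)


def any_of(*preds):
    """Several 'acl NAME ...' lines with the same name are OR'ed together."""
    return lambda r: any(p(r) for p in preds)


def evaluate(rules, acls, req):
    """First line whose ACLs all match decides. If no line matches, Squid
    applies the opposite of the last line's action (the implicit default)."""
    for action, terms in rules:
        if all(acls[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# ACLs from the posted squid.conf. The blocklist contents are constructed here
# because str-med.txt and the *.acl files are not on the page.
ACLS = {
    "office-net": acl_src("10.10.2.0/24"),
    "Safe_ports": acl_port(80, 21, 443, 70, 210, (1025, 65535), 280, 488, 591, 777),
    "SSL_ports": acl_port(443),
    "CONNECT": acl_method("CONNECT"),
    "WorkHrs": any_of(acl_time("MTWHF", "08:29-12:59"), acl_time("MTWHFA", "14:00-16:59")),
    "blocked": acl_dstdomain(".malware-sample.test", ".ads-sample.test"),  # constructed; the four dstdomain lists merged
    "nostr": acl_urlpath_regex(r"\.(exe|msi|zip|iso)$"),                 # constructed stand-in for str-med.txt
    "youtube": acl_dstdomain(".youtube.com"),
    "all": lambda r: True,
}

# http_access with the custom ACLs placed after the CONNECT check, as advised
HTTP_ACCESS = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["blocked"]),
    ("deny", ["nostr", "WorkHrs"]),
    ("allow", ["office-net"]),
    ("deny", ["all"]),
]

# The posted "cache allow youtube" line on its own: everything else falls to the implicit deny
CACHE = [("allow", ["youtube"])]


def http_access(req):
    return evaluate(HTTP_ACCESS, ACLS, req)


def cache_decision(req):
    return evaluate(CACHE, ACLS, req)


def sample(method, host, port, path, when="2015-01-13T10:00"):
    """Request from the office network; default time is a Tuesday inside WorkHrs."""
    return Request("10.10.2.5", method, host, port, path, datetime.fromisoformat(when))


if __name__ == "__main__":
    print(http_access(sample("GET", "files.example.test", 80, "/setup.exe")))                      # deny
    print(http_access(sample("GET", "files.example.test", 80, "/setup.exe", "2015-01-13T13:30")))  # allow (lunch gap)
    print(http_access(sample("CONNECT", "files.example.test", 443, None)))                         # allow: no path to match
    print(cache_decision(sample("GET", "files.example.test", 80, "/index.html")))                  # deny
```

The CONNECT case is the one to look at: the same download host at 10:00 on a Tuesday is denied over plain HTTP and allowed over HTTPS, because the regex never runs against a path. The cache model likewise shows that with only an "allow" line present, every non-youtube request falls through to the opposite action, which is the behaviour Amos describes.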