On 4/08/2016 8:04 p.m., Harsha S Aryan wrote: > this is my squid conf file. > > ############################################# > > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours > auth_param basic casesensitive off > acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt" > acl blocked_ip src "/etc/squid3/Blocked_Ip.txt" > acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt" > acl allcomputers src 192.168.1.0/255.255.255.0 > acl allcomputers src 192.168.2.0/255.255.255.0 > acl all_others dst 0.0.0.0/0.0.0.0 > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl all src all > acl localhost src 127.0.0.1/32 > acl to_localhost dst 127.0.0.0/8 > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localhost manager > http_access deny manager > http_access allow localhost > http_access deny all > http_port 3128 > http_port 80 vhost > hierarchy_stoplist cgi-bin ? > access_log /var/log/squid3/access.log squid > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880 > refresh_pattern \.js$ 1440 0% 4320 > refresh_pattern \.(PNG|png)$ 1440 0% 4320 > refresh_pattern . 0 20% 4320 > acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9] > upgrade_http0.9 deny shoutcast > acl apache rep_header Server ^Apache > broken_vary_encoding allow apache > extension_methods REPORT MERGE MKACTIVITY CHECKOUT > hosts_file /etc/hosts > coredump_dir /var/spool/squid3 > > ################################################### > > On Wed, Aug 3, 2016 at 10:23 PM, Harsha S Aryan <harsha.s.aryan@xxxxxxxxx> > wrote: > >> >> ---------- Forwarded message ---------- >> From: Harsha S Aryan <harsha.s.aryan@xxxxxxxxx> >> Date: Wed, Aug 3, 2016 at 10:22 PM >> Subject: All website getting Blocked >> To: squid-users@xxxxxxxxxxxxxxxxxxxxx >> >> >> Hi, >> >> All website getting Blocked >> using squid3 >> ubuntu 14.04 >> Squid Cache: Version 3.3.8 >> >> >> conf file >> >> >> auth_param basic children 5 >> auth_param basic realm Squid proxy-caching web server >> auth_param basic credentialsttl 2 hours >> auth_param basic casesensitive off No auth helper is configurred, making the above useless. You can remove. >> acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt" >> acl blocked_ip src "/etc/squid3/Blocked_Ip.txt" >> acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt" >> acl allcomputers src 192.168.1.0/255.255.255.0 >> acl allcomputers src 192.168.2.0/255.255.255.0 >> acl all_others dst 0.0.0.0/0.0.0.0 Thats all quite odd. Not used anyhow, so you can erase all of the above. >> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network >> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network >> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network >> acl all src all "all" is now a built-in directive. You can remove the above line. >> acl localhost src 127.0.0.1/32 >> acl to_localhost dst 127.0.0.0/8 "localhost" in modern systems includes the IP address ::1 from IPv6. The to_localhost should also be including the 0.0.0.0/32 address which some networking systems treat as localhost. This is a security protection so needs to be configured right to work. You have not used it anywhere though, so you can remove the definition entirely if you like. >> acl SSL_ports port 443 >> acl Safe_ports port 80 # http >> acl Safe_ports port 21 # ftp >> acl Safe_ports port 443 # https >> acl Safe_ports port 70 # gopher >> acl Safe_ports port 210 # wais >> acl Safe_ports port 1025-65535 # unregistered ports >> acl Safe_ports port 280 # http-mgmt >> acl Safe_ports port 488 # gss-http >> acl Safe_ports port 591 # filemaker >> acl Safe_ports port 777 # multiling http >> acl CONNECT method CONNECT >> http_access deny !Safe_ports >> http_access deny CONNECT !SSL_ports >> http_access allow localhost manager >> http_access deny manager >> http_access allow localhost >> http_access deny all In other words, this proxy will only accept requests coming from locahost (127.0.0.1). No other clients are permitted to use the proxy for HTTP. >> http_port 3128 >> http_port 80 vhost >> hierarchy_stoplist cgi-bin ? Above is an obsolete directive. Remove. >> access_log /var/log/squid3/access.log squid >> refresh_pattern ^ftp: 1440 20% 10080 >> refresh_pattern ^gopher: 1440 0% 1440 >> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 >> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880 >> refresh_pattern \.js$ 1440 0% 4320 >> refresh_pattern \.(PNG|png)$ 1440 0% 4320 >> refresh_pattern . 0 20% 4320 >> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9] >> upgrade_http0.9 deny shoutcast The shoutcast stuff is obsolete old Squid-2.7 config. Squid-3 has native ICY / SHOUTcast / ICEcast support. There is no config required. >> acl apache rep_header Server ^Apache >> broken_vary_encoding allow apache >> extension_methods REPORT MERGE MKACTIVITY CHECKOUT extension_methods are also obsolete in Squid-3. All methods, including unknown ones are treated properly. >> hosts_file /etc/hosts That is the default location for Limux systems. No need to configure hosts_file like this. >> coredump_dir /var/spool/squid3 >> >> Please let me know if anything is missing >> What are you intending this proxies purpose to be? Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
