Try to see what happens when you change and simplify the squidguard conf (after a backup) to a default one which blocks youtube.
This way you would be able to minimize the options from squidguard to squid or backwards.
Try to follow the cache.log and see if you see anything which mentions "youtube".

The options for the issue are one of two:
- Squidguard is configured wrong or has a bug
- Squid is configured wrong or has a bug

I cannot say that squid is 100% bullet proof, but first analyze the logs to see what happens, and if you need to block youtube specifically I would do it at the squid level rather than at the squidguard level, since it's a very simple, tiny and static rule.
And leaving the beauty of the splash page, to just block, add the next lines to the beginning of squid.conf:

#YT DOMS
acl ytdoms dstdomain .youtube.com .ytimg.com .googlevideo.com
acl ytallowedusers src 10.0.0.1/32 10.0.0.2/32
http_access deny ytdoms !ytallowedusers
##END OF ADDITION

If you wish to allow a specific user to access these domains just add them to the ytallowedusers acl.
Use squidguard only for things which need more frequent updates.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

From: Sameh Onaissi [mailto:sameh.onaissi@xxxxxxxxx]
Sent: Thursday, December 22, 2016 12:20 AM
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Bypassed Proxy

Hi Eliezer,

squid.conf: http://pastebin.com/7Nusciiu
squidguard.conf: http://pastebin.com/DiRgD23c

I think the client is using a Google chrome extension: https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)

On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru <mailto:eliezer@xxxxxxxxxxxx> wrote:

How does squid.conf look now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details and what it does with them.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line

debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is being passed to squidguard.
I believe that this should be a starting point that will show you if squid is sending the request to squidguard and how squidguard answers.

If you want more help, share with a paste the current squid.conf and squidguard.conf.
This way even if it’s not related directly to squid we can see if there is a hole in the setup you don’t see yet.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: mailto:eliezer@xxxxxxxxxxxx

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Bypassed Proxy

Hello all,

I got a transparent squid installed on Ubuntu 16.04.
Using squid guard, I am blocking certain websites, including youtube. Anytime a user tries accessing it, he/she is redirected to an access denied page.

Except for ONE user! One user is somehow able to access youtube through squid! That IP is not on the exempt list, and has no special configurations.
access.log:

1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html

Any other user tries and gets:

1482339588.002 350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:
var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com

Any idea how he is doing it? I can add a rule to specifically deny 10.0.0.162, but I want to know how he is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
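
An added example, not part of any message in this thread: a Python script that replays native-format access.log lines against the ytdoms / ytallowedusers rule suggested in the reply, grouping hits by client, method and result code and showing what that one rule would decide. It models only that single http_access line, not the rest of squid.conf; the first three sample lines are copied from the thread and the fourth is constructed.

```python
# Added example (not from the thread): evaluate access.log entries against
# the dstdomain/src ACL pair and the single deny rule quoted in the reply.
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

YT_DOMS = (".youtube.com", ".ytimg.com", ".googlevideo.com")  # acl ytdoms dstdomain
YT_ALLOWED = ("10.0.0.1/32", "10.0.0.2/32")                   # acl ytallowedusers src

# First three lines are from the thread's access.log excerpt; the last is constructed.
SAMPLE_LOG = """\
1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339588.002 350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html
1482339600.000 12 10.0.0.1 TCP_MISS/200 900 GET http://i.ytimg.com/vi/x.jpg - HIER_DIRECT/192.0.2.10 image/jpeg
"""

def request_host(method, target):
    """Host of the logged target: 'host:port' for CONNECT, a full URL otherwise."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def dstdomain_match(host, patterns=YT_DOMS):
    """A leading-dot dstdomain entry matches the domain itself and any subdomain."""
    return any(host == p.lstrip(".") or host.endswith(p) for p in patterns)

def src_allowed(client, nets=YT_ALLOWED):
    """True when the client address falls inside one of the ytallowedusers networks."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def summarize(log_text):
    """Count (client, method, result/status, verdict) for requests that hit ytdoms."""
    hits = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a native-format access.log line
        client, result, method, target = f[2], f[3], f[5], f[6]
        if dstdomain_match(request_host(method, target)):
            # http_access deny ytdoms !ytallowedusers
            verdict = "allow" if src_allowed(client) else "deny"
            hits[(client, method, result, verdict)] += 1
    return hits

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG).items()):
        print(count, *key)
```

Run against a real access.log, the grouping separates clients that reach these domains through CONNECT from those that appear as plain GET requests, which is the difference visible between 10.0.0.162 and 10.0.0.40 in the excerpt.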