Search squid archive

Re: Bypassed Proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Try to see what happens when you change and simplify squidguard conf(after a backup) to a one default which blocks youtube.
This way you would be able to minimize the options from squidguard to squid or backwards.
Try to follow the cache.log and see if you see anything about anything which mentions "youtube".

The options for the issue are one of two:
Squidguard is configured wrong or has a bug
Squid is configured wrong or has a bug

I cannot say that squid is 100% bullet proof but first analyze the logs to see what happens and if you need to block youtube specifically I would do it in the squid level rather then in squidguard level since it's a very simple and tiny and static rule.
And leaving the beauty of the splash page and just block add the next lines to the beginning of squid.conf:
#YT DOMS
acl ytdoms dstdomain .youtube.com .ytimg.com .googlevideo.com
acl ytallowedusers src 10.0.0.1/32 10.0.0.2/32
http_access deny ytdoms !ytallowedusers
##END OF ADDITION

If you wish to allow a specific user to access these domains just add them to the ytallowedusers acl.
Use squidguard only for things which needs more frequent updates.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


From: Sameh Onaissi [mailto:sameh.onaissi@xxxxxxxxx] 
Sent: Thursday, December 22, 2016 12:20 AM
To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  Bypassed Proxy

HI Eliezer, 


squid.conf: http://pastebin.com/7Nusciiu

sqiudguard.conf: http://pastebin.com/DiRgD23c


I think the client is using a Google chrome extension: https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)




On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru <mailto:eliezer@xxxxxxxxxxxx> wrote:

How does squid.conf looks now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details
and what it does with it.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a start point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help share with a paste the current squid.conf and
squidguard.conf.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: mailto:eliezer@xxxxxxxxxxxx


From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject:  Bypassed Proxy

Hello all, 

I got a transparent squid installed on Ubuntu 16.04

Using squid guard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow, able to access you tube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443
- HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443
- HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET
https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea to how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam





_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux