-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Wednesday, November 1, 2017 3:52 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: can't block streaming
On 01/11/17 21:54, Vacheslav wrote:
Thanks for your time,
-----Original Message-----
From: Amos Jeffries
Sent: Tuesday, October 31, 2017 5:45 PM
On 31/10/17 22:05, Vacheslav wrote:
Peace,
I tried searching and debugging but I couldn't find a solution;
whatever I do, YouTube keeps working.
Here is my configuration:
...
# Media Streams
## MediaPlayer MMS Protocol
acl media rep_mime_type mms
acl mediapr url_regex dvrplayer mediastream ^mms://
## (Squid does not yet handle the URI as a known proto type.)
Unsupported URI schemes should result in the client receiving an HTTP
error page instead of Squid handling the traffic.
Which also explains your problems: the Browser is either not using
the proxy at all for this traffic, or sending the traffic through a
CONNECT tunnel that is allowed to be created for other reasons.
Well, I tried unchecking "automatically detect proxy settings". There are
2 network cards on the Squid box, one with a gateway; the same one is used as
the proxy IP, port 3128, and YouTube is not in the proxy bypass list. I
tried using Opera, with the same result.
Things like YT do not have to be on any bypass list to avoid the proxy.
It just has to have a URL scheme for some protocol the browser detects as not able to go through the HTTP-only proxy. eg "mms:"
Since mms:// means a non-HTTP protocol and it is not commonly supported by HTTP proxies, the browsers usually send it directly to the mms protocol port(s) AFAIK.
Well, I tried switching the IP of the PC to one that can't do HTTP and HTTPS at all without the proxy. I tested it without the proxy enabled and internet sites don't open; I switched the proxy back on and YouTube works even though it is forbidden.
What do you mean by a connect tunnel?
Things like this:
"
>CONNECT r1---sn-ntqe6n76.googlevideo.com:443 HTTP/1.1
>... non-HTTP data stream.
"
Which tells Squid to open a TCP connection to the named server and port.
That is how a YouTube video I'm watching right now is currently going through a test Squid. The browser of course shows it as a GET request for some https: URI, but the proxy only sees that CONNECT.
To see what is inside that particular port 443 tunnel one has to use SSL_Bump feature to decrypt the HTTPS protocol that is supposed to be on that port.
...
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# Deny all blocked extension
error_directory /usr/share/squid/errors/en
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
Please read the above line, and consider all the custom rules you
placed above it.
I moved the below text to under
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny mediapr
http_access deny mediapr1
http_access deny mediapr2
http_access deny mediapr3
http_reply_access deny media
...
#url_rewrite_program /usr/sbin/squidGuard
#url_rewrite_children 5
#debug_options ALL,1 33,2 28,9
And where must I place the two lines before the last one in order for
SquidGuard to work?
Right there where they are in your config will do.
What do you expect SquidGuard to do?
At first, I thought SquidGuard was needed to block file extensions;
then I discovered that it blocks URLs, so it is not a bad idea to block
porn sites and porn search terms.
Ah, I see. Well, if you are new to it I advise to try using squid.conf ACLs first. Sending things to helpers is quite I/O and memory intensive and most of what SG does can be done better by modern Squid.
Also, SquidGuard specifically is very outdated software and no longer maintained. If you have to do access control in a helper at all it is better to use the external_acl_type interface and other helpers that meet the more specific need.
Well then, I'll go with your advice and not use prehistoric software.
If Squid itself cannot identify any URLs with "mms://" scheme there
is no hope of SG being passed the non-existent URLs.
This I didn't digest!
See above with the CONNECT example. *If* the request is actually going through the proxy, the URI as far as Squid can see would be something like "r1---sn-ntqe6n76.googlevideo.com:443", or maybe just a raw-IP and port.
So what Squid can pass the URI helper is only that origin-form URI, not the encrypted (if HTTPS) or tunneled (if non-HTTP/HTTPS) absolute-URI stuff where the scheme is.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
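The point Amos makes above, that a CONNECT tunnel gives Squid only "host:port" and therefore no scheme for a url_regex to match, and that custom deny rules must sit above the allow rules, can be shown in a squid.conf fragment. The following is an added example, not a configuration from this thread or from the Squid project; it assumes the stock "CONNECT", "localnet" and "localhost" ACLs defined in the default squid.conf, and the domain list is illustrative.

```conf
# Added example (not from the thread): block the CONNECT tunnels YouTube
# actually uses, placed where the default squid.conf says
# "INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS".
# Assumes the default "CONNECT", "localnet" and "localhost" ACLs exist.

# The thread's rule cannot fire: a CONNECT request line looks like
#   CONNECT r1---sn-ntqe6n76.googlevideo.com:443 HTTP/1.1
# so there is no "mms://" (or "https://") scheme for the regex to see.
acl mediapr url_regex ^mms://
http_access deny mediapr          # never matches a CONNECT tunnel

# What Squid does see is the tunnel destination host, so match that.
# A leading dot matches the domain and every subdomain under it.
# The same ACL also catches ordinary http:// requests to those hosts.
acl ytvideo dstdomain .googlevideo.com .youtube.com
deny_info ERR_ACCESS_DENIED ytvideo
http_access deny ytvideo

# Deny rules must come BEFORE the allow that admits your clients:
# http_access is first-match, so an earlier "allow localnet" would win.
http_access allow localnet
http_access allow localhost
http_access deny all
```

Two caveats follow directly from the thread. If the client opens the tunnel to a raw IP and port rather than a hostname, a dstdomain ACL will not match it, and if the player bypasses the proxy altogether nothing in squid.conf can help. Inspecting what is inside the port 443 tunnel, rather than just its destination, needs the SSL_Bump feature Amos mentions.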