________________________________
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>

>
> You may be conflating two very different goals:
>
> A) Understanding why Squid does X.
> B) Configuring Squid to do what you want.
>
> My response was focused on the former. Once you understand, you can
> probably accomplish the latter on your own.

You are absolutely right. I'd like to understand how Squid *access rules work.

To put it bluntly, http_access and http_reply_access rules are processed one after another as they appear in squid.conf. It "exits" the sequence (i.e. stops going through each http_*access rule) as soon as it hits a match. The http_*access rules take on ACLs which can be AND'ed if the conditions are in one line, or OR'ed if they are on separate lines.

e.g.

http_access allow goodAgents !baddomains   (AND)
#--
http_access allow goodAgents
http_access deny baddomains                (OR)

>> My goal is to deny all client traffic from browsers that DO NOT have
>> a specific user-agent string. So this is a negated statement.
>
> There is no need to use negation for that. If the goodAgents ACL matches
> requests with "specific user-agent string", then you can do this:
>
> http_access allow goodAgents
> http_access deny all
>
> As you can see, there is no ACL negation or negative ACLs.

I understand your example, but unfortunately, I was looking for something else. It's my mistake because I started this thread with basic, stripped-down examples without giving details on what I need to achieve. I wasn't doing ACL negation just for kicks. It's because I need to integrate it into a broader setup.

Your example "works", but Squid will match "goodAgents" in your first line, and exit without going on. I need to apply other rules afterwards. In other words, my intention was to first filter based on the UA string, and block all except e.g. MyAllowedUAstring. From then on, I need to apply the rest of my rules.
>> clientAccessCheckDone: The request CONNECT 89.16.167.134:443 is DENIED; last ACL checked: allowed_useragent
>
> As you can see, your CONNECT request was denied (because it lacks the
> User-Agent header). The rest does not matter much (for now), but Squid
> bumps the connection to serve the error page in response to the first
> bumped HTTP request (regardless of what that first bumped HTTP request
> looks like).

So... What is the security implication of allowing all CONNECT messages to port 443?

The following acl + access rules I set up actually "work" as in my previous "example 2". I simply allowed the CONNECT messages.

Here's most of my squid.conf file:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130

http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

cache_dir diskd /var/cache/squid 32 16 256

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy-server1.mydomain.org@xxxxxxxxxxxx
auth_param negotiate children 60
auth_param negotiate keep_alive on

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl ORG_all proxy_auth REQUIRED

external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv

acl allowed_ips src "/opt/custom/proxy-settings/allowed.ips"
acl allowed_extra1_ips src "/opt/custom/proxy-settings/allowed.extra1.ips"
acl allowed_groups external nt_group "/opt/custom/proxy-settings/allowed.groups"
acl allowed_domains dstdomain "/opt/custom/proxy-settings/allowed.domains"
acl allowed_domains_filetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.filetypes"
acl allowed_domains_mimetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.mimetypes"
acl denied_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl denied_extra1_domains dstdomain -i "/opt/custom/proxy-settings/denied.extra1.domains"
acl denied_ads url_regex "/opt/custom/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/opt/custom/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_restricted1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/opt/custom/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/opt/custom/proxy-settings/allowed.restricted1.ips"
acl restricted_ips src "/opt/custom/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/opt/custom/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/opt/custom/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl denied_urlshorteners dstdomain -i "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"
acl allowed_useragent browser MyAllowedUAstring

http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

http_access allow CONNECT SSL_ports

http_access deny !allowed_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent allowed_useragent

http_access allow localnet !restricted_ips allowed_domains
http_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_domains

http_access allow restricted_ips restricted_domains
http_access deny restricted_ips

http_access deny !allowed_ips denied_urlshorteners
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_urlshorteners denied_urlshorteners

http_access allow denied_restricted1_mimetypes_req allowed_restricted1_domains
http_access allow denied_restricted1_mimetypes_req allowed_restricted1_ips
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_domains
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_ips
http_access allow denied_extra1_mimetypes_req allowed_extra1_ips denied_extra1_domains
http_reply_access allow denied_extra1_mimetypes_rep allowed_extra1_ips denied_extra1_domains
http_access deny denied_restricted1_mimetypes_req
http_reply_access deny denied_restricted1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_restricted1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_restricted1_mimetypes_req
http_access deny denied_extra1_mimetypes_req
http_reply_access deny denied_extra1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_extra1_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_extra1_mimetypes_rep

http_access deny !allowed_ips denied_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_domains denied_domains

http_access allow allowed_extra1_ips denied_extra1_domains
http_access deny denied_extra1_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_extra1_domains denied_extra1_domains

http_access deny denied_filetypes !allowed_domains_filetypes
http_reply_access deny denied_filetypes !allowed_domains_filetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_filetypes denied_filetypes

http_access deny denied_mimetypes_req !allowed_domains_mimetypes
http_reply_access deny denied_mimetypes_rep !allowed_domains_mimetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_rep

http_access allow localnet bl_lookup
http_access allow localhost
http_access deny all

I'd greatly appreciate your input on this. Hoping to understand Squid logic someday.

Thanks,

Vieri

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
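The first-match semantics discussed in this thread (ACLs on one http_access line are AND'ed, lines are tried in order, the first fully matching line decides, and an early "allow" means later lines are never consulted) can be made concrete with a small model. The following is an added example written for this page; it is not Squid's code and not Vieri's configuration. The ACL predicates in ACLS are simplified stand-ins for the named ACLs from the thread (e.g. allowed_useragent is modelled as an exact User-Agent comparison), the two http_access snippets and the sample requests are constructed, and parse_http_access / evaluate are names chosen here. It also models the documented fall-through behaviour: when no line matches, Squid applies the opposite of the last line's action, which is why a trailing "http_access deny all" is the conventional closing line.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Squid walks http_access lines in order; all ACLs on one line are AND'ed and
the first line whose ACLs all match decides the verdict (first match wins).
If no line matches, the verdict is the opposite of the last line's action.
ACL predicates, rule sets and requests below are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, object]                          # constructed request attributes
Rule = Tuple[str, List[str]]                         # ("allow"|"deny", ["acl", "!acl", ...])
Verdict = Tuple[str, Optional[int], Optional[str]]   # (action, matching line, last ACL checked)

# Boolean stand-ins for the ACLs named in the thread. Real proxy_auth and
# external_acl_type ACLs can also be undecided while a lookup is pending;
# this model treats every ACL as a plain boolean.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "localnet": lambda r: str(r["src"]).startswith(("10.", "192.168.")),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] == 443,
    "allowed_useragent": lambda r: r.get("user_agent") == "MyAllowedUAstring",
    "goodAgents": lambda r: r.get("user_agent") == "MyAllowedUAstring",
    "denied_domains": lambda r: r["host"] in {"blocked.example"},   # constructed list
}


def parse_http_access(conf: str) -> List[Rule]:
    """Pick the http_access lines out of squid.conf text, ignoring '#' comments."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules


def term_matches(term: str, request: Request) -> bool:
    """Evaluate one ACL reference; a leading '!' negates the ACL's answer."""
    negated = term.startswith("!")
    name = term[1:] if negated else term
    if name not in ACLS:
        raise KeyError(f"undefined ACL {name!r}")
    return ACLS[name](request) != negated


def evaluate(rules: List[Rule], request: Request) -> Verdict:
    """Return (action, 1-based line number, last ACL checked) of the first full match.

    Lines after the match are never consulted. If nothing matches, Squid's
    default is the opposite of the last line's action (line and ACL are None).
    """
    for lineno, (action, terms) in enumerate(rules, start=1):
        if all(term_matches(t, request) for t in terms):
            return action, lineno, terms[-1].lstrip("!")
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None, None


# Constructed rule sets: the "allow then deny all" shape from the reply, and a
# "deny the wrong UA first, keep filtering afterwards" shape from the question.
ALLOW_THEN_DENY_ALL = """
http_access allow goodAgents
http_access deny all
"""

DENY_BAD_UA_THEN_CONTINUE = """
http_access allow CONNECT SSL_ports
http_access deny !allowed_useragent
http_access deny denied_domains
http_access allow localnet
http_access deny all
"""

# Constructed sample requests.
GOOD_UA_BLOCKED_HOST: Request = {"src": "10.1.2.3", "method": "GET", "port": 80,
                                 "host": "blocked.example", "user_agent": "MyAllowedUAstring"}
BAD_UA: Request = {"src": "10.1.2.3", "method": "GET", "port": 80,
                   "host": "ok.example", "user_agent": "curl/8.0"}
CONNECT_NO_UA: Request = {"src": "10.1.2.3", "method": "CONNECT", "port": 443,
                          "host": "example.net"}


def compare(request: Request) -> Dict[str, Verdict]:
    """Show where each rule set stops for the same request."""
    return {
        "allow_then_deny_all": evaluate(parse_http_access(ALLOW_THEN_DENY_ALL), request),
        "deny_bad_ua_then_continue": evaluate(parse_http_access(DENY_BAD_UA_THEN_CONTINUE), request),
        # Same rules without the leading CONNECT allow: a CONNECT without a
        # User-Agent is then stopped by the negated UA line, as in the log quoted above.
        "without_connect_allow": evaluate(parse_http_access(DENY_BAD_UA_THEN_CONTINUE)[1:], request),
    }


if __name__ == "__main__":
    for name, req in [("good UA, blocked host", GOOD_UA_BLOCKED_HOST),
                      ("bad UA", BAD_UA), ("CONNECT, no UA", CONNECT_NO_UA)]:
        print(name, compare(req))
```

Running it shows the point made in the thread: with "allow goodAgents" first, a request carrying the accepted User-Agent is allowed on line 1 and the domain rule after it is never reached, whereas with "deny !allowed_useragent" first the same request falls through to later lines and is denied by denied_domains. The CONNECT case also shows why an early "allow CONNECT SSL_ports" matters: it ends evaluation for the tunnel request itself, so any User-Agent or domain rule placed after it can only act on the requests Squid sees inside a bumped connection, never on the CONNECT.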