On 24/02/18 04:45, erdosain9 wrote: > Hi to all. > Im trying to block some web to a ip group. > > [root@squid ips]# cat i-restringidos.lst > 192.168.1.42 > 192.168.1.43 > 192.168.1.44 > 192.168.1.45 > 192.168.1.99 > 192.168.1.50 > 192.168.1.128 > > This same ip group has access to all internet. > [root@squid ips]# cat prensa_isla.lst > 192.168.1.42 > 192.168.1.43 > 192.168.1.44 > 192.168.1.45 > 192.168.1.99 > 192.168.1.50 > 192.168.1.128 If they are really the same, then it is better to use one ACL name instead of two like that. Using one will help you see more clearly what your config is actually doing for those IPs, and also make it impossible to accidentally configure something that can never happen. Like "i-restringidos !prensa_isla". > > This is what i want to block > [root@squid listas]# cat restringidos.lst > .whatsapp.com > .facebook.com > .instagram.com > .twitter.com > > > (so i have this 2 acl whit the same ip, one for deny, the other to allow. > > So this is my config... and it's not working. Some help?? Thanks! > That is a very complicated setup you have. Below are some simplifications you can make to shorten it and make it easier to read what is going on... > > http_access allow localhost manager > http_access deny manager > http_access deny to_localhost > > http_access deny i-restringidos restringidos The above line does exactly what you are asking for. The only problem that could happen is that the clients in i-restringidos are not doing what you think they are. Perhapse they are actually: a) not using your proxy to contact those sites, and/or b) using a protocol that skips through the proxy. For example; Using SPDY, QUICK, WebSockets etc. instead of HTTP. and/or, c) using a domain name (or raw IP address) not on your list. For example most of Facebook traffic usually comes from fbcdn.net, "Facebook.com" is just the brand name and front page(s). > http_access allow prensa-isla > http_access allow red6 > http_access allow red2 All the below lines have !dominios_denegados. So you can add this here: http_access deny dominios_denegados ... then remove all the "!dominios_denegados". > http_access allow logistica !multimedia !peligrosos > http_access allow adminis All the below lines have "!peligrosos". So you can do the same again: http_access deny peligrosos And again with !multimedia; ... http_access deny multimedia .. leaving the remainder looking like this: http_access allow institucionales http_access allow patriysumi http_access allow proyecto http_access allow rrhh http_access allow programas_y_activ http_access allow auditoria http_access allow legales http_access allow proteccion http_access allow oe http_access deny all > > refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store > ignore-private The ignore-no-cache parameter no longer exists. Please remove. > > request_header_access From deny all > request_header_access Server deny all > request_header_access WWW-Authenticate deny all > request_header_access Link deny all > request_header_access Cache-Control deny all > request_header_access Proxy-Connection deny all > request_header_access X-Cache deny all > request_header_access X-Cache-Lookup deny all > request_header_access Via deny all > request_header_access X-Forwarded-For deny all > request_header_access Pragma deny all > request_header_access Keep-Alive deny all The Server, X-Cache, X-Cache-Lookup headers are not request headers. Those lines are pointless. The Proxy-Connection header is obsolete and automatically stripped by all current Squid. No need to do anything for it either. The Keep-Alive header is hop-by-hop ad stripped by Squid without havign anyeffect. The Pragma header is mandatory for HTTP proxies to ignore except in the rare case of "Pragma:no-cache". Current Squid are HTTP/1.1 so even that is even more rarely mattering. ALmost all traffic will ignore this header. Also, these directives do not in any way affect how your Squid interprets those headers. All it does is erase them from traffic going to servers. Which in the case of Pragma is mandatory to pass on exactly as received. Right now you are breaking all HTTP/1.0 caches across the Internet between your proxy and the origin server. > > delay_pools 15 > #Limitar Youtube > delay_class 1 2 > delay_parameters 1 2000000/2000000 100000/1000000 Two things about these delay rules: 1) Youtube and Facebook are different companies and services. So traffic going to YouTube cannot simlultaneously be going to Facebook. That makes the Facebook part of the check pointless. 2) All of the below lines have "youtube !facebook". Like with http_access simplification you can make these rules vastly simpler by checking for the forbidden property and rejecting based on that before any allow rules. So, combining the two details mentioned above. You can make this your first rule: delay_access 1 deny !youtube ... then remove the "youtube !facebook" part from all the below lines: > delay_access 1 allow adminis youtube !facebook > delay_access 1 allow logistica youtube !facebook > delay_access 1 allow institucionales youtube !facebook > delay_access 1 allow patriysumi youtube !facebook > delay_access 1 allow rrhh youtube !facebook > delay_access 1 allow proyecto youtube !facebook > delay_access 1 allow programas_y_activ youtube !facebook > delay_access 1 allow auditoria youtube !facebook > delay_access 1 allow legales youtube !facebook > delay_access 1 allow oe youtube !facebook > delay_access 1 allow proteccion youtube !facebook > delay_access 1 deny all Then you get to decide, are there any clients allowed to use the proxy which are not in those allow rules? If the answer is yes, you can replace all of those allow lines with "allow all" and remove the "deny all" line. > > #Limitar Facebook > delay_class 2 2 > delay_parameters 2 2000000/2000000 100000/1000000 > delay_access 2 allow adminis facebook !youtube > delay_access 2 allow logistica facebook !youtube > delay_access 2 allow institucionales facebook !youtube > delay_access 2 allow patriysumi facebook !youtube > delay_access 2 allow rrhh facebook !youtube > delay_access 2 allow proyecto facebook !youtube > delay_access 2 allow programas_y_activ facebook !youtube > delay_access 2 allow auditoria facebook !youtube > delay_access 2 allow legales facebook !youtube > delay_access 2 allow oe facebook !youtube > delay_access 2 allow proteccion facebook !youtube > delay_access 2 deny all Same as with pool #1, but this time make your first line: delay_access 2 deny facebook HTH Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
