On 28/06/18 08:21, Donald Muller wrote:
> Hi,
>
> Don't know if what I want to do is even possible but here is the
> situation. I have Squid set up on my QNAP NAS. It is running fine. I am
> using it with the blacklist and sites get blocked as they should.
> However there are a number of sites that I do not want blacklisted so I
> thought I'd set up a whitelist for them. What I did was to add an
> include statement to the squid.conf file. The included file has the
> directives for the whitelist.
>
> Here are my config files.
>
> Squid.conf
>
> # The user name and group name Squid will operate as
> cache_effective_user httpdusr

The above username requires read access to the included file *and* any
other files which it instructs Squid to load.

That access may be granted through group access to the file, if the above
user is part of a permitted group. Be careful: do not assign Squid into
the root group nor any equivalent on the machine.

...

> acl allnet src all # All Net

Why? You are not doing anything like deny_info which might need "allnet".
Using the built-in "all" ACL would be simpler.

> include /usr/local/squid/etc/acl.conf
> include /share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.conf   <-------- I added this line

The only thing to be aware of is order dependence. Squid loads and
operates as if the contents of these files were copy-and-pasted exactly
at the line where the include directive is. That means any directives
like http_access which contain order-specific behaviours retain those
behaviours between files in the specific order of the include lines.

So, if acl.conf contains "http_access deny blacklist" and whitelist.conf
contains "http_access allow whitelist" then:

a) blacklist is *still* denying requests before whitelist is even tested.

b) whitelist.conf is (only) adding a bypass of all the default/recommended
squid.conf security lines.

I'm pointing out (b) because you should really only place custom rules
(especially http_access related ones) at the point in squid.conf labeled
"INSERT YOUR OWN RULE(S) HERE".

You have not stated whether you are trying to whitelist against entries
in the blacklist, or against the proxy's default security rules to prevent
unsafe behaviour (i.e. spam email using the proxy as a relay, non-HTTPS
tunnels).

If you want the former, then the includes need to be done the other way
around (whitelist.conf include first, then acl.conf).

If you want the latter, then you have it now.

...

> include /usr/local/squid/etc/acl_http.conf
> #http_access allow allnet ncsa_users
> #http_access allow allnet group_administrators
> #http_access allow allnet nas_user

NP: Placing "all" on a line with other ACL checks is a hack to prevent
the authentication process being initiated by lines if the credentials
are known but not allowed certain access. It only works if the "all" is
placed at the RHS end of lines. So "allnet" is pointless on the above.

> http_access allow allnet
> #http_access deny allnet
> # And finally deny all other access to this proxy

But "allnet" was defined as "all", which overrides this safety net config
line and makes your proxy an open-proxy by default. That would be clearer
if you had used "all" instead of custom "allnet".

> #
> mime_table /usr/local/squid/etc/mime.conf
> pid_filename /usr/local/squid/var/run/squid.pid
> diskd_program /usr/local/squid/libexec/diskd
> unlinkd_program /usr/local/squid/libexec/unlinkd
> icon_directory /usr/local/squid/share/icons
> err_page_stylesheet /usr/local/squid/etc/errorpage.css

None of the above lines should be necessary. If you are custom building
Squid it should be built with ./configure options setting defaults
appropriate for the OS it's going to run on. You only need these
squid.conf directives if you have one or a few files in really weird
placement unusual for the OS.

Same for any directive which is setting default values. You can simplify
the config a huge amount by removing them entirely these days. (Squid-2.x
needed them, Squid-3.x does not).

> whitelist.conf
>
> acl whitelist dstdomain "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
> http_access allow whitelist

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
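The arrangement Amos describes, written out as an added example rather than as anything posted in the thread: the recommended default security rules stay first, the whitelist include comes before the blacklist include at the "INSERT YOUR OWN RULE(S) HERE" point (so the first-matching http_access line is the allow), and the final deny uses the built-in "all" ACL instead of a custom "allnet". The include paths and the whitelist.txt path are the ones from the thread; the LAN range, the blacklist file path and the contents of acl.conf are assumptions. The whitelist allow is also restricted to localnet clients, which the thread's whitelist.conf did not do, so that whitelisted domains are not reachable from arbitrary clients.

```conf
# ---- squid.conf (added example, not the thread's file) ----

# Recommended default safety rules stay at the top, untouched.
acl localnet src 192.168.0.0/16          # assumed LAN range
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535    # trimmed from the stock list
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Whitelist first: http_access is first-match, so a whitelisted domain
# is allowed before the blacklist deny below is ever evaluated.
include /share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.conf
include /usr/local/squid/etc/acl.conf

# Normal LAN access, then the safety net using the built-in "all" ACL.
http_access allow localnet
http_access deny all

# ---- whitelist.conf (assumed contents) ----
acl whitelist dstdomain "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
# Only LAN clients get the bypass; no "all" on the line.
http_access allow localnet whitelist

# ---- acl.conf (assumed contents; blacklist path is a placeholder) ----
acl blacklist dstdomain "/usr/local/squid/etc/blacklist.txt"
http_access deny blacklist
```

After editing, `squid -k parse` checks the syntax of squid.conf and every file it includes before a reload; swapping the two include lines back reproduces the original behaviour, where the blacklist deny matches first and the whitelist is never consulted.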