Still not working.

> -----Original Message-----
> From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
> Sent: Wednesday, June 27, 2018 4:59 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Setting up a Whitelist
>
> On 28/06/18 08:21, Donald Muller wrote:
> > Hi,
> >
> > Don’t know if what I want to do is even possible but here is the
> > situation. I have Squid set up on my QNAP NAS. It is running fine. I
> > am using it with the blacklist and sites get blocked as they should.
> > However there are a number of sites that I do not want blacklisted so I
> > thought I’d set up a whitelist for them. What I did was to add an
> > include statement to the squid.conf file. The included file has the
> > directives for the whitelist.
> >
> > Here are my config files.
> >
> > Squid.conf
> >
> > # The user name and group name Squid will operate as
> > cache_effective_user httpdusr
>
> The above username requires read access to the included file *and* any
> other files which it instructs Squid to load.
>
> That access may be granted through group access to the file, IF the above
> member is part of a permitted group. Be careful: Do Not assign Squid to the
> root group nor any equivalent on the machine.

Good catch. Owner/group of whitelist files changed.

> ...
>
> > acl allnet src all # All Net
>
> Why? You are not doing anything like deny_info which might need "allnet".
>
> Using the built-in "all" ACL would be simpler.

I did not build the Squid package. It was built and distributed by QNAP.

> > include /usr/local/squid/etc/acl.conf
> > include /share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.conf   <-------- I added this line
>
> The only thing to be aware of is order dependence. Squid loads and operates
> as if the contents of these files were copy-and-pasted exactly at the line
> where the include directive is.
>
> That means any directives like http_access which contain order-specific
> behaviours retain those behaviours between files in the specific order of the
> include lines.
>
> So, if acl.conf contains "http_access deny blacklist" and whitelist.conf
> contains "http_access allow whitelist" then:
> a) blacklist is *still* denying requests before whitelist is even tested.
> b) whitelist.conf is (only) adding a bypass of all the default/recommended
> squid.conf security lines.

acl.conf is empty

> I'm pointing out (b) because you should really only place custom rules
> (especially http_access related ones) at the point in squid.conf labeled
> "INSERT YOUR OWN RULE(S) HERE".
>
> You have not stated whether you are trying to whitelist against entries in the
> blacklist, or against the proxy's default security rules to prevent unsafe
> behaviour (ie spam email using the proxy as a relay, non-HTTPS tunnels).
> If you want the former; then the includes need to be done the other way
> around (whitelist.conf include first, then acl.conf).
> If you want the latter; then you have it now.

Sorry. I am trying to whitelist against sites that are in the blacklist from squidguard.mesd.k12.or.us/blacklists.tgz. So where should my whitelist.conf be? I tried it after "INSERT YOUR OWN RULE(S) HERE" and also at the end of the squid.conf file.

> ...
>
> > include /usr/local/squid/etc/acl_http.conf
> > #http_access allow allnet ncsa_users
> > #http_access allow allnet group_administrators
> > #http_access allow allnet nas_user
>
> NP: Placing "all" on a line with other ACL checks is a hack to prevent the
> authentication process being initiated by lines if the credentials are known
> but not allowed certain access. It only works if the "all" is placed at the RHS
> end of lines.
> So "allnet" is pointless on the above.

It is also commented out.

> > http_access allow allnet
> > #http_access deny allnet
> > # And finally deny all other access to this proxy
>
> But "allnet" was defined as "all", which overrides this safety-net config line
> and makes your proxy an open proxy by default.
> That would be clearer if you had used "all" instead of custom "allnet".
>
> > #
> > mime_table /usr/local/squid/etc/mime.conf
> > pid_filename /usr/local/squid/var/run/squid.pid
> > diskd_program /usr/local/squid/libexec/diskd
> > unlinkd_program /usr/local/squid/libexec/unlinkd
> > icon_directory /usr/local/squid/share/icons
> > err_page_stylesheet /usr/local/squid/etc/errorpage.css
>
> None of the above lines should be necessary. If you are custom building
> Squid it should be built with ./configure options setting defaults appropriate
> for the OS it's going to run on.
> You only need these squid.conf directives if you have one or a few files in
> really weird placement unusual for the OS.
>
> Same for any directive which is setting default values. You can simplify the
> config a huge amount by removing them entirely these days.
> (Squid-2.x needed them, Squid-3.x does not).

I did not build the Squid package. It was built and distributed by QNAP.

> > whitelist.conf
> >
> > acl whitelist dstdomain "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
> > http_access allow whitelist
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
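The following is an added illustration, not code from the thread or from Squid itself: a small model of how Squid walks its http_access lines (first matching line wins, ACLs on one line are ANDed), used to show the two points Amos makes above. With the blacklist deny included before the whitelist allow, the whitelisted host is still denied; with whitelist.conf included first it gets through. A bare "http_access allow whitelist" also lets any client reach the whitelisted hosts, and "http_access allow allnet" with allnet defined as "all" admits everyone. The dstdomain matcher is simplified (a leading-dot entry matches the domain and its subdomains, anything else matches exactly), and the blacklist, whitelist and client addresses are constructed sample data.

```python
"""Model of Squid's first-match http_access evaluation.

Added illustration, not Squid's own code. Assumptions: simplified
dstdomain semantics (".x" matches x and *.x, plain entries match
exactly); constructed blacklist/whitelist contents and client IPs.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]            # {"src": client IP, "host": destination host}
Acl = Callable[[Request], bool]
Rule = Tuple[str, List[str]]        # ("allow" | "deny", [acl names on the line])


def dstdomain(entries: List[str]) -> Acl:
    """acl NAME dstdomain ... (simplified leading-dot semantics, see above)."""
    entries = [e.lower() for e in entries]

    def match(req: Request) -> bool:
        host = req["host"].lower()
        for e in entries:
            if e.startswith("."):
                if host == e[1:] or host.endswith(e):
                    return True
            elif host == e:
                return True
        return False

    return match


def src(networks: List[str]) -> Acl:
    """acl NAME src ... ; the built-in "all" is modelled as src(["0.0.0.0/0"])."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)


def http_access(rules: List[Rule], acls: Dict[str, Acl], req: Request) -> str:
    """Walk the http_access lines top to bottom. ACLs on one line are ANDed;
    the first line whose ACLs all match decides. If no line matches, Squid
    applies the opposite of the last line's action (deny if there are none)."""
    for action, names in rules:
        if all(acls[n](req) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample data standing in for the squidguard blacklist and the
# user's whitelist.txt: the whitelisted host sits inside a blacklisted parent
# domain, which is the situation the thread is about.
ACLS: Dict[str, Acl] = {
    "blacklist": dstdomain([".ads.example", ".badsite.example"]),
    "whitelist": dstdomain(["docs.badsite.example"]),
    "localnet":  src(["192.168.0.0/16"]),
    "all":       src(["0.0.0.0/0"]),
    "allnet":    src(["0.0.0.0/0"]),      # the thread's "acl allnet src all"
}


def build_rules(whitelist_first: bool, scoped: bool = False,
                open_proxy: bool = False) -> List[Rule]:
    """Assemble the http_access list as squid.conf sees it once the include
    files are pasted in at "INSERT YOUR OWN RULE(S) HERE"."""
    acl_conf = [("deny", ["blacklist"])]                 # blacklist rules
    # "http_access allow whitelist" as posted, or a scoped form that also
    # requires the client to be on the LAN (ACLs on one line are ANDed).
    whitelist_conf = [("allow", ["localnet", "whitelist"] if scoped else ["whitelist"])]
    own = whitelist_conf + acl_conf if whitelist_first else acl_conf + whitelist_conf
    tail: List[Rule] = [("allow", ["localnet"]), ("deny", ["all"])]
    if open_proxy:
        # the thread's "http_access allow allnet" sitting before the final deny
        tail = [("allow", ["allnet"])] + tail
    return own + tail


def decide(host: str, client: str = "192.168.1.10", whitelist_first: bool = True,
           scoped: bool = False, open_proxy: bool = False) -> str:
    return http_access(build_rules(whitelist_first, scoped, open_proxy), ACLS,
                       {"src": client, "host": host})


if __name__ == "__main__":
    for wf in (False, True):
        print(f"whitelist.conf included {'before' if wf else 'after'} the blacklist deny:")
        for h in ("docs.badsite.example", "www.badsite.example", "squid-cache.org"):
            print(f"  {h:22} -> {decide(h, whitelist_first=wf)}")
    print("external client, whitelisted host, unscoped ->",
          decide("docs.badsite.example", client="203.0.113.5"))
    print("external client, whitelisted host, scoped   ->",
          decide("docs.badsite.example", client="203.0.113.5", scoped=True))
    print("external client, 'allow allnet' present     ->",
          decide("squid-cache.org", client="203.0.113.5", open_proxy=True))
```

The `scoped` variant is the practical takeaway: when the whitelist allow goes in ahead of the blacklist deny at the "INSERT YOUR OWN RULE(S) HERE" point, writing it as `http_access allow localnet whitelist` keeps the bypass limited to your own clients instead of turning those hosts into an open relay for anyone who can reach the proxy.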