On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
>
> Can anyone help on the below issue.
> I tried changing the order of deny and allow acl but it did not yield
> any result.
>

What are the contents of the denylist.txt file?

This usually happens when things in there are not the right dstdomain
syntax.

> Regards
> Arjun K
>
>
> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <email_arjun@xxxxxxxxx>
> wrote:
>
>
> Hi All
>
> The below is the configuration defined in the proxy server.
> The issue is that the proxy is not blocking the websites mentioned in a
> file named denylist.txt.
> Kindly let me know what needs to be changed to block the websites.
>
>
>
> ####IP Ranges allowed to use proxy
> acl localnet src 10.196.0.0/16
> acl localnet src 10.197.0.0/16
> acl localnet src 10.198.0.0/16
> acl localnet src 10.199.0.0/16
> acl localnet src 10.200.0.0/16

These can be simplified:
  acl localnet src 10.196.0.0-10.200.0.0/16

>
> ####Allowed and Denied URLs
> acl allowedurl dstdomain /etc/squid/allowed_url.txt

dstdomain and URL are different things. The name of this ACL is deceptive.

> acl denylist dstdomain /etc/squid/denylist.txt
> ...

You are missing the DoS protection checks:
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

All custom rules should follow those.

> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow allowedurl
> http_access deny denylist
> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports

The manager and Safe_ports checks are useless down here. Their entire
purpose is to prevent unauthorized access to dangerous protocols and
security sensitive proxy management API.

> http_access deny all
> ...
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320

No refresh_pattern following this line will ever match. The "." pattern
matches every URL possible. Order is important.

> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
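Two of the points in Amos's reply, that denylist.txt must hold dstdomain entries rather than URLs and that http_access is evaluated first-match so the Safe_ports/SSL_ports checks only protect anything when they come before the custom rules, can be checked offline. The script below is an added example written for this thread; it is not part of the thread and not Squid's own code. It lints a denylist for non-dstdomain entries and walks a reduced set of the poster's http_access lines the way Squid does (first matching line wins; if nothing matches, the opposite of the last line's action applies). The hostnames, client addresses, list contents and the ADVISED rule order are constructed for illustration, and the manager and Windows Update ACLs are left out.

```python
"""Lint a Squid dstdomain list and simulate http_access first-match ordering.

Added example for the squid-users thread above; not Squid's own code.
Every hostname, address and list entry below is a constructed sample.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# A dstdomain entry is a bare hostname; a leading dot means "this domain
# and every subdomain of it".
DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9-]+\.)*[a-z0-9-]+$", re.IGNORECASE)


def lint_dstdomain(text):
    """Return one message per line that is not valid dstdomain syntax."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "://" in entry or "/" in entry:
            # Full URLs are the usual mistake; suggest the hostname instead.
            host = urlsplit(entry if "://" in entry else "//" + entry).hostname
            problems.append(f"line {lineno}: {entry!r} is a URL; use .{host}")
        elif "*" in entry:
            problems.append(f"line {lineno}: {entry!r} uses a wildcard; use a leading dot")
        elif not DOMAIN_RE.match(entry):
            problems.append(f"line {lineno}: {entry!r} is not a hostname")
    return problems


def dstdomain_match(entries, host):
    """Squid dstdomain semantics: '.x.test' matches x.test and any subdomain,
    'x.test' matches only x.test."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def parse_http_access(conf):
    """Keep only http_access lines, as (action, [acl terms]) in file order."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def evaluate(rules, acls, request):
    """First matching line wins. A line matches when every term on it matches
    ('!' negates a term). With no match, Squid applies the opposite of the
    last line's action. Returns (action, 1-based line index, 0 for default)."""
    for index, (action, terms) in enumerate(rules, 1):
        # A term matches when its ACL result differs from its negation flag.
        if all((term.lstrip("!") == "all" or acls[term.lstrip("!")](request))
               != term.startswith("!") for term in terms):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


def make_acls(denylist_entries, allowlist_entries):
    """Predicates standing in for the ACL definitions quoted in the thread."""
    localnet = [ipaddress.ip_network(f"10.{n}.0.0/16") for n in range(196, 201)]
    return {
        "localnet": lambda r: any(ipaddress.ip_address(r["src"]) in n for n in localnet),
        "localhost": lambda r: r["src"] == "127.0.0.1",
        "allowedurl": lambda r: dstdomain_match(allowlist_entries, r["host"]),
        "denylist": lambda r: dstdomain_match(denylist_entries, r["host"]),
        "Safe_ports": lambda r: r["port"] in (80, 443),
        "SSL_ports": lambda r: r["port"] == 443,
        "CONNECT": lambda r: r["method"] == "CONNECT",
    }


# The poster's http_access order (manager and Windows Update lines omitted).
POSTED = """
http_access allow allowedurl
http_access deny denylist
http_access allow localhost
http_access allow localnet
http_access deny !Safe_ports
http_access deny all
"""

# Same rules with the two DoS-protection checks moved to the top (constructed).
ADVISED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow allowedurl
http_access deny denylist
http_access allow localhost
http_access allow localnet
http_access deny all
"""

# Constructed denylist.txt written as URLs (the usual mistake) and its fixed form.
DENYLIST_AS_URLS = "http://www.denied.test/\n*.tracker.test\nsocial.test/feed\n"
DENYLIST_FIXED = ".denied.test\n.tracker.test\n.social.test\n"


def decide(conf, denylist_text, request):
    """Evaluate one request against a config text and a denylist text."""
    entries = [line.strip() for line in denylist_text.splitlines() if line.strip()]
    acls = make_acls(entries, [".allowed.test"])
    return evaluate(parse_http_access(conf), acls, request)


if __name__ == "__main__":
    ssh = {"src": "10.197.4.2", "host": "box.example.test", "port": 22, "method": "CONNECT"}
    web = {"src": "10.197.4.2", "host": "www.denied.test", "port": 443, "method": "CONNECT"}
    for problem in lint_dstdomain(DENYLIST_AS_URLS):
        print("denylist:", problem)
    print("posted order, CONNECT to port 22 :", decide(POSTED, DENYLIST_FIXED, ssh))
    print("advised order, CONNECT to port 22:", decide(ADVISED, DENYLIST_FIXED, ssh))
    print("posted order, URL-style denylist :", decide(POSTED, DENYLIST_AS_URLS, web))
    print("posted order, dstdomain denylist :", decide(POSTED, DENYLIST_FIXED, web))
```

With the poster's order, a CONNECT to port 22 from localnet is allowed by the `allow localnet` line before `deny !Safe_ports` is ever reached; with the checks first it is denied on line 1. The URL-style denylist matches nothing, so the same request that the fixed list denies on line 2 falls through to `allow localnet`.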