Re: Squid Proxy not blocking websites

Hi Amos

Thanks for your response and suggestions; I will incorporate your inputs in the configuration.
Please find below the contents of the denylist, as I am unable to attach it as a document due to restrictions.

.hotmail.com
*.appex-rf.msn.com
*.itunes.apple.com
auth.gfx.ms
broadcast.skype.com
c.bing.com
c.live.com
cl2.apple.com
client.hip.live.com
d.docs.live.net
directory.services.live.com
docs.live.net
en-us.appex-rf.msn.com
foodanddrink.services.appex.bing.com
login.live.com
mail.google.com
ms.tific.com
odcsm.officeapps.live.com
officeimg.vo.msecnd.net
outlook.uservoice.com
p100-sandbox.itunes.apple.com
partnerservices.getmicrosoftkey.com
protection.office.com
roaming.officeapps.live.com
sas.office.microsoft.com
sdk.hockeyapp.net
secure.meetup.com
signup.live.com
social.yahooapis.com
view.atdmt.com
watson.telemetry.microsoft.com
weather.tile.appex.bing.com
www.dropbox.com
www.googleapis.com
www.wunderlist.com
*.appex.bing.com
*.broadcast.skype.com
*.mail.protection.outlook.com
*.protection.office.com
*.protection.outlook.com
*.skype.com
*.skypeforbusiness.com
a.wunderlist.com
account.live.com
accounts.google.com
acompli.helpshift.com
api.diagnostics.office.com
api.dropboxapi.com
api.login.yahoo.com
api.meetup.com
app.adjust.com
app.box.com
bit.ly, www.acompli.com
by.uservoice.com
data.flurry.com
play.google.com
rink.hockeyapp.net
www.evernote.com
www.google-analytics.com
www.youtube.com
*.facebook.com
*.yahoo.com
*.msn.com
clients4.google.com
www.reddit.com
Please find my responses and queries as well.

1. Instead of dstdomain, I tried url_regex as defined below, and even that is not blocking the sites through the proxy.
Kindly let me know how to allow and block the sites.

acl allowedurl url_regex /etc/squid/allowed_url.txt
acl denylist url_regex /etc/squid/denylist.txt

2. I have defined only two ports, 80 and 443, and removed all other ports. May I know whether the below order must be used, since you stated "All custom rules should follow those"? Kindly let me know whether the below order is correct or not.

http_access deny !Safe_ports
http_access deny denylist
http_access allow allowedurl
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access deny manager
http_access deny all


Regards
Arjun K.
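Amos's question about what is in denylist.txt comes down to dstdomain syntax, so here is a small checker for a list like the one above, as an added example (not code from this thread or from Squid): it flags the "*." wildcard lines and the comma-joined line and emits the corrected entries. The sample input is constructed from the entry styles in the posted list.

```python
"""Lint a Squid dstdomain ACL file for the syntax slips seen in the denylist
posted in this thread.  Added example, not Squid's own code; the sample
below is constructed."""
import re

# One DNS label: letters, digits and interior hyphens.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def check_dstdomain_line(line):
    """Return (normalised entries, problems) for one line of the file.
    dstdomain syntax: 'example.com' matches that host only, '.example.com'
    matches the domain and all its subdomains.  A shell-style '*.' wildcard is
    not dstdomain syntax and never matches a real hostname, and a comma-joined
    pair leaves a 'bit.ly,' token that never matches either."""
    problems, fixed = [], []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return fixed, problems
    if "," in stripped:
        problems.append("comma-separated names; put one name per line")
        parts = [p.strip() for p in stripped.split(",") if p.strip()]
    else:
        parts = stripped.split()
    for name in parts:
        if name.startswith("*."):
            problems.append(f"{name}: '*.' is not dstdomain syntax, use .{name[2:]}")
            name = name[1:]
        host = name[1:] if name.startswith(".") else name
        if not all(LABEL_RE.match(lbl) for lbl in host.split(".")):
            problems.append(f"{name}: not a valid hostname, dropped")
            continue
        fixed.append(name.lower())
    return fixed, problems

def lint_denylist(text):
    """Lint a whole file: returns (clean entries, [(line number, problem), ...])."""
    entries, report = [], []
    for no, line in enumerate(text.splitlines(), 1):
        fixed, problems = check_dstdomain_line(line)
        entries.extend(fixed)
        report.extend((no, p) for p in problems)
    return entries, report

# Constructed sample reproducing the entry styles in the posted denylist.
SAMPLE = ".hotmail.com\n*.appex-rf.msn.com\nlogin.live.com\nbit.ly, www.acompli.com\n*.skype.com\n"

if __name__ == "__main__":
    clean, issues = lint_denylist(SAMPLE)
    print("\n".join(f"line {no}: {msg}" for no, msg in issues))
    print("\n".join(clean))  # the corrected file contents
```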

On Tuesday, 5 May, 2020, 07:02:46 pm IST, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:


On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
>
> Can any one help on the below issue.
> I tried changing the order of deny and allow acl but it did not yield
> any result.
>

What are the contents of the denylist.txt file?

This usually happens when things in there are not the right dstdomain
syntax.
> Regards
> Arjun K
>
>
> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <email_arjun@xxxxxxxxx>
> wrote:
>
>
> Hi All
>
> The below is the configuration defined in the proxy server.
> The issue is that the proxy is not blocking the websites mentioned in a
> file named denylist.txt.
> Kindly let me know what needs to be changed to block the websites.
>
>
>
> ####IP Ranges allowed to use proxy
> acl localnet src 10.196.0.0/16
> acl localnet src 10.197.0.0/16
> acl localnet src 10.198.0.0/16
> acl localnet src 10.199.0.0/16
> acl localnet src 10.200.0.0/16

These can be simplified:

acl localnet src 10.196.0.0-10.200.0.0/16


>
> ####Allowed and Denied URLs
> acl allowedurl dstdomain /etc/squid/allowed_url.txt

dstdomain and URL are different things. The name of this ACL is deceptive.

> acl denylist dstdomain /etc/squid/denylist.txt
>
...

You are missing the DoS protection checks:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

All custom rules should follow those.


> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow allowedurl
> http_access deny denylist
> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports

The manager and Safe_ports checks are useless down here. Their entire
purpose is to prevent unauthorized access to dangerous protocols and the
security-sensitive proxy management API.


> http_access deny all
>
...
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

No refresh_pattern following this line will ever match. The "." pattern
matches every URL possible. Order is important.


> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320
> 80% 43200 reload-into-ims
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims

>


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
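As an added example (not code from this thread or from Squid) of why Amos wants the Safe_ports and CONNECT checks first, the following simplified first-match evaluator runs constructed requests through the order from the original post and through the recommended order. The 'allowedurl' and 'wuCONNECT' lines are left out because their contents are not shown, and the denylist is a constructed three-entry sample.

```python
"""Simulate Squid's first-match http_access evaluation for the two rule orders
in this thread.  Added example with a simplified ACL model; it is not Squid's
code, and the 'allowedurl' and 'wuCONNECT' lines are left out."""
from ipaddress import ip_address, ip_network

LOCALNET = [ip_network(f"10.{n}.0.0/16") for n in range(196, 201)]
# Constructed denylist: valid dstdomain entries plus one '*.' entry as posted.
DENYLIST = [".hotmail.com", "*.facebook.com", "login.live.com"]

def dstdomain_match(host, entries):
    """dstdomain: '.x' matches x and its subdomains, 'x' matches exactly."""
    for e in entries:
        if e.startswith(".") and (host == e[1:] or host.endswith(e)):
            return True
        if host == e:  # a '*.x' line can never equal a real hostname
            return True
    return False

ACLS = {  # each ACL is a predicate over a request dict
    "localnet": lambda r: any(ip_address(r["src"]) in n for n in LOCALNET),
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "Safe_ports": lambda r: r["port"] in (80, 443),
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "manager": lambda r: r["path"].startswith("/squid-internal-mgr/"),
    "denylist": lambda r: dstdomain_match(r["host"], DENYLIST),
    "all": lambda r: True,
}
# Order from the original post (Safe_ports check last) ...
ORIGINAL = [("deny", "denylist"), ("allow", "localhost manager"),
            ("allow", "localhost"), ("allow", "localnet"), ("deny", "manager"),
            ("deny", "!Safe_ports"), ("deny", "all")]
# ... and the order Amos recommends (DoS/protocol checks first).
RECOMMENDED = ([("deny", "!Safe_ports"), ("deny", "CONNECT !SSL_ports")]
               + ORIGINAL[:-2] + [("deny", "all")])

def http_access(rules, req):
    """First line whose terms all match wins ('!' negates a term).  If no line
    matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms.split()):
            return action, f"{action} {terms}"
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"

def request(method, host, port, src, path="/"):
    return {"method": method, "host": host, "port": port, "src": src, "path": path}

if __name__ == "__main__":  # constructed request from a posted localnet range
    req = request("GET", "example.com", 8080, "10.196.1.5")
    print("original:", http_access(ORIGINAL, req), "recommended:", http_access(RECOMMENDED, req))
```

With the original order a localnet client reaches port 8080 (and CONNECTs to port 80) because "allow localnet" matches before "deny !Safe_ports" is ever consulted; with the recommended order those requests are refused first, and the "*.facebook.com" line never matches www.facebook.com in either order.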
