On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
> Hello. I need to restrict some sites by time, but I am not doing well.
> This is my squid.conf. Please help me to fix the problem. I don't know
> why it is not working.
>

It is not clear what your problem actually is. An educated guess tells me that you have missed two important details:

1) your http_access lines are just a long list of allow, allow, allow. Squid has no reason to deny.

To resolve this you need to write out your policy(s) in the form of denials. Allowing only the good traffic that remains.

For best performance sort the lines by ACL checking speed and how much traffic they can drop. The faster it can identify and deny bad traffic the more speed can go towards the good traffic.

2) those FB and YT websites use HTTPS and http_access controls only apply when an HTTPS connection is established. The TLS connection itself may remain open and continue to be used indefinitely.

You can use the client_lifetime directive to shorten the time CONNECT tunnels are allowed to remain in use. For your specific case I would set it to something like 5 minutes. Browsers can auto-recover so this length should not be visible to clients, but you will want to test that to confirm what is good for your needs.

There are several other things about your config file that indicate extremely outdated practices or Squid version. Below is a free audit report of things that need fixing.

If you are running a Squid older than 3.5 please update ASAP. Then apply the changes below.

If you are running a Squid v3.5 or newer then you can fix these issues now with just a check to confirm the change is okay.

>
> ### user authentication (basic http) ############################################
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
> auth_param basic realm Introduzca su usuario para navegar por la WEB.
>
> ### where squid answers ###
> ####################################################
>
> http_port 192.168.1.3:3128
> http_port 127.0.0.1:3128

Are there other IPs assigned to the machine Squid is running on which you definitely don't want offering proxy service?

If no, then you can replace both those with this line:
  http_port 3128

If yes, then you should replace just the second one with:
  http_port localhost:3128

>
> ########## ACL ###########################################################################
> #
> # Recommended minimum configuration:
>

You are missing the very critical port safety checks. These are to prevent your proxy being DoS'ed or used as an attack vector against other software in your LAN.

At worst, you may need to "open" some specific ports by adding them to the Safe_ports and/or SSL_ports ACL definitions. But generally this is not necessary, and should only be done after investigating carefully what that port is used for, including things *other* than the reason you are asked to open it.

> acl all src all

Since Squid-3.1 the "all" ACL has been built into Squid. You can remove this line, it does nothing.

> acl localhost src 127.0.0.1/32

On all modern machines localhost includes the ::1/128 address. Even when the machine has IPv4-only connectivity to the network. Localhost is about connections within the machine itself and IPv4-only OS no longer exist.

> acl localnet src 192.168.1.0/24

No LAN IPv6 ranges? That is something everyone should have been planning for a decade ago.

> acl manager_proto_cache proto cache_object

Since Squid-3.2 the "manager" ACL has been built into Squid. There are feature changes to the management URLs that need to be controlled by it and the built-in definition handles those.

Please remove the above ACL line and convert anything that used it to use the ACL named "manager" instead.
> acl peticion_identificacion proxy_auth REQUIRED
> acl intranet dstdomain intra.xzy
>
> acl ocio dstdomain .facebook.com .youtube.com
>
> acl ocio_medio_dia time MTWHF 12:00-13:10
> acl ocio_tarde time MTWHF 14:00-14:30
> acl ocio_mannana time MTWHF 6:00-8:30
>
> http_access allow localnet manager_proto_cache
> http_access allow localhost manager_proto_cache
> http_access deny manager_proto_cache

> http_access allow ocio ocio_tarde
> http_access allow ocio ocio_medio_dia
> http_access allow ocio ocio_mannana

Do you really want your proxy to be allowing anyone anywhere in the world to access those websites through your proxy?

I think these "ocio" lines should look like:
  http_access deny ocio !ocio_tarde !ocio_medio_dia !ocio_mannana

Or, you can combine the time periods into one ACL check for better speed and understanding:
  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30
  http_access deny ocio !ocio_tempo

>
> http_access allow intranet

I am guessing here. But I think this means you do not want to require login to access the intranet website.
> http_access allow localnet peticion_identificacion

For more reliable authentication this should be:
  http_access deny !peticion_identificacion
  http_access allow localnet

Or, assuming the above about intranet:
  http_access deny !intranet !peticion_identificacion
  http_access allow localnet

>
> always_direct allow intranet
> http_access deny all
> never_direct allow all
>

In summary, I think this access control section should look like the below lines:

  acl SSL_ports port 443
  acl Safe_ports port 80          # http
  acl Safe_ports port 21          # ftp
  acl Safe_ports port 443         # https
  acl Safe_ports port 70          # gopher
  acl Safe_ports port 210         # wais
  acl Safe_ports port 1025-65535  # unregistered ports
  acl Safe_ports port 280         # http-mgmt
  acl Safe_ports port 488         # gss-http
  acl Safe_ports port 591         # filemaker
  acl Safe_ports port 777         # multiling http

  acl localhost src 127.0.0.1/32 ::1/128
  acl localnet src 192.168.1.0/24

  acl peticion_identificacion proxy_auth REQUIRED
  acl intranet dstdomain intra.xzy

  acl ocio dstdomain .facebook.com .youtube.com
  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny manager !localnet !localhost

  # Prevent ocio domains outside permitted times
  http_access deny ocio !ocio_tempo

  # Login required unless visiting intranet site(s)
  http_access deny !intranet !peticion_identificacion

  http_access allow localnet
  http_access deny all

  always_direct allow intranet
  never_direct allow all

>
>
> ####### parent cache #################################################
>
> cache_peer proxy_padre parent 3128 0 proxy-only
> #cache_peer_domain proxy_padre !intra.xzy

NP: if you want to restore that !intra.xzy behaviour with modern Squid use this:
  cache_peer_access proxy_padre allow !intranet

>
> ##### cache manager email ####
>
> cache_mgr lmniedas

This should be an admin contact email. The documentation is not very clear, sorry about that.
It will receive reports about proxy crashes (if the feature is built) and is displayed on error pages as the address to contact about problems using the proxy.

For example:
  cache_mgr lmniedas@example.local

or the prettier version:
  cache_mgr Luis Mario Niedas Hernández <lmniedas@example.local>

> cachemgr_passwd ***

I hope that was not your actual password. If it was you now need to change it.

> #### cache size ####################################
>
> cache_dir aufs /var/spool/squid 20280 16 256
>
> #### thresholds to start cleaning the cache #####################
>
> cache_swap_low 90
> cache_swap_high 95
>
> #### maximum size of objects in the cache ####################
>
> maximum_object_size 15 MB
>
> ### memory cache ###########################
>
> cache_mem 500 MB
>
> ### language of the squid error pages ##########################
>
> error_directory /usr/share/squid/errors/Spanish

Since Squid-3.2 error pages can automatically be delivered in a language the person receiving it can read. To allow that to happen, but with Spanish as the default, use this directive instead of error_directory:
  error_default_language es

FYI, you can also apply branding to the pages displayed by editing /etc/squid/errorpages.css

>
> ##### debug_options amount of information in cache_log #################
>
> debug_options ALL,0 ALL,1 rotate=8760

This directive applies the options configured left-to-right. The "ALL" setting resets *ALL* debug sections to the level given. That means you should only use debug section "ALL" once in the whole of squid.conf and it should be done before any other N,N pairs.

Your config actually means this:
  debug_options ALL,1 rotate=8760

>
> ######### LOGS #######################################
>
> cache_log /var/log/squid/cache.log
> access_log stdio:/var/log/squid/access.log rotate=8760
> cache_store_log stdio:/var/log/squid/store.log

Is there any reason you need this log?
It typically is only useful for debugging and this line could be removed to speed up your proxy and save disk space.

>
> ##################
>
> # SPECIFICALLY AFFECTS THE AMOUNT FOR STORE.LOG
>
> logfile_rotate 8760
>
> #### 365 days * 24 hours is the number of log rotations in the crontab

Does that mean you are running logrotate every hour of every day? Perhaps there is some better way to do log handling?

Begin with deciding whether you need store.log at all. If that is not enough and you want assistance with ideas about further improvements please tell us what the reason is that this proxy is rotating too often.

HTH
Amos
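As an added illustration (not code from the thread or from the Squid project), the following Python script models Squid's first-match http_access evaluation for the ACLs discussed above and shows why the original allow-only ordering lets an authenticated LAN user reach facebook.com outside the permitted windows, and lets anyone on the internet reach it inside them, while the deny-first ordering does not. The `decide` helper, the request dictionary layout and the sample client addresses are assumptions of this example, and the time-ACL semantics are simplified.

```python
import ipaddress
from datetime import datetime
# Simplified model of Squid's http_access evaluation (added illustration, not Squid code):
# rules are tried top to bottom and the first rule whose ACL terms all match decides.
DAYS = "SMTWHFA"  # Squid day letters, Sunday first; datetime.weekday() is Monday=0
ACLS = {  # name -> (type, values) from the config in the thread; 'all' is built in
    "localnet": ("src", ["192.168.1.0/24"]),
    "intranet": ("dstdomain", ["intra.xzy"]),
    "ocio": ("dstdomain", [".facebook.com", ".youtube.com"]),
    "ocio_medio_dia": ("time", ["MTWHF 12:00-13:10"]),
    "ocio_tarde": ("time", ["MTWHF 14:00-14:30"]),
    "ocio_mannana": ("time", ["MTWHF 6:00-8:30"]),
    "ocio_tempo": ("time", ["MTWHF 12:00-13:10", "MTWHF 14:00-14:30", "MTWHF 6:00-8:30"]),
    "peticion_identificacion": ("proxy_auth", ["REQUIRED"]),
}
# The poster's allow-only ordering and the deny-first ordering suggested in the reply
ORIGINAL = [("allow", ["ocio", "ocio_tarde"]), ("allow", ["ocio", "ocio_medio_dia"]),
            ("allow", ["ocio", "ocio_mannana"]), ("allow", ["intranet"]),
            ("allow", ["localnet", "peticion_identificacion"]), ("deny", ["all"])]
CORRECTED = [("deny", ["ocio", "!ocio_tempo"]),
             ("deny", ["!intranet", "!peticion_identificacion"]),
             ("allow", ["localnet"]), ("deny", ["all"])]
def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and every subdomain
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v))
                   for v in values)
    if kind == "proxy_auth":  # REQUIRED: any successfully authenticated user
        return req.get("user") is not None
    if kind == "time":  # several acl lines sharing one name are OR'ed together
        when = datetime.fromisoformat(req["when"])
        day, now = DAYS[(when.weekday() + 1) % 7], (when.hour, when.minute)
        for spec in values:
            days, span = spec.split()
            lo, hi = (tuple(int(x) for x in p.split(":")) for p in span.split("-"))
            if day in days and lo <= now <= hi:
                return True
        return False
    raise ValueError(f"unsupported ACL type {kind}")
def http_access(rules, req):  # '!' in front of a term negates it
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last rule
def decide(rules, src, host, when, user=None):  # constructed request; when is 'YYYY-MM-DDTHH:MM'
    return http_access(rules, {"src": src, "host": host, "when": when, "user": user})
```

Running `decide(ORIGINAL, "192.168.1.50", "www.facebook.com", "2020-09-01T10:00", user="luis")` returns "allow" because the authenticated-localnet rule fires once the time-window rules fail, whereas the same request against CORRECTED is denied by the first rule.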