[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

Mirza Dedic mirza.dedic at outlook.com
Wed Oct 15 00:05:59 UTC 2014


Trying to understand what I am doing wrong with my ACLs (yes, I've read the ACL guide on the squid site.. but still confused).. My client is 172.16.10.101, trying to block access to facebook (and other dstdomain file lists), but it is not working; from the client I can still access fb.
Is this because I have this rule below..?
acl localnet src 172.16.0.0/12
http_access allow localnet
Instead of denying everything access and manually maintaining rules, I want to allow http/https access for everything except explicitly defined ACLs (in this case the facebook acl as a test).
I've tried to set debugging to debug_options ALL,1 33,2 to see more info on ACLs (read on some site that these are the debug flags to set), but I don't see any ACL details in my access.log file.
My squid.conf file (for Squid 3.3.3) is below..
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 8180 8443 563 1494 2598 8531
acl Safe_ports port 80                      # http
acl Safe_ports port 81                      # http for Pacific Brokerage
acl Safe_ports port 21                      # ftp
acl Safe_ports port 443 563                 # http
acl Safe_ports port 70                      # gopher
acl Safe_ports port 210                     # wais
acl Safe_ports port 280                     # http-mgmt
acl Safe_ports port 488                     # gss-http
acl Safe_ports port 591                     # filemaker
acl Safe_ports port 777                     # multiling http
acl Safe_ports port 8080 8081 8082 8088 8180
acl Safe_ports port 3128                    # Squid http server
acl Safe_ports port 1494 2598               # ICA - Citrix
acl Safe_ports port 7000 8000               # Oracle
acl Safe_ports port 9000                    # Oracle
acl Safe_ports port 8530                    # WSUS
acl Safe_ports port 55905                   # WSUS
acl Safe_ports port 1025-65535              # unregistered ports
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl ads dstdomain "/etc/squid/blacklists/ads/domains"
acl adult dstdomain "/etc/squid/blacklists/adult/domains"
acl gambling dstdomain "/etc/squid/blacklists/gambling/domains"
acl fb dstdomain .facebook.com
http_access allow localnet
http_access allow localhost
http_access deny ads adult gambling fb
http_access deny all
http_port 8080
dns_nameservers 172.16.11.3 172.16.11.2 172.16.11.1
visible_hostname www-proxy
hierarchy_stoplist cgi-bin ?
logformat oppy %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log oppy
cache_store_log daemon:/var/log/squid/store.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
logfile_rotate 4
debug_options ALL,1
# ACL Debug Options
# debug_options ALL,1 33,2
# debug_options ALL,1 33,2 28,9
coredump_dir /var/log/squid/squid
shutdown_lifetime 3 seconds
dns_v4_first on
retry_on_error on
forward_max_tries 25
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute
cache_dir ufs /var/cache/squid 100 16 256
cache_mgr ittechs at domain.com
snmp_port 0
icp_port 0
htcp_port 0
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
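As an added example, not part of this message and not Squid's own code: a small Python simulator of Squid's documented http_access semantics (acl lines sharing a name are ORed; every ACL name on one http_access line must match, with "!" negating one; lines are tested top to bottom and the first match decides; a dstdomain value with a leading dot also covers subdomains), run against a trimmed version of the configuration above. The blacklist files are replaced with constructed inline domains (.ads.example and so on), the manager, CONNECT and to_localhost lines are omitted because they do not affect a plain port-80 GET, and the client addresses and hostnames in the demo are constructed.

```python
"""Simulate Squid's http_access decision for one request (added example, not Squid code).

Semantics modelled, as documented for Squid:
  * several 'acl' lines with the same name are ORed together
  * all ACL names on one 'http_access' line must match (AND); '!' negates one
  * 'http_access' lines are tested top to bottom and the FIRST match decides;
    if nothing matches, the opposite of the last line's action applies
  * a dstdomain value with a leading dot matches that domain and its subdomains
"""
import ipaddress
from collections import defaultdict


def parse_config(text):
    """Collect acl definitions and http_access rules; other directives are ignored."""
    acls = defaultdict(list)   # name -> [(type, [values]), ...]
    rules = []                 # [(action, [acl names]), ...] in file order
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not parts:
            continue
        if parts[0] == "acl":
            acls[parts[1]].append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def domain_matches(pattern, host):
    """dstdomain rule: '.example.com' matches example.com and any subdomain."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def port_matches(spec, port):
    """port rule: a single port or a 'lo-hi' range."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(acls, name, req):
    if name == "all":          # Squid's built-in catch-all ACL
        return True
    client = ipaddress.ip_address(req["src"])
    for kind, values in acls.get(name, []):
        if kind == "src" and any(client in ipaddress.ip_network(v, strict=False)
                                 for v in values):
            return True
        if kind == "dstdomain" and any(domain_matches(v, req["host"]) for v in values):
            return True
        if kind == "port" and any(port_matches(v, req["port"]) for v in values):
            return True
        if kind == "method" and req["method"] in values:
            return True
    return False


def decide(config, src, host, port=80, method="GET"):
    """Return (action, index of the http_access line that decided, or None)."""
    acls, rules = parse_config(config)
    req = {"src": src, "host": host, "port": port, "method": method}
    for i, (action, names) in enumerate(rules):
        # every name on the line must match (a negated name must NOT match)
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, i
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


# Constructed stand-ins for the blacklist files so the example runs offline.
ACLS = """
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl Safe_ports port 80 443 1025-65535
acl ads dstdomain .ads.example
acl adult dstdomain .adult.example
acl gambling dstdomain .gambling.example
acl fb dstdomain .facebook.com
http_access deny !Safe_ports
"""

# Ordering as posted: 'allow localnet' sits above the deny line.
POSTED = ACLS + """
http_access allow localnet
http_access deny ads adult gambling fb
http_access deny all
"""

# Deny line moved above the allow, but still one line naming four ACLs (ANDed).
COMBINED_DENY_FIRST = ACLS + """
http_access deny ads adult gambling fb
http_access allow localnet
http_access deny all
"""

# One deny per list, all above the allow: any single list's domains are blocked.
SPLIT_DENY_FIRST = ACLS + """
http_access deny ads
http_access deny adult
http_access deny gambling
http_access deny fb
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, cfg in [("posted order", POSTED), ("combined deny first", COMBINED_DENY_FIRST),
                       ("split deny first", SPLIT_DENY_FIRST)]:
        action, idx = decide(cfg, "172.16.10.101", "www.facebook.com")
        print(f"{label:20s} 172.16.10.101 -> www.facebook.com: {action} (http_access line {idx})")
```

Running it shows why the request from 172.16.10.101 to www.facebook.com is allowed with the posted ordering: `http_access allow localnet` matches first, so the deny line below it is never consulted. It also shows that a single `http_access deny ads adult gambling fb` line only denies a request that matches all four ACLs at once; one deny line per list, placed above the allow, is the arrangement that blocks each list on its own. Separately from ordering, the per-ACL output enabled by debug_options is written to cache.log rather than access.log.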