[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 15 06:13:04 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


And the key difference in these configs is not the ACL contents, but
the ordering in which they are matched.

Mirzas' config starts by telling Squid everything on the LAN/localnet
is allowed. Ok, fine, Squid will do that.

Walters' config will tell Squid a limited set of things to allow, then
some things to deny, then implicitly allow everything else [1][2].
Whichever rule actually matches the FB requests will be applied by
Squid, with a limited set of initial allow/bypass the likelihood that
a deny following will match is higher.


[1] this is not a great situation, because any remote attack which can
figure out a way past your regex ACLs can use the proxy for whatever
they please[2].

[2] I hope you just omitted the localnet ACL checks which should
follow the ones you showed.

Amos



On 15/10/2014 6:56 p.m., Walter H. wrote:
> acl allow_urls url_regex -i "/etc/squid/allowurls-regex-acl.squid"
> (a) acl block_urls url_regex -i
> "/etc/squid/blockurls-regex-acl.squid" (b) acl allow_urlpaths
> urlpath_regex -i "/etc/squid/allowurlpaths-regex-acl.squid" (c) acl
> block_urlpaths urlpath_regex -i 
> "/etc/squid/blockurlpaths-regex-acl.squid" (d) acl
> allow_domains_list dstdomain 
> "/etc/squid/allowdomains-list-acl.squid" (e) acl block_domains_list
> dstdomain "/etc/squid/blockdomains-list-acl.squid" (f) acl
> block_domains_listex dstdomain 
> "/etc/squid/blockdomains-listex-acl.squid" (g) acl
> allow_domains_regex dstdom_regex -i 
> "/etc/squid/allowdomains-regex-acl.squid" (h) acl
> block_domains_regex dstdom_regex -i 
> "/etc/squid/blockdomains-regex-acl.squid" (i) acl block_hosts_list
> dst "/etc/squid/blockhosts-list-acl.squid" (j) deny_info
> ERR_URL_BLOCKED block_urls deny_info ERR_URL_BLOCKED
> block_urlpaths deny_info ERR_DOMAIN_BLOCKED block_domains_list 
> deny_info ERR_DOMAIN_BLOCKED block_domains_listex deny_info
> ERR_DOMAIN_BLOCKED block_domains_regex deny_info ERR_HOST_BLOCKED
> block_hosts_list http_access allow allow_urls http_access allow
> allow_urlpaths http_access allow allow_domains_list http_access
> allow allow_domains_regex http_access deny block_urls http_access
> deny block_urlpaths http_access deny block_domains_list http_access
> deny block_domains_listex http_access deny block_domains_regex 
> http_access deny block_hosts_list
> 
> (a), (b) look like this: 
> "^http:\/\/websupport\.wdc\.com\/sfclickcount.asp\?" (c), (d) look
> like this: "^\/cgi-bin\/" (e), (f), (g) look like this:
> "www.googletagmanager.com" (h), (i) look like this:
> "^banner(s)?[0-9]*\." (j) looks like this: "85.17.30.143"
> 
> (g) comes from a source like: e.g.
> http://winhelp2002.mvps.org/hosts.htm
> 
> On 15.10.2014 02:05, Mirza Dedic wrote:
>> Trying to understand what I am doing wrong with my ACLs (yes I've
>> read the ACL guide on squid site.. but still confused).. My
>> client is 172.16.10.101, trying to block access to facebook (and
>> other dstdomain file lists), but it is not working from the
>> client I can still access fb.
>> 
>> Is this because I have this rule below..?
>> 
>> acl localnet src 172.16.0.0/12 http_access allow localnet
>> 
> yes
> 
>> Instead of denying everything access and manually maintaining
>> rules, I want to allow http/https access for everything except
>> explicitly defined ACLs (in this case the facebook acl as a
>> test).
>> 
>> I've tried to set debugging to debug_options ALL,1 33,2 to see
>> more info on ACLs (read on some site this is the debug flags to
>> set) but I don't see any ACL details in my access.log file.
>> 
>> my squid.conf (for SQUID 3.3.3) file is below..
>> 
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal
>> network acl localnet src 172.16.0.0/12  # RFC1918 possible
>> internal network acl localnet src 192.168.0.0/16 # RFC1918
>> possible internal network
>> 
>> acl SSL_ports port 443 8180 8443 563 1494 2598 8531 acl
>> Safe_ports port 80# http acl Safe_ports port 81 # http for
>> Pacific Brokerage acl Safe_ports port 21# ftp acl Safe_ports port
>> 443 563# http acl Safe_ports port 70# gopher acl Safe_ports port
>> 210# wais acl Safe_ports port 280# http-mgmt acl Safe_ports port
>> 488# gss-http acl Safe_ports port 591# filemaker acl Safe_ports
>> port 777# multiling http acl Safe_ports port 8080 8081 8082 8088
>> 8180 acl Safe_ports port 3128 # Squid http server acl Safe_ports
>> port 1494 2598 # ICA - Citrix acl Safe_ports port 7000 8000 #
>> Oracle acl Safe_ports port 9000 # Oracle acl Safe_ports port
>> 8530# WSUS acl Safe_ports port 55905# WSUS acl Safe_ports port
>> 1025-65535# unregistered ports acl CONNECT method CONNECT
>> 
>> http_access allow localhost manager http_access deny manager 
>> http_access deny !Safe_ports http_access deny CONNECT !SSL_ports 
>> http_access deny to_localhost
>> 
>> *acl ads dstdomain "/etc/squid/blacklists/ads/domains"* *acl
>> adult dstdomain "/etc/squid/blacklists/adult/domains"* *acl
>> gambling dstdomain "/etc/squid/blacklists/gambling/domains"* *acl
>> fb dstdomain .facebook.com*
>> 
>> http_access allow localnet http_access allow localhost
>> 
>> *http_access deny ads adult gambling fb*
>> 
>> http_access deny all
>> 
>> http_port 8080 dns_nameservers 172.16.11.3 172.16.11.2
>> 172.16.11.1 visible_hostname www-proxy
>> 
>> hierarchy_stoplist cgi-bin ?
>> 
>> logformat oppy %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru
>> %[un %Sh/%<a %mt access_log daemon:/var/log/squid/access.log
>> oppy cache_store_log daemon:/var/log/squid/store.log cache_log
>> /var/log/squid/cache.log cache_mem 64 MB logfile_rotate 4 
>> debug_options ALL,1 # ACL Debug Options # debug_options ALL,1
>> 33,2 # debug_options ALL,1 33,2 28,9 coredump_dir
>> /var/log/squid/squid
>> 
>> shutdown_lifetime 3 seconds dns_v4_first on retry_on_error on 
>> forward_max_tries 25 forward_timeout 30 seconds connect_timeout
>> 30 seconds read_timeout 30 seconds request_timeout 30 seconds 
>> persistent_request_timeout 1 minute
>> 
>> cache_dir ufs /var/cache/squid 100 16 256 cache_mgr
>> ittechs at domain.com
>> 
>> snmp_port 0 icp_port 0 htcp_port 0
>> 
>> refresh_pattern ^ftp:144020%10080 refresh_pattern
>> ^gopher:14400%1440 refresh_pattern -i (/cgi-bin/|\?) 00%0 
>> refresh_pattern .020%4320
>> 
>> 
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org 
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 
> 
> _______________________________________________ squid-users mailing
> list squid-users at lists.squid-cache.org 
> http://lists.squid-cache.org/listinfo/squid-users
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUPhBwAAoJELJo5wb/XPRjFLsH/3EJAnFmG1ClS+eK4kxViyBK
XzDLC3baYIGThunpiTMnX/rrrG9pi3HAouikeXbnfl+iGIovOrKsHA7oxZUXJbdG
Fs9sdfN8FDbQK8fJePR0TzP0EtbwNWn86LcP3CDt2U9C7yldORtu8jCR72hyvO6H
S1FWh3G6NUzuFLU+7UIxWVBUwMNCkT8knhXpfZ0G8gELFyXgoIJKoZXJob73nV0+
xfLQqJ4alYSvNYmAIdmS+zozgCS/vwDexk9uMJgywE15axSGUKPOgHXpxiTuI3hu
oEDfHW2I7VrGIFd8963LB5sR50HJoZFSkDUkthAFp2Gj+sjsj7+gv1B/DKz79W8=
=2aeX
-----END PGP SIGNATURE-----


More information about the squid-users mailing list