[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?
Mirza Dedic
mirza.dedic at outlook.com
Wed Oct 15 18:23:00 UTC 2014
Thanks Walter and Amos, I've taken your advice and now I got the blocking to partially work. I've re-organized how my ACLs are setup (order) and am using your examples, Walter, to implement my ACLs.
Working on the facebook example, I have..
acl block_domains_regex dstdom_regex -i "/etc/squid/block-domains-regex-list-acl.squid"
deny_info ERR_URL_BLOCKED block_domains_regex
http_access deny block_domains_regex
In the acl file, I have..
.*\.facebook\.com.*
According to http://www.regexr.com this blocks:
https://www.facebook.com
https://www.facebook.com/something
https://something.facebook.com
www.facebook.com
http://www.facebook.com
However, it will not block..
https://facebook.com
http://facebook.com
I can't seem to get this right to block the bottom 2, any ideas?
----------------------------------------
Date: Wed, 15 Oct 2014 08:46:44 +0200
From: Walter.H at mathemainzel.info
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?
On 15.10.2014 08:13, Amos Jeffries wrote:
> And the key difference in these configs is not the ACL contents, but
> the ordering in which they are matched.
>
> Mirza's config starts by telling Squid everything on the LAN/localnet
> is allowed. Ok, fine, Squid will do that.
>
> Walter's config will tell Squid a limited set of things to allow, then
> some things to deny, then implicitly allow everything else [1][2].
> Whichever rule actually matches the FB requests will be applied by
> Squid; with a limited set of initial allow/bypass, the likelihood that
> a deny following will match is higher.
>
>
> [1] this is not a great situation, because any remote attack which can
> figure out a way past your regex ACLs can use the proxy for whatever
> they please[2].
>
> [2] I hope you just omitted the localnet ACL checks which should
> follow the ones you showed.
>
> Amos
Yes I omitted this:
acl localnet src 192.168.0.0/16
on top of squid.conf and
http_access allow localnet
http_access allow localhost
below the listed ACL rules;
Walter
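The pattern from the question, run through a small emulation of what a dstdom_regex ACL actually inspects (an added example, not code from the thread or from Squid): Squid applies dstdom_regex to the request's destination host name, not to the full URL, so pasting whole URLs into regexr.com tests the wrong input. The anchored alternative pattern is my own assumption and was not proposed by any of the posters.

```python
import re
from urllib.parse import urlsplit

# Pattern from the question: only matches when a dot precedes "facebook",
# so the bare host "facebook.com" never matches.
ORIGINAL_PATTERN = r".*\.facebook\.com.*"
# Assumed alternative (not from the thread): the bare domain or any
# subdomain, anchored so look-alike hosts do not match.
ANCHORED_PATTERN = r"(^|\.)facebook\.com$"


def dst_host(url):
    """Return the host name that Squid would test with dstdom_regex.
    Simplified emulation, not Squid code: strip scheme, port and path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def dstdom_regex_matches(pattern, url):
    """True if the deny rule would fire; -i in the acl line means
    case-insensitive matching."""
    return re.search(pattern, dst_host(url), re.IGNORECASE) is not None


def evaluate(pattern, urls):
    """Map each request URL to whether the ACL would match it."""
    return {u: dstdom_regex_matches(pattern, u) for u in urls}


# Constructed sample requests: the seven from the question plus one
# look-alike host that must stay allowed.
SAMPLE_URLS = [
    "https://www.facebook.com",
    "https://www.facebook.com/something",
    "https://something.facebook.com",
    "www.facebook.com",
    "http://www.facebook.com",
    "https://facebook.com",
    "http://facebook.com",
    "https://notfacebook.com",
]

if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(name)
        for url, blocked in evaluate(pat, SAMPLE_URLS).items():
            print(f"  {'DENY ' if blocked else 'allow'}  {url}")
```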