[squid-users] Odp: Re: ACLs work in a half

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 21 02:53:20 UTC 2015


On 20/04/2015 8:01 p.m., Robert Lasota wrote:
> On Sunday, 19 April 2015 21:28 Yuri Voinov wrote:
>>               
>>     On 20.04.15 0:29, Robert Lasota wrote:
>>     > Hi,
>>       >
>>       > I have newest Squid (3.5.3). I have ACL with blacklist:
>>       >
>>       > acl blacklist1 dstdomain "/opt/etc/blacklist/porn_domains"
>>       > http_access deny blacklist1
>>       >
>>       > ..and they work on a half. I mean when I type in url e.g. redtube.com - it
>>       > blocks site. But when I type in some searcher: google or bing, and then I go to
>>       > the site from search results - I enter to site without problems, so ACL doesn't
>>       > work.
>>       >
>>       > What is going on ? Please help me.
>>     
>>     Did you see which URL the search engine produces as a result? The problem is not in the ACL. The problem is in your understanding of how it must work.
>>     
>>     You are using such a primitive scheme for complete blocking.
>>     
>>     As a solution - take a look at the redirectors - squidGuard or ufdbGuard, or something similar.
>>     
>>     For example, the block page template from squidGuard uses a special mechanism to block inlined URLs with inappropriate content:
>>     
>>     http://i.imgur.com/PnMldpr.png
>>     
>>     
> 
> You wrote "You using so primitive scheme to complete blocking." So is there a better way to achieve my goal, or only to use an additional redirector like squidGuard?
> 

Some people just seem to like complications. You will face the same
problem no matter whether you configure the access controls in Squid or
in a helper like SG.

You need to understand what traffic message Squid is dealing with to
match and block it appropriately.

* dstdomain only matches the domain name portion of URLs - so it only
works if the domain name is available, e.g. in GET requests for HTTP.

* for google/bing etc. the domain name is google.com or bing.com etc. (not
redtube), then they shunt you off into a CONNECT tunnel also to google/bing.

There is probably a separate CONNECT tunnel going to redtube, or a GET
to a domain you were not expecting, after the search clicks.

Also, make sure your blocklist entries are in dstdomain wildcard format,
e.g. ".redtube.com". Or they will not match the site's subdomains. It could
be one of those subdomains the search engine sends you to.

Amos
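
The subdomain point in the reply above, as an added example that is not part of the original thread and not Squid's own code: a simplified model of dstdomain matching, run over constructed requests, comparing a blocklist entry as written with its leading-dot wildcard form. The domain names, request list and function names are assumptions made up for the illustration.

```python
from urllib.parse import urlsplit

def request_host(method, target):
    """Host the proxy sees: authority of a CONNECT target, or host of a GET URL."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def dstdomain_match(host, entry):
    """Simplified model (assumption): '.example.com' matches the domain and
    every subdomain; 'example.com' matches that exact host only."""
    entry = entry.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def blocked(method, target, entries):
    host = request_host(method, target)
    return any(dstdomain_match(host, e) for e in entries)

def to_wildcard(entries):
    """Rewrite entries into leading-dot form, dropping duplicates."""
    return sorted({e if e.startswith(".") else "." + e for e in entries})

# Constructed sample data: one blocklist entry without the leading dot, and
# the kind of requests a browser sends after a click on a search result.
BLOCKLIST = ["blocked.example"]
REQUESTS = [
    ("GET", "http://blocked.example/"),           # typed into the address bar
    ("GET", "http://www.blocked.example/video"),  # subdomain from a search result
    ("CONNECT", "www.blocked.example:443"),       # HTTPS tunnel to the subdomain
    ("CONNECT", "www.search.example:443"),        # tunnel to the search engine
]

def report(entries):
    """Return (method, target, denied) for every sample request."""
    return [(m, t, blocked(m, t, entries)) for m, t in REQUESTS]

if __name__ == "__main__":
    for label, entries in (("as written", BLOCKLIST),
                           ("wildcard", to_wildcard(BLOCKLIST))):
        print(label, entries)
        for m, t, hit in report(entries):
            print(f"  {'DENY ' if hit else 'ALLOW'} {m} {t}")
```
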

