[squid-users] Time-Based Download Restrictions

Amos Jeffries squid3 at treenet.co.nz
Tue Dec 1 10:15:34 UTC 2015

On 1/12/2015 3:56 a.m., Edmonds Namasenda wrote:
> Greetings.
> I want to deny access to certain downloads (in str-med.txt) during "WorkHrs"
> This is failing miserably as this is not achieved.
> Please look through my files (squid.conf and str-med.txt) below for
> pointers to rectify this. Thanks in advance

Apart from being placed above the access controls on CONNECT (it should
be below), the config looks like it should work and block all HTTP
downloads for URLs that look like filename downloads.

I suspect that you are probably confusing HTTPS and HTTP though. HTTPS
does not have a URL path exposed for the ACL to work with. So these
controls will have no effect on HTTPS traffic.

Or perhaps you are confusing URL paths for file paths. While they do
look alike sometimes, the overlap is purely historical design
coincidence. There is not necessarily any correlation in reality.

> ### Start squid.conf ###
> acl office-net src
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl WorkHrs time MTWHF 08:29-12:59
> acl WorkHrs time MTWHFA 14:00-16:59
> ## Wrong Files and URLS
> acl malice dstdomain -i "/etc/squid/malware.acl"
> acl porn dstdomain -i "/etc/squid/xxx.acl"
> acl ads dstdomain -i "/etc/squid/ads.acl"
> acl proxies dstdomain -i "/etc/squid/proxies.acl"
> acl nostr urlpath_regex -i "/etc/squid/str-med.txt"
> http_access deny nostr WorkHrs
> http_reply_access deny nostr WorkHrs

If the "nostr WorkHrs" check matches anything it would do so on
http_access, the reply version is not useful.

> http_access deny !Safe_ports
> http_access deny ads
> http_access deny porn
> http_access deny malice
> http_access deny proxies

The ACLs ads, porn, malice, and proxies are all dstdomain. You should be
able to load all their entries into one ACL name and just test once,
instead of checking each request's domain 4 times.
Combine them into one ACL name.

Also, all your custom ACLs should be placed after the "deny CONNECT
!SSL_ports" line.

> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow office-net all
> # Allow localhost always proxy functionality
> http_access allow localhost
> # And finally deny all other access to this proxy
> http_access deny all
> error_directory /usr/share/squid/errors/en
> icp_access allow office-net
> icp_access deny all
> htcp_access allow office-net
> htcp_access deny all
> http_port intercept
> http_port
> hierarchy_stoplist cgi-bin ?

You don't have peers, so the above is not useful. You can remove it.

> acl youtube dstdomain .youtube.com
> cache allow youtube

The above may not be doing what you think it does...

With ACL processing the implicit default action is the inverse of the
previous action. So what the above does is tell Squid to cache
youtube.com objects, *but nothing else*.

If that is intentional it is best to say so with an explicit "cache deny
all" line at the end.

If you want youtube.com objects to be cached, a) the above does not
work, and b) you don't have to specify "cache allow" lines. The default
action by Squid is to cache everything that is cacheable.
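
The following is an added example, not part of the original message and not code from the Squid project: a simplified Python model of the access-list evaluation described above (first matching line decides, otherwise the inverse of the last action; no URL path on CONNECT). The regex standing in for str-med.txt is constructed, and the names `check`, `request`, `ACLS`, `HTTP_ACCESS` and `CACHE` are hypothetical.

```python
import re
from datetime import datetime

# Constructed stand-in for one str-med.txt pattern (the file is not shown on the page).
NOSTR = re.compile(r"\.(mp3|mp4|avi)(\?.*)?$", re.I)
DAYS = "MTWHFAS"  # Squid day codes in datetime.weekday() order (Mon=0 .. Sun=6)
WORKHRS = [("MTWHF", "08:29", "12:59"), ("MTWHFA", "14:00", "16:59")]

def work_hrs(req):
    day, hhmm = DAYS[req["when"].weekday()], req["when"].strftime("%H:%M")
    return any(day in days and start <= hhmm <= end for days, start, end in WORKHRS)

def nostr(req):
    # A CONNECT request carries only host:port, so there is no URL path to test.
    return req["method"] != "CONNECT" and bool(NOSTR.search(req["path"]))

ACLS = {
    "nostr": nostr,
    "WorkHrs": work_hrs,
    "youtube": lambda r: r["host"] == "youtube.com" or r["host"].endswith(".youtube.com"),
    "all": lambda r: True,
}

def check(rules, req):
    """First line whose ACLs all match decides; otherwise invert the last action."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Simplified rule lists modelled on the quoted squid.conf lines.
HTTP_ACCESS = [("deny", ["nostr", "WorkHrs"]), ("allow", ["all"])]
CACHE = [("allow", ["youtube"])]  # no explicit "cache deny all" line

def request(method, host, path, when):
    return {"method": method, "host": host, "path": path,
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M")}

if __name__ == "__main__":
    tue = "2015-12-01 10:15"  # a Tuesday inside the first WorkHrs window
    print(check(HTTP_ACCESS, request("GET", "example.com", "/a/song.mp3", tue)))
    print(check(HTTP_ACCESS, request("CONNECT", "example.com", "", tue)))
    print(check(CACHE, request("GET", "example.com", "/index.html", tue)))
```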

