[squid-users] New to Squid, Forward proxy problems with domain blocks.

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 2 16:18:21 UTC 2015


On 3/07/2015 3:29 a.m., Augusto Gabanzo wrote:
> Hello, as the subject says I'm new.
> 
> Been reading a lot and some examples and I do have a weird problem where I
> can't block some domains. First and foremost I'm using the squid proxy for
> windows version 2.7.8
> 
> as that's the only one for windows that works for me; the 3.x versions always
> deny requests from clients even with the default conf. I've been testing all
> this in a production environment so ... help me!! please or I will get killed
> soon :D.
> 
> my conf for 2.7.8 is (I'm modifying one that comes with proxy 3-1):

Don't. 2.7 contains no built-in defaults where 3.x does. The .conf file
contents need to be very different.


> pid_filename c:/Squid/var/logs/squid.pid (this part here I don't know what
> its use is, as I can't find info about it on the net)

<http://www.squid-cache.org/Doc/config/pid_filename/>

The PID is used for sending signals to the Squid process/service.

> 
> #Limit upload to 2M and download to 10M (trying to stop users from uploading
> big files to email sites and fb and downloading big files, as I only have 6mbps
> and 1mbps down/up bandwidth)
> 
> request_body_max_size 2048 KB
> 
> reply_body_max_size 10485760 deny localnet
> 
> # compressed (I modified this part: instead of 0 they had 10080 and instead
> of 10080 they had 999999; those times are too big, files could stay forever
> fresh! inside the cache)

"forever" in HTTP is "no more than 68 years". In 2.7 that's 1 year.

And no, these lines only affect objects which are completely lacking
Cache-Control values. Most traffic has such controls and Squid obeys them.

Also, each refresh_pattern line has to be matched against a request
individually. Repeating many lines causes a lot of work to be done for
each request. Better to combine the patterns manually.


> 
> acl fullvideo src "c:/squid/etc/ipfullvideo.sq"  # here is a file with IPs
> allowed to see youtube and facebook videos, media streaming
> 
> acl bad_url url_regex -i "c:/squid/etc/bad-sites.sq" # .facebook.com
> .twitter.com rule to block those sites for users inside ipbloqueada

So why is it a slow regex and not a fast dstdomain ?

> 
> acl ipbloqueada src 192.168.1.117/32 192.168.1.179/32 192.168.1.170/32
> 192.168.1.15/32  # IPs of 3 users that shouldn't be accessing fb and twitter.
> 
> acl bad_ext urlpath_regex -i "c:/squid/etc/extensiones.sq" # rule to block
> some file extensions like .avi$, .mpg$ etc, stop downloads from them even if
> they are smaller than 10MB (this doesn't WORK!)
> 

The regex syntax mentioned assumes the URL ends with the file extension.
That is fairly uncommon. On most of the download sites these days the ext
is some dynamic script like .php or .asp, using the Content-Type and
Content-Disposition headers to deliver the filename details.


> 
> http_access allow localnet                                         #let the
> network use the proxy
> 
> http_access allow localhost                                       #let the
> proxy server use itself ?? ( O_o I don't quite get this part.)


Lets other software on the Squid server use it. Yes that includes the
proxy looping traffic back at itself, but the Via header protects against
that being a problem.


> 
> http_access allow manager localhost
> 
> http_access deny bad_url ipbloqueada               #here I want all the urls
> in BAD_URL from the ips IPBLOQUEADA to be denied; used to work ... when I
> started but now it doesn't. I will show a sample of the file at the end

If I'm reading that comment on the ipbloqueada definition, you are
assuming that Facebook, Twitter etc are still using plaintext HTTP
through the proxy. They don't. These days they use TLS with SPDY or
HTTP/2 or QUIC or HTTPS.


> 
> http_access deny bad_ext                                        #block
> reading of files with those extensions.
> 
> deny_info TCP_RESET bad_ext                                #send a tcp_reset
> so they don't know the proxy blocked them
> 
> http_reply_access deny media !fullvideo           # here I try to deny
> access to media to all but those inside fullvideo (doesn't quite work either,
> youtube loads and works :D) some other streaming sites are blocked well
> 

YT is HTTPS not HTTP now.


> 
> # And finally deny all other access to this proxy
> 
> http_access deny all
> 
> #always_direct allow all                                              # I
> feel this part is to let squidguard work, I removed it cuz it blocked
> youtube and many other sites; I bet that was because of the ads.
> 

always_direct has no effect unless cache_peer directive is used. In
which case it makes the cache_peer not be used for traffic.

Amos
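The points raised in the reply (dstdomain instead of url_regex, matching media by reply headers rather than URL suffix, and combining refresh_pattern lines) put together as one squid.conf fragment. This is an added example, not Amos's or the Squid project's own configuration; the file paths and client IPs are the ones quoted in the thread, while the localnet/localhost ranges, the list file contents and the regexes are assumptions. It also applies one Squid rule the thread does not spell out: http_access is evaluated first-match, so the deny lines for bad_sites must come before "allow localnet" or they are never reached by localnet clients.

```conf
# Added example (not from the original message). Squid 2.7-style ACLs and
# access lists for the filtering discussed in the thread.

# Assumed network definitions; adjust to the real LAN.
acl localnet  src 192.168.1.0/24
acl localhost src 127.0.0.1/32

# Domain blocking: dstdomain is a fast lookup, url_regex is a slow regex.
# A leading dot matches the domain and every subdomain. Assumed file contents,
# one entry per line:
#   .facebook.com
#   .twitter.com
acl bad_sites dstdomain "c:/squid/etc/bad-sites.sq"

# The clients that must not reach those domains (IPs as quoted in the thread).
acl ipbloqueada src 192.168.1.117/32 192.168.1.179/32 192.168.1.170/32 192.168.1.15/32

# Clients allowed to stream video; everyone else has media replies denied below.
acl fullvideo src "c:/squid/etc/ipfullvideo.sq"

# Match media by what the server says it is sending instead of by URL suffix:
# rep_mime_type tests the reply Content-Type, rep_header tests any reply
# header, here a Content-Disposition carrying a filename with a media extension.
acl media        rep_mime_type -i ^video/ ^audio/
acl media_attach rep_header Content-Disposition -i \.(avi|mpg|mpeg|mp4|mkv)

# Request-side access control. First match wins, so the deny rules for the
# blocked clients sit above "allow localnet".
http_access allow manager localhost
http_access deny  manager
http_access deny  bad_sites ipbloqueada
http_access allow localnet
http_access allow localhost
http_access deny  all

# Reply-side checks, evaluated once the response headers have arrived.
http_reply_access deny  media        !fullvideo
http_reply_access deny  media_attach !fullvideo
http_reply_access allow all

# Two refresh_pattern lines instead of many near-identical ones. These are only
# consulted for objects with no Cache-Control/Expires of their own.
refresh_pattern -i \.(gif|png|jpe?g|ico|css|js)$ 1440 20% 10080
refresh_pattern .                                  0    20% 4320
```

For HTTPS sites the proxy only sees the CONNECT request with host and port, so the dstdomain deny on bad_sites still applies to those clients, but the reply-side media checks can only act on plaintext HTTP responses; a TLS-wrapped video stream looks like opaque bytes to http_reply_access.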


