[squid-users] Failure URL

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 15 09:06:53 UTC 2016


On 15/07/2016 5:19 p.m., Filip Maroul wrote:
> Hello,
> I am running squid3 in version 3.4 on Debian 8 x64. I am using a block list
> for some domains; it works, but if I try to put a failure url it not work.

Please explain "it not work".


> Here is my conf file:
> -----------------------------------------------------------------------------------
> http_port 3128
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600       90%     43200
> 

Problem #1: your custom refresh_pattern is never used.

 ** Order is important. **

You should add custom refresh_pattern lines to the top of the list.

Squid stops processing refresh_pattern lines when it finds a match for
the current transaction's URL. The "." pattern is listed last in the
defaults because it matches *everything* that reaches it.


> #acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
> acl dmz_net src 172.100.200.0/27 # RFC 1918 possible internal network
> #acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
> #acl localnet src fc00::/7       # RFC 4193 local private network range
> #acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> 
> acl SSL_ports port 443 # https
> 
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> 
> acl CONNECT method CONNECT
> acl Social_block dstdom_regex .app.facebook.com .facebook.com

Problem #2: using regex to match a dstdomain value.

I guess you are using this either out of a misplaced enthusiasm or
belief in regex. Or to avoid the warning Squid displays about
".app.facebook.com" when the two are combined.

Squid is warning about .app.facebook.com being redundant. Any URL
matching .app.facebook.com is by definition also matched by
.facebook.com. To avoid some very real matching problems you should not
list it.

You should use:
  acl Social_block dstdomain .facebook.com .fbcdn.net

Note that "facebook.com" and subdomains are not commonly used by
Facebook. Their actual data objects domain is *.fbcdn.net


> acl Bulvar dstdom_regex .super.cz
> 

acl Bulvar dstdomain .super.cz


> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny Social_block
> http_access deny Bulvar
> http_access allow localhost manager
> http_access deny manager
> http_access allow dmz_net
> http_access allow localhost
> http_access deny all
> 
> #Disk cache directory
> cache_dir ufs /var/spool/squid3 1024 16 256
> 
> #Max memory cache usage
> cache_mem 1024 MB
> 
> deny_info http://www.seznam.cz Bulvar

This redirects when the Bulvar ACL matches. That is all. Only the
*.super.cz domains listed in Bulvar will be redirected.


Amos
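The two points made in this reply, first-match ordering of refresh_pattern and dstdomain versus dstdom_regex matching, can be checked without a running Squid. The following is an added example, not code from the thread or from the Squid project: a small Python model of the matching rules as the reply describes them (first matching refresh_pattern wins; a dstdomain value with a leading dot matches the domain and all its subdomains; dstdom_regex is an unanchored regex search where "." is a wildcard). The refresh_pattern lines are the ones quoted in the original post; the URLs and host names fed to it are constructed sample input.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshPattern:
    """One refresh_pattern line: [-i] regex min percent max (minutes)."""
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = False


# refresh_pattern lines in the order the original post listed them
AS_POSTED = [
    RefreshPattern(r"^ftp:", 1440, 20, 10080),
    RefreshPattern(r"^gopher:", 1440, 0, 1440),
    RefreshPattern(r"(/cgi-bin/|\?)", 0, 0, 0, ignore_case=True),
    RefreshPattern(r".", 0, 20, 4320),
    RefreshPattern(r"\.(gif|png|jpg|jpeg|ico)$", 3600, 90, 43200, ignore_case=True),
]

# Same lines with the custom image pattern moved to the top, as the reply recommends
REORDERED = [AS_POSTED[4]] + AS_POSTED[:4]


def first_matching_refresh_pattern(patterns, url):
    """Squid stops at the first refresh_pattern whose regex matches the URL."""
    for p in patterns:
        flags = re.IGNORECASE if p.ignore_case else 0
        if re.search(p.regex, url, flags):
            return p
    return None


def dstdomain_match(acl_values, host):
    """dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; a value without a leading dot matches that exact host."""
    host = host.lower().rstrip(".")
    for value in acl_values:
        value = value.lower()
        if value.startswith("."):
            if host == value[1:] or host.endswith(value):
                return True
        elif host == value:
            return True
    return False


def dstdom_regex_match(acl_regexes, host):
    """dstdom_regex semantics: unanchored regex search against the host name.
    An unescaped '.' matches any single character, not only a literal dot."""
    return any(re.search(rx, host) for rx in acl_regexes)


if __name__ == "__main__":
    # Problem #1: with the posted order the "." line swallows the image URL
    url = "http://example.invalid/logo.png"   # constructed sample URL
    print("posted order  ->", first_matching_refresh_pattern(AS_POSTED, url))
    print("custom first  ->", first_matching_refresh_pattern(REORDERED, url))

    # Problem #2: the regex form misses the bare domain and over-matches others
    for host in ("super.cz", "www.super.cz", "xsuper-cz.example.invalid"):
        print(host, "dstdom_regex:", dstdom_regex_match([".super.cz"], host),
              "dstdomain:", dstdomain_match([".super.cz"], host))
```

With the posted order, every URL that reaches the "." line is cached by that rule, so the image pattern underneath it never fires; moving it to the top changes the result for the sample URL. For the block list, `dstdom_regex .super.cz` does not match the bare host `super.cz` at all (the regex needs some character before "super"), while it does match an unrelated host such as `xsuper-cz.example.invalid`; `dstdomain .super.cz` matches the domain and its subdomains and nothing else.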
