[squid-users] Whitelist domain ignored?

Jose Torres-Berrocal jetsystemservices at gmail.com
Tue Oct 4 21:22:15 UTC 2016 

Just to confirm that I sent the email

Jose E Torres
939-777-4030
JET System Services


On Tue, Oct 4, 2016 at 4:41 PM, Jose Torres-Berrocal
<jetsystemservices at gmail.com> wrote:
> I  do not know the correct terms to the problem I have.
>
> I have some clients that use a program that tries to connect to:
> https://neodecksoftware.com/NeoMedOnline/NeoMedOnlineService.svc
>
> Went to the access.log and found the neodecksoftware.com is being
> denied even that I have it in a whitelist file.
>
> The below info is the error lines fund, the whitelist file content,
> and the squid conf:
>
> ----------------------------------------------------------------------------------------------
> 1475581614.208      0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
> 1475582327.774      0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
>
> /var/squid/acl/whitelist.acl:
> .familymedicinepr.com
> .anydesk.com
> .teamviewer.com
> .secureserver.net
> .gmail.com
> .mail.yahoo.com
> .outlook.com
> .aol.com
> .libertypr.net
> .coqui.net
> .prtc.net
> .assertus.com
> .neodecksoftware.com
> .office.net
> .microsoft.com
> .office.com
> .live.com
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 192.168.1.1:3128
> http_port 127.0.0.1:3128
> icp_port 0
> dns_v4_first off
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/local/etc/squid/icons
> visible_hostname pfsense
> cache_mgr jetsystemservices at gmail.com
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger
>
> logfile_rotate 31
> debug_options rotate=31
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src  192.168.1.0/24 127.0.0.0/8
> forwarded_for on
> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin \?
> cache deny dynamic
>
> cache_mem 512 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 4 MB
>
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> cache allow all
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:    1440  20%  10080
> refresh_pattern ^gopher:  1440  0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
> refresh_pattern .    0  20%  4320
>
>
> #Remote proxies
>
>
> # Setup some default acls
> # From 3.2 further configuration cleanups have been done to make
> things easier and safer. The manager, localhost, and to_localhost ACL
> definitions are now built-in.
> # acl localhost src 127.0.0.1/32
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128
> 3129 1025-65535 444
> acl sslports port 443 563  444
>
> # From 3.2 further configuration cleanups have been done to make
> things easier and safer. The manager, localhost, and to_localhost ACL
> definitions are now built-in.
> #acl manager proto cache_object
>
> acl purge method PURGE
> acl connect method CONNECT
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> # From 3.2 further configuration cleanups have been done to make
> things easier and safer.
> # The manager, localhost, and to_localhost ACL definitions are now built-in.
> # http_access allow localhost
>
> request_body_max_size 0 KB
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc
>
> # Reverse Proxy settings
>
>
> # Custom options before auth
> connect_timeout 2
>
> # Always allow access to whitelist domains
> http_access allow whitelist
> auth_param basic program /usr/local/libexec/squid/basic_radius_auth -w
> Maint4030 -h pfsense -p
> auth_param basic children 5
> auth_param basic realm Please enter your credentials to access the proxy
> auth_param basic credentialsttl 5 minutes
> acl password proxy_auth REQUIRED
> # Custom options after auth
>
>
> http_access allow password localnet
> # Default block all to be sure
> http_access deny allsrc
>
> ----------------------------------------------------------------------------------------------
>
> Cordially,
> Jose

More information about the squid-users mailing list