[squid-users] can't block streaming

Marcus Kool marcus.kool at urlfilterdb.com
Fri Nov 3 10:43:51 UTC 2017


It is not clear what exactly you want to achieve.
Block everything from youtube?

Amos told you that squidGuard has not been maintained for many years but forgot to mention that ufdbGuard does the same thing and has regular updates.
ufdbGuard has a feature to block a set of Youtube videos identified by the video ID and automagically block all related images too.

Marcus


On 03/11/17 07:42, Vacheslav wrote:
> 
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
> Sent: Wednesday, November 1, 2017 3:52 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] can't block streaming
> 
> On 01/11/17 21:54, Vacheslav wrote:
>> Thanks for your time,
>>
>> -----Original Message-----
>> From: Amos Jeffries
>> Sent: Tuesday, October 31, 2017 5:45 PM
>>
>> On 31/10/17 22:05, Vacheslav wrote:
>>> Peace,
>>>
>>> I tried searching and debugging but I couldn't find a solution,
>>> whatever I do youtube keeps working.
>>>
>>> Here is my configuration:
>> ...
>>> # Media Streams
>>>
>>> ## MediaPlayer MMS Protocol
>>>
>>> acl media rep_mime_type mms
>>>
>>> acl mediapr url_regex dvrplayer mediastream ^mms://
>>>
>>> ## (Squid does not yet handle the URI as a known proto type.)
>>
>>> Unsupported URI schemes should result in the client receiving an HTTP
>>> error page instead of Squid handling the traffic.
>>
>>> Which also explains your problems: the Browser is either not using
>>> the proxy at all for this traffic, or sending the traffic through a
>>> CONNECT tunnel that is allowed to be created for other reasons.
>>
>> Well I tried unchecking automatically detect proxy settings. There are
>> 2 network cards on the squid, one with a gateway, the same is used as
>> the proxy ip port 3128 and youtube is not in the bypass proxylist. I
>> tried using opera, the same result.
> 
>> Things like YT do not have to be on any bypass list to avoid the proxy.
>> It just has to have a URL scheme for some protocol the browser detects as not able to go through the HTTP-only proxy. eg "mms:"
> 
>> Since mms:// means a non-HTTP protocol and it is not commonly supported by HTTP proxies, the browsers usually send it directly to the mms protocol port(s) AFAIK.
> 
> Well I tried switching the ip of the pc to one that can't do http and https at all without proxy. I tested it without proxy enabled and internet sites don't open, I switched the proxy back on and youtube works when it is forbidden.
> 
> 
>> What do you mean by a connect tunnel?
> 
>> Things like this:
> 
> "
>    >CONNECT r1---sn-ntqe6n76.googlevideo.com:443 HTTP/1.1
> 
>    >... non-HTTP data stream.
> "
> 
>> Which tells Squid to open a TCP connection to the named server and port.
> That is how a YouTube video I'm watching right now is currently going through a test Squid. The browser of course shows it as a GET request for some https: URI, but the proxy only sees that CONNECT.
> 
> To see what is inside that particular port 443 tunnel one has to use SSL_Bump feature to decrypt the HTTPS protocol that is supposed to be on that port.
> 
> 
>> ...
>>
>>> # We strongly recommend the following be uncommented to protect innocent
>>>
>>> # web applications running on the proxy server who think the only
>>>
>>> # one who can access services on "localhost" is a local user
>>>
>>> #http_access deny to_localhost
>>>
>>> # Deny all blocked extension
>>>
>>> error_directory /usr/share/squid/errors/en
>>>
>>> deny_info ERR_BLOCKED_FILES blockfiles
>>>
>>> http_access deny blockfiles
>>>
>>> #
>>>
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>
>>
>>> Please read the above line, and consider all the custom rules you
>>> placed above it.
>> I moved the below text to under
>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>
>> http_access deny mediapr
>> http_access deny mediapr1
>> http_access deny mediapr2
>> http_access deny mediapr3
>> http_reply_access deny media
>> ...
>>>
>>> #url_rewrite_program /usr/sbin/squidGuard
>>>
>>> #url_rewrite_children 5
>>>
>>> #debug_options ALL,1 33,2 28,9
>>>
>>> And where must I place the two lines before the last one in order for squid
>>> guard to work?
>>>
>>
>>> Right there where they are in your config will do.
>>
>>> What do you expect SquidGuard to do?
>>
>> At first, I thought squid guard is needed to block file extension,
>> then I discovered that it blocks urls so it is not a bad idea to block
>> porn sites and porn search terms.
> 
>> Ah, I see. Well, if you are new to it I advise to try using squid.conf ACLs first. Sending things to helpers is quite I/O and memory intensive and most of what SG does can be done better by modern Squid.
> 
> Also, SquidGuard specifically is very outdated software and no longer maintained. If you have to do access control in a helper at all it is better to use the external_acl_type interface and other helpers that meet the more specific need.
> 
> Well then, I'll go with your advice and not use prehistoric software.
> 
>>
>>> If Squid itself cannot identify any URLs with "mms://" scheme there
>>> is no hope of SG being passed the non-existent URLs.
>>
>> This I didn't digest!
>>
> 
>> See above with the CONNECT example. *If* the request is actually going through the proxy, the URI as far as Squid can see would be something like "r1---sn-ntqe6n76.googlevideo.com:443", or maybe just a raw-IP and port.
> 
> So what Squid can pass the URI helper is only that origin-form URI, not the encrypted (if HTTPS) or tunneled (if non-HTTP/HTTPS) absolute-URI stuff where the scheme is.
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> 
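What the thread converges on is doing the blocking in squid.conf ACLs, ordered above the client allow rules, and keying on the destination host rather than on a URL scheme that never reaches the proxy. The fragment below is an added example written for this page; it is not code from Marcus, Amos, or the original poster. The domain list, the `localnet` ACL and the ssl_bump lines are assumptions to adapt; `blockfiles` is the poster's own ACL from the quoted config.

```conf
# Added example, not from the thread. Hosts that serve YouTube pages,
# thumbnails and the video streams. A leading dot matches the domain and
# every subdomain, so "r1---sn-ntqe6n76.googlevideo.com" matches
# ".googlevideo.com". Domain list is an assumption; extend it as needed.
acl youtube dstdomain .youtube.com .youtu.be .ytimg.com .googlevideo.com

# For a proxied HTTPS video the only request Squid ever sees is
#   CONNECT r1---sn-ntqe6n76.googlevideo.com:443 HTTP/1.1
# dstdomain is evaluated against that CONNECT host, so one deny covers both
# a plain-http GET and the CONNECT tunnel. A url_regex on "^mms://" can
# never match here: a browser does not send an mms: URL to an HTTP proxy.
http_access deny youtube

# Custom denies sit ABOVE the allow that matches the client. With
# "http_access allow localnet" first, the allow wins and the deny is never
# evaluated. (localnet is the stock squid.conf ACL; assumed to exist.)
http_access deny blockfiles
http_access allow localnet
http_access allow localhost
http_access deny all

# Optional, only if http_port is configured with ssl-bump and a CA cert:
# peeking at step 1 exposes the TLS SNI, so traffic where the CONNECT target
# is a raw IP (e.g. intercepted clients) can still be matched by server name.
# acl step1 at_step SslBump1
# ssl_bump peek step1
# acl youtube_sni ssl::server_name .youtube.com .googlevideo.com
# ssl_bump terminate youtube_sni
# ssl_bump splice all
```

Two checks after reloading: `squid -k parse` to confirm the ACL names resolve, then watch access.log for a `TCP_DENIED/403 ... CONNECT r1---...googlevideo.com:443` line while loading a video. If the video still plays with no such line, the client is not sending that traffic through the proxy at all (a direct route, or QUIC on UDP 443 that the proxy never sees), which is a firewall question rather than a squid.conf one.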

