[squid-users] block user agent
Vieri
rentorbuy at yahoo.com
Tue Nov 21 10:06:38 UTC 2017
________________________________
From: Amos Jeffries <squid3 at treenet.co.nz>
>
> http_access allow goodAgents !baddomains (AND)
>
> If the first line matches the allow happens.
> otherwise deny happens
>
> ie. goodAgents are only allowed to non-baddomains. All non-goodAgents
> are denied to everything.
>From this I deduce that in my case I cannot use "http_access allow goodAgents", but I need to go for "http_access deny !goodAgents" so I can continue on evaluating the rest of my http_access rules.
> Allowing them all the way through Squid is bad. But that is not what is
> needed here. ssl_bump rules get applied after the CONNECT is accepted
> *in* for proxy processing and they decide what happens to the tunneled
> data based on what is found there.
> If bumping is decided the TLS gets removed and the messages inside
> individually go through the http_access process.
You lost me there. Here's what I did today.
I took your advice (and Alex's), and renamed my ACL labels. Unfortunately, I'm still a little confused :-(.
Here's part of the new Squid config (I took away the "allow all connect messages"):
# grep -v ^# /etc/squid/squid.test.include.rules | grep -v ^$
external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy-server1.mydomain.org at mydomain.org
auth_param negotiate children 60
auth_param negotiate keep_alive on
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl ORG_all proxy_auth REQUIRED
external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv
acl privileged_src_ips src "/opt/custom/proxy-settings/allowed.ips"
acl privileged_extra1_src_ips src "/opt/custom/proxy-settings/allowed.extra1.ips"
acl privileged_user_groups external nt_group "/opt/custom/proxy-settings/allowed.groups"
acl good_dst_domains dstdomain "/opt/custom/proxy-settings/allowed.domains"
acl good_dst_domains_with_any_filetype dstdomain "/opt/custom/proxy-settings/allowed.domains.filetypes"
acl good_dst_domains_with_any_mimetype dstdomain "/opt/custom/proxy-settings/allowed.domains.mimetypes"
acl bad_dst_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl limited_dst_domains_1 dstdomain -i "/opt/custom/proxy-settings/denied.extra1.domains"
acl bad_ads url_regex "/opt/custom/proxy-settings/denied.ads"
acl bad_filetypes urlpath_regex -i "/opt/custom/proxy-settings/denied.filetypes"
acl bad_requested_mimetypes req_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl limited_requested_mimetypes_1 req_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl bad_replied_mimetypes rep_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl limited_replied_mimetypes_1 rep_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl restricted_requested_mimetypes_1 req_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl restricted_replied_mimetypes_1 rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl restricted_good_dst_domains_1 dstdomain -i "/opt/custom/proxy-settings/allowed.restricted1.domains"
acl restricted_src_ips_1 dst "/opt/custom/proxy-settings/allowed.restricted1.ips"
acl explicit_only_src_ips src "/opt/custom/proxy-settings/restricted.ips"
acl explicit_only_user_groups external nt_group "/opt/custom/proxy-settings/restricted.groups"
acl explicit_only_dst_domains dstdomain "/opt/custom/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl bad_urlshorteners dstdomain -i "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"
acl redirected_domain_1 dstdomain .somedomain.com
acl good_useragents browser Firefox/
acl good_useragents browser Edge/
acl src_ips_with_any_useragent src "/opt/custom/proxy-settings/allowed.useragents.ips"
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny !good_useragents !src_ips_with_any_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents good_useragents
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents src_ips_with_any_useragent
http_access allow localnet !explicit_only_src_ips good_dst_domains
http_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips good_dst_domains
http_access allow explicit_only_src_ips explicit_only_dst_domains
http_access deny explicit_only_src_ips
http_access deny redirected_domain_1
deny_info 302:http://www.google.es redirected_domain_1
http_access deny !privileged_src_ips bad_urlshorteners
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_urlshorteners bad_urlshorteners
http_access allow restricted_requested_mimetypes_1 restricted_good_dst_domains_1
http_access allow restricted_requested_mimetypes_1 restricted_src_ips_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_good_dst_domains_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_src_ips_1
http_access allow limited_requested_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_reply_access allow limited_replied_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_access deny restricted_requested_mimetypes_1
http_reply_access deny restricted_replied_mimetypes_1
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_replied_mimetypes_1
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_requested_mimetypes_1
http_access deny limited_requested_mimetypes_1
http_reply_access deny limited_replied_mimetypes_1
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_requested_mimetypes_1
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_replied_mimetypes_1
http_access deny !privileged_src_ips bad_dst_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains bad_dst_domains
http_access allow privileged_extra1_src_ips limited_dst_domains_1
http_access deny limited_dst_domains_1
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=limited_dst_domains_1 limited_dst_domains_1
http_access deny bad_filetypes !good_dst_domains_with_any_filetype
http_reply_access deny bad_filetypes !good_dst_domains_with_any_filetype
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_filetypes bad_filetypes
http_access deny bad_requested_mimetypes !good_dst_domains_with_any_mimetype
http_reply_access deny bad_replied_mimetypes !good_dst_domains_with_any_mimetype
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_requested_mimetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_replied_mimetypes
http_access allow localnet bl_lookup
#debug_options rotate=1 28,3
debug_options rotate=1 ALL,2
append_domain .mydomain.org
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
include /etc/squid/squid.include.common
include /etc/squid/squid.include.hide
cache_mem 32 MB
max_filedescriptors 65536
icap_service_failure_limit -1
Here's what I do from a client:
curl --insecure --user-agent Firefox/57 https://www.gentoo.org/
Here's what I get with 28,3 debug options:
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(70) preCheck: 0xeb47c8 checking slow rules
2017/11/21 10:02:24.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(63) markFinished: 0xeb47c8 answer ALLOWED for match
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xeb47c8 answer=ALLOWED
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(70) preCheck: 0x13450c8 checking slow rules
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: Safe_ports = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: !Safe_ports = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: CONNECT = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: SSL_ports = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: !SSL_ports = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 0
2017/11/21 10:02:24.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' NOT found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: localhost = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#3 = 0
2017/11/21 10:02:24.278 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking '89.16.167.134:443'
2017/11/21 10:02:24.278 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^cache_object://)'
2017/11/21 10:02:24.278 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^https?://[^/]+/squid-internal-mgr/)'
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: manager = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#4 = 0
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(34) match: aclMatchStringList: checking '3229'
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(37) match: aclMatchStringList: '3229' NOT found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: explicit = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#5 = 0
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(34) match: aclMatchStringList: checking '3229'
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(37) match: aclMatchStringList: '3229' NOT found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: explicit = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#6 = 0
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(34) match: aclMatchStringList: checking '3229'
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(37) match: aclMatchStringList: '3229' NOT found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: intercepted = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#7 = 0
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(34) match: aclMatchStringList: checking '3229'
2017/11/21 10:02:24.278 kid1| 28,3| StringData.cc(37) match: aclMatchStringList: '3229' found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: interceptedssl = 1
2017/11/21 10:02:24.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: localnet = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: !localnet = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#8 = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: good_useragents = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: !good_useragents = 1
2017/11/21 10:02:24.278 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' NOT found
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: src_ips_with_any_useragent = 0
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: !src_ips_with_any_useragent = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access#9 = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(63) markFinished: 0x13450c8 answer DENIED for match
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x13450c8 answer=DENIED
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffd4e3e2530 checking fast ACLs
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.test.log line) = 1
2017/11/21 10:02:24.278 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.test.log = 1
2017/11/21 10:02:24.278 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffd4e3e2530 answer ALLOWED for match
2017/11/21 10:02:24.288 kid1| 28,3| Checklist.cc(70) preCheck: 0xeb47c8 checking slow rules
2017/11/21 10:02:24.288 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: localnet = 1
2017/11/21 10:02:24.288 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' NOT found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: explicit_only_src_ips = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: !explicit_only_src_ips = 1
2017/11/21 10:02:24.288 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' NOT found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: privileged_src_ips = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#1 = 0
2017/11/21 10:02:24.288 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: localnet = 1
2017/11/21 10:02:24.288 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '10.215.144.48' NOT found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: explicit_only_src_ips = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: !explicit_only_src_ips = 1
2017/11/21 10:02:24.288 kid1| 28,3| DomainData.cc(108) match: aclMatchDomainList: checking 'www.gentoo.org'
2017/11/21 10:02:24.288 kid1| 28,3| DomainData.cc(113) match: aclMatchDomainList: 'www.gentoo.org' NOT found
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: good_dst_domains = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#2 = 0
2017/11/21 10:02:24.288 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.288 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/octet-stream$)'
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: restricted_replied_mimetypes_1 = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#3 = 0
2017/11/21 10:02:24.288 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.288 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/octet-stream$)'
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: restricted_replied_mimetypes_1 = 0
2017/11/21 10:02:24.288 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#4 = 0
2017/11/21 10:02:24.288 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/mp21$)|(^application/mp4$)|(^application/vnd.rn-realmedia$)|(^application/vnd.tmobile-livetv$)|(^audio/)|(^video/)'
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: limited_replied_mimetypes_1 = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#5 = 0
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/octet-stream$)'
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: restricted_replied_mimetypes_1 = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#6 = 0
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/mp21$)|(^application/mp4$)|(^application/vnd.rn-realmedia$)|(^application/vnd.tmobile-livetv$)|(^audio/)|(^video/)'
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: limited_replied_mimetypes_1 = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#7 = 0
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking '/'
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(\.ade(\?.*)?$)|(\.adp(\?.*)?$)|(\.app(\?.*)?$)|(\.asd(\?.*)?$)|(\.asf(\?.*)?$)|(\.asx(\?.*)?$)|(\.avi(\?.*)?$)|(\.bas(\?.*)?$)|(\.bat(\?.*)?$)|(\.cab(\?.*)?$)|(\.chm(\?.*)?$)|(\.cmd(\?.*)?$)|(\.cpl(\?.*)?$)|(\.dll$)|(\.exe(\?.*)?$)|(\.fxp(\?.*)?$)|(\.hlp(\?.*)?$)|(\.hta(\?.*)?$)|(\.hto(\?.*)?$)|(\.inf(\?.*)?$)|(\.ini(\?.*)?$)|(\.ins(\?.*)?$)|(\.iso(\?.*)?$)|(\.isp(\?.*)?$)|(\.jse(.?)(\?.*)?$)|(\.jse(\?.*)?$)|(\.lib(\?.*)?$)|(\.lnk(\?.*)?$)|(\.mar(\?.*)?$)|(\.mdb(\?.*)?$)|(\.mde(\?.*)?$)|(\.mp3(\?.*)?$)|(\.mpeg(\?.*)?$)|(\.mpg(\?.*)?$)|(\.msc(\?.*)?$)|(\.msi(\?.*)?$)|(\.msp(\?.*)?$)|(\.mst(\?.*)?$)|(\.ocx(\?.*)?$)|(\.pcd(\?.*)?$)|(\.pif(\?.*)?$)|(\.prg(\?.*)?$)|(\.reg(\?.*)?$)|(\.scr(\?.*)?$)|(\.sct(\?.*)?$)|(\.sh(\?.*)?$)|(\.shb(\?.*)?$)|(\.shs(\?.*)?$)|(\.sys(\?.*)?$)|(\.url(\?.*)?$)|(\.vb(\?.*)?$)|(\.vbe(\?.*)?$)|(\.vbs(\?.*)?$)|(\.vcs(\?.*)?$)|(\.vxd(\?.*)?$)|(\.wmd(\?.*)?$)|(\.wms(\?.*)?$)|(\.wmv(\?.*)?$)|(\.wmz(\?.*)?$)|(\.wsc(\?.*)?$)|(\.wsf(\?.*)?$)|(\.wsh(\?.*)?$)'
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: bad_filetypes = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#8 = 0
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(51) match: aclRegexData::match: checking 'text/html;charset=utf-8'
2017/11/21 10:02:24.289 kid1| 28,3| RegexData.cc(62) match: aclRegexData::match: looking for '(^application/ecmascript$)|(^application/mp21$)|(^application/mp4$)|(^application/oebps-package+xml$)|(^application/vnd.amazon.ebook$)|(^application/vnd.android.package-archive$)|(^application/vnd.gmx$)|(^application/vnd.google-earth.kml+xml$)|(^application/vnd.google-earth.kmz$)|(^application/vnd.ms-cab-compressed$)|(^application/vnd.ms-excel.addin.macroenabled.12$)|(^application/vnd.ms-excel.sheet.binary.macroenabled.12$)|(^application/vnd.ms-excel.sheet.macroenabled.12$)|(^application/vnd.ms-excel.template.macroenabled.12$)|(^application/vnd.ms-powerpoint.addin.macroenabled.12$)|(^application/vnd.ms-powerpoint.presentation.macroenabled.12$)|(^application/vnd.ms-powerpoint.slide.macroenabled.12$)|(^application/vnd.ms-powerpoint.slideshow.macroenabled.12$)|(^application/vnd.ms-powerpoint.template.macroenabled.12$)|(^application/vnd.ms-wpl$)|(^application/vnd.ms.wms-hdr.asfv1$)|(^application/vnd.realvnc.bed$)|(^application/vnd.rn-realmedia$)|(^application/vnd.tmobile-livetv$)|(^application/x-authorware-bin$)|(^application/x-cab$)|(^application/x-iso9660-image$)|(^application/x-mms-framed$)|(^application/x-ms-wm$)|(^application/x-msdos-program$)|(^application/x-msdownload$)|(^application/x-shar$)|(^application/x-vbs$)|(^audio/)|(^text/vbs$)|(^text/vbscript$)|(^video/)'
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: bad_replied_mimetypes = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access#9 = 0
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: http_reply_access = 0
2017/11/21 10:02:24.289 kid1| 28,3| Checklist.cc(386) calcImplicitAnswer: 0xeb47c8 NO match found, last action DENIED so returning ALLOWED
2017/11/21 10:02:24.289 kid1| 28,3| Checklist.cc(63) markFinished: 0xeb47c8 answer ALLOWED for implicit rule won
2017/11/21 10:02:24.289 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xeb47c8 answer=ALLOWED
2017/11/21 10:02:24.289 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffd4e3e2660 checking fast ACLs
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.test.log line) = 1
2017/11/21 10:02:24.289 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.test.log = 1
2017/11/21 10:02:24.289 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffd4e3e2660 answer ALLOWED for match
It seems that Squid decides to ALLOW, right?
Now, here's the log with ALL,2:
2017/11/21 10:07:01.079 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New connection on FD 93
2017/11/21 10:07:01.079 kid1| 5,2| TcpAcceptor.cc(295) acceptNext: connection on local=[::]:3229 remote=[::] FD 93 flags=25
2017/11/21 10:07:01.079 kid1| 33,2| client_side.cc(3943) httpsSslBumpAccessCheckDone: sslBump needed for local=89.16.167.134:443 remote=10.215.144.48 FD 13 flags=17 method 4
2017/11/21 10:07:01.079 kid1| 11,2| client_side.cc(2372) parseHttpRequest: HTTP Client local=89.16.167.134:443 remote=10.215.144.48 FD 13 flags=17
2017/11/21 10:07:01.079 kid1| 11,2| client_side.cc(2373) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 89.16.167.134:443 HTTP/1.1
Host: 89.16.167.134:443
----------
2017/11/21 10:07:01.079 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 89.16.167.134:443 is DENIED; last ACL checked: src_ips_with_any_useragent
2017/11/21 10:07:01.079 kid1| 20,2| store.cc(996) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/11/21 10:07:01.079 kid1| 20,2| store.cc(996) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/11/21 10:07:01.079 kid1| 20,2| store.cc(996) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/11/21 10:07:01.089 kid1| 83,2| client_side.cc(3843) clientNegotiateSSL: clientNegotiateSSL: New session 0x13c6250 on FD 13 (10.215.144.48:42279)
2017/11/21 10:07:01.090 kid1| 11,2| client_side.cc(2372) parseHttpRequest: HTTP Client local=89.16.167.134:443 remote=10.215.144.48 FD 13 flags=17
2017/11/21 10:07:01.090 kid1| 11,2| client_side.cc(2373) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.gentoo.org
User-Agent: Firefox/57
Accept: */*
----------
2017/11/21 10:07:01.090 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://www.gentoo.org/ is ALLOWED, because it matched bad_replied_mimetypes
2017/11/21 10:07:01.090 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client local=89.16.167.134:443 remote=10.215.144.48 FD 13 flags=17
2017/11/21 10:07:01.090 kid1| 11,2| client_side.cc(1410) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 307 Temporary Redirect
Server: squid
Mime-Version: 1.0
Date: Tue, 21 Nov 2017 09:07:01 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: http://proxy-server1/proxy-error/?a=-&B=&e=0&E=%5BNo%20Error%5D&H=89.16.167.134&i=10.215.144.48&M=CONNECT&o=&R=/&T=Tue,%2021%20Nov%202017%2009%3A07%3A01%20GMT&U=https%3A%2F%2F89.16.167.134%2F*&u=89.16.167.134%3A443&w=IT%40mydomain.org&x=&acl=bad_useragents
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy-server1
X-Cache-Lookup: NONE from proxy-server1:3227
Connection: close
----------
2017/11/21 10:07:01.090 kid1| 33,2| client_side.cc(832) swanSong: local=89.16.167.134:443 remote=10.215.144.48 flags=17
2017/11/21 10:07:01.090 kid1| 20,2| store.cc(996) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/11/21 10:07:01.090 kid1| 20,2| store.cc(996) checkCachable: StoreEntry::checkCachable: NO: not cachable
Isn't the message "The request CONNECT 89.16.167.134:443 is DENIED" what I should be concentrating on?
Isn't that the root cause?
In another message, you mentioned that I should notice that Squid reports another ACL name (in this case, after the name change, it's "bad_replied_mimetypes").
In any case, the message "The reply for GET https://www.gentoo.org/ is ALLOWED" means that Squid should ALLOW, right?
However, why do I get a 307 redirect to a deny_info page (where incidentally the URL refers to bad_useragents, not bad_replied_mimetypes)?
I can't seem to clear this out and make it work without adding "http_access allow CONNECT SSL_ports" right before checking for the useragent.
Help greatly appreciated.
Vieri
More information about the squid-users
mailing list