[squid-users] Block some web to a group of ip and allow the rest.
erdosain9
erdosain9 at gmail.com
Fri Feb 23 15:45:00 UTC 2018
Hi to all.
I'm trying to block some websites for a group of IPs.
[root at squid ips]# cat i-restringidos.lst
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128
This same IP group has access to the whole internet.
[root at squid ips]# cat prensa_isla.lst
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128
This is what I want to block:
[root at squid listas]# cat restringidos.lst
.whatsapp.com
.facebook.com
.instagram.com
.twitter.com
(So I have these 2 ACLs with the same IPs: one to deny, the other to allow.)
So this is my config... and it's not working. Some help?? Thanks!
# Source-address ACLs: one named client group per office. A value in ASCII
# double quotes tells Squid to load the ACL entries from that file.
# i-restringidos is the group that should lose access to the social-network
# domains (see the "http_access deny i-restringidos restringidos" rule).
acl i-restringidos src "/etc/squid/ips/i-restringidos.lst"
acl logistica src "/etc/squid/ips/logistica.lst"
acl adminis src "/etc/squid/ips/adminis.lst"
acl institucionales src "/etc/squid/ips/institucionales.lst"
acl patriysumi src "/etc/squid/ips/patriysumi.lst"
acl rrhh src "/etc/squid/ips/rrhh.lst"
acl proyecto src "/etc/squid/ips/proyecto.lst"
acl programas_y_activ src "/etc/squid/ips/programas_y_activ.lst"
acl auditoria src "/etc/squid/ips/auditoria.lst"
acl legales src "/etc/squid/ips/legales.lst"
acl proteccion src "/etc/squid/ips/proteccion.lst"
acl oe src "/etc/squid/ips/oe.lst"
# Per the listings in this post, prensa_isla.lst holds the same seven
# addresses as i-restringidos.lst, so the two ACLs match the same clients.
acl prensa-isla src "/etc/squid/ips/prensa_isla.lst"
#acl red6 src "/etc/squid/ips/red6.lst"
# Whole subnets given inline instead of through a list file.
acl red6 src 192.168.6.0/24 #for network 6
acl red2 src 192.168.2.0/24 #network 2
####Blocks advertising ( http://pgl.yoyo.org/adservers/ )
# dstdom_regex matches the destination host name against the regular
# expressions listed in the file.
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
# http_access rules are evaluated in file order, so this deny is checked
# before every other access rule in the configuration.
http_access deny ads
#deny_info TCP_RESET ads
####Streaming
# url_regex tests the whole request URL; -i makes the match case-insensitive.
# Repeating an ACL name adds alternatives: "youtube" matches when any one of
# its four patterns matches.
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
# NOTE(review): "?" is a regex quantifier here (optional "h"), not a literal
# question mark, so this matches any URL containing "watc". "watch\?" was
# probably intended - confirm.
acl youtube url_regex -i watch?
# Unanchored substring: matches any URL containing "youtube" anywhere.
acl youtube url_regex -i youtube
# Unanchored substring as well: any URL containing "facebook".
acl facebook url_regex -i facebook
# .mp4 / .jpg objects with a query string under /v/ on fbcdn.net and akamaihd.net.
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?
##Denied domains
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"
##Test-page block
# NOTE(review): blockprueba is defined but no rule in the posted config uses it.
acl blockprueba dstdomain "/etc/squid/listas/blockprueba.lst"
##Blocked extensions
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"
##Dangerous extensions
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"
##Social networks
# NOTE(review): the path below is wrapped in typographic quotes rather than
# ASCII double quotes ("). Squid only treats an ASCII-quoted value as a file to
# load, so as written this ACL would not be filled from restringidos.lst and
# the deny rule that uses it would never match those domains. This may be an
# artefact of the mail client - compare with the real squid.conf and check the
# output of `squid -k parse`.
acl restringidos dstdomain “/etc/squid/listas/restringidos.lst”
#Ports
# SSL_ports: destination ports meant to be acceptable for CONNECT tunnels.
# Safe_ports: destination ports meant to be acceptable for any request.
# NOTE(review): neither list, nor the CONNECT ACL, appears in any http_access
# rule of the posted config, so they currently restrict nothing. The stock
# squid.conf enforces them with `http_access deny !Safe_ports` and
# `http_access deny CONNECT !SSL_ports` placed before the allow rules.
# Every extra SSL_ports entry widens what a CONNECT tunnel may reach once
# that guard is in place, so keep the list to ports that are really needed.
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
#acl SSL_ports port 30666
#acl SSL_ports port 31666
acl SSL_ports port 10000
acl SSL_ports port 10040 # webmin web site
acl SSL_ports port 2083
acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
# Matches the CONNECT request method (used for HTTPS tunnels).
acl CONNECT method CONNECT
# http_access rules are checked top to bottom; the first rule whose ACLs all
# match decides the request. ACLs on one line are ANDed, "!" negates an ACL.
# Cache-manager requests are accepted from the proxy host only.
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# NOTE(review): there is no `http_access deny !Safe_ports` or
# `http_access deny CONNECT !SSL_ports` in this list, although both port ACLs
# are defined earlier in the file. Without them, any client allowed below can
# request or tunnel to any destination port through the proxy.
# Deny the social-network domains to the restricted clients. This rule has to
# stay above "allow prensa-isla": both ACLs list the same addresses and the
# first matching rule wins. It only works if the restringidos ACL really
# loads its domain list (its definition uses typographic quotes in this post).
http_access deny i-restringidos restringidos
# prensa-isla, red6 and red2 are allowed without the dominios_denegados /
# multimedia / peligrosos filters that the other groups get.
http_access allow prensa-isla
http_access allow red6
http_access allow red2
http_access allow logistica !dominios_denegados !multimedia !peligrosos
# adminis is filtered by the denied-domain list only.
http_access allow adminis !dominios_denegados
# NOTE(review): the next rule is split over two lines in this post, probably
# by mail wrapping. In squid.conf "!multimedia" must sit on the same line as
# its rule; a line starting with "!" would not parse as a directive.
http_access allow institucionales !dominios_denegados !peligrosos
!multimedia
http_access allow patriysumi !multimedia !peligrosos !dominios_denegados
http_access allow proyecto !dominios_denegados !peligrosos !multimedia
http_access allow rrhh !dominios_denegados !peligrosos !multimedia
# NOTE(review): wrapped in the post in the same way; keep it on one line.
http_access allow programas_y_activ !dominios_denegados !peligrosos
!multimedia
http_access allow auditoria !dominios_denegados !peligrosos !multimedia
http_access allow legales !dominios_denegados !peligrosos !multimedia
http_access allow proteccion !dominios_denegados !peligrosos !multimedia
http_access allow oe !dominios_denegados !peligrosos !multimedia
# Default deny: anything not matched above is refused.
http_access deny all
# Loopback listener, plain proxy port.
http_port 127.0.0.1:3128
# LAN listener with SSL-Bump: Squid generates a certificate per host, signed
# with the CA in myca.pem, so it can decrypt client TLS traffic.
# The directive is wrapped over three lines in this post; in squid.conf it is
# a single line.
# NOTE(review): cert= and key= name the same file, so myca.pem holds the CA
# private key. Anyone able to read it can issue certificates that every
# client trusting this CA will accept; keep it readable by the Squid user
# only (file permissions are not shown in the post).
http_port 192.168.1.97:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem
key=/etc/squid/ssl_cert/myca.pem
# step1 matches the first SSL-Bump processing step.
acl step1 at_step SslBump1
# Server names (regexes from the file) that must not be decrypted.
acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"
# Peek at step 1, splice (tunnel without decrypting) the excluded servers,
# bump (decrypt) everything else.
# NOTE(review): for spliced connections Squid presumably sees only the host
# name, so the url_regex / urlpath_regex ACLs cannot match their paths - confirm.
ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all
# Disk cache: diskd store under /var/spool/squid, 15000 MB, 16 first-level and
# 256 second-level directories.
cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB
# Low / high water marks (percent of cache size) for object replacement.
cache_swap_low 75
cache_swap_high 85
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#My refresh pattern
#forces caching of .jpg images
# NOTE(review): ignore-no-store and ignore-private make this shared cache keep
# responses that the origin marked as not storable or private. With ssl_bump
# decrypting HTTPS, one user's private image could then be served to another
# user from cache. ignore-no-cache is reportedly obsolete in newer Squid
# releases - confirm against the installed version.
# The directive is wrapped over two lines in this post; keep it on one line.
refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
ignore-private
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Never treat dynamic content (cgi-bin paths or URLs with a query) as fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
# Catch-all for everything else.
refresh_pattern . 0 20% 4320
# Hide the proxy from origin servers: no Via header is added and
# X-Forwarded-For is removed from forwarded requests.
via off
forwarded_for delete
# Strip the listed headers from requests sent to origin servers.
# NOTE(review): Server, WWW-Authenticate, X-Cache and X-Cache-Lookup are
# normally response headers. request_header_access filters requests only, so
# those lines likely have no effect (reply_header_access covers responses) -
# confirm the intent. Removing Cache-Control and Pragma also discards the
# clients' own forced-reload hints.
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
# Fifteen delay pools (bandwidth limits). "delay_class N C" sets the class of
# pool N: class 1 has one aggregate bucket, class 2 adds a per-host bucket.
# delay_parameters pairs are restore-rate/bucket-size, in bytes.
# Each pool's delay_access list ends with "deny all", so a request uses a pool
# only when one of that pool's allow lines matches.
# NOTE(review): red6 and red2 are allowed by http_access but appear in no
# delay_access line, so their traffic is not rate-limited - confirm intent.
delay_pools 15
#Limit YouTube
delay_class 1 2
delay_parameters 1 2000000/2000000 100000/1000000
delay_access 1 allow adminis youtube !facebook
delay_access 1 allow logistica youtube !facebook
delay_access 1 allow institucionales youtube !facebook
delay_access 1 allow patriysumi youtube !facebook
delay_access 1 allow rrhh youtube !facebook
delay_access 1 allow proyecto youtube !facebook
delay_access 1 allow programas_y_activ youtube !facebook
delay_access 1 allow auditoria youtube !facebook
delay_access 1 allow legales youtube !facebook
delay_access 1 allow oe youtube !facebook
delay_access 1 allow proteccion youtube !facebook
delay_access 1 deny all
#Limit Facebook
delay_class 2 2
delay_parameters 2 2000000/2000000 100000/1000000
delay_access 2 allow adminis facebook !youtube
delay_access 2 allow logistica facebook !youtube
delay_access 2 allow institucionales facebook !youtube
delay_access 2 allow patriysumi facebook !youtube
delay_access 2 allow rrhh facebook !youtube
delay_access 2 allow proyecto facebook !youtube
delay_access 2 allow programas_y_activ facebook !youtube
delay_access 2 allow auditoria facebook !youtube
delay_access 2 allow legales facebook !youtube
delay_access 2 allow oe facebook !youtube
delay_access 2 allow proteccion facebook !youtube
delay_access 2 deny all
#Limit video streaming to 500k
# NOTE(review): the parameters below are 3000000/3000000, which does not match
# the "500k" in the heading - confirm which value is intended.
delay_class 3 1
delay_parameters 3 3000000/3000000
delay_access 3 allow prensa-isla youtube !facebook
delay_access 3 deny all
#Bandwidth: Administration
delay_class 4 2
delay_parameters 4 1000000/1000000 350000/750000
delay_access 4 allow adminis !youtube !facebook
delay_access 4 deny all
#Bandwidth: Logistics
delay_class 5 2
delay_parameters 5 1000000/1000000 350000/750000
delay_access 5 allow logistica !youtube !facebook
delay_access 5 deny all
#Bandwidth: Institutional
delay_class 6 2
delay_parameters 6 1000000/1000000 350000/750000
delay_access 6 allow institucionales !youtube !facebook
delay_access 6 deny all
#Bandwidth: Assets and Supplies
delay_class 7 2
delay_parameters 7 1000000/1000000 350000/750000
delay_access 7 allow patriysumi !youtube !facebook
delay_access 7 deny all
#Bandwidth: HR
delay_class 8 2
delay_parameters 8 1000000/1000000 350000/750000
delay_access 8 allow rrhh !youtube !facebook
delay_access 8 deny all
#Bandwidth: Project
delay_class 9 2
delay_parameters 9 1000000/1000000 350000/750000
delay_access 9 allow proyecto !youtube !facebook
delay_access 9 deny all
#Bandwidth: programas_y_activ
delay_class 10 2
delay_parameters 10 1000000/1000000 350000/750000
delay_access 10 allow programas_y_activ !youtube !facebook
delay_access 10 deny all
#Bandwidth: Audit
delay_class 11 2
delay_parameters 11 1000000/1000000 350000/750000
delay_access 11 allow auditoria !youtube !facebook
delay_access 11 deny all
#Bandwidth: Legal
delay_class 12 2
delay_parameters 12 1000000/1000000 350000/750000
delay_access 12 allow legales !youtube !facebook
delay_access 12 deny all
#Bandwidth: Protection
delay_class 13 2
delay_parameters 13 1000000/1000000 350000/750000
delay_access 13 allow proteccion !youtube !facebook
delay_access 13 deny all
#Bandwidth: prensa-isla
delay_class 14 2
delay_parameters 14 2000000/2000000 512000/2000000
delay_access 14 allow prensa-isla !youtube !facebook
delay_access 14 deny all
#Bandwidth: OE
delay_class 15 2
delay_parameters 15 1000000/1000000 350000/750000
delay_access 15 allow oe !youtube !facebook
delay_access 15 deny all
# Resolvers Squid queries directly for destination lookups.
dns_nameservers 192.168.1.222 192.168.1.107
# Host name Squid reports for itself (for example in its error pages).
visible_hostname squid.mydomain.lan
# try connecting to first 25 ips of a domain name
forward_max_tries 25
# Prefer IPv4 addresses when contacting a destination.
dns_v4_first on
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html