[squid-users] Block some web to a group of ip and allow the rest.
Amos Jeffries
squid3 at treenet.co.nz
Sat Feb 24 10:01:07 UTC 2018
On 24/02/18 04:45, erdosain9 wrote:
> Hi to all.
> I'm trying to block some web sites for an IP group.
>
> [root at squid ips]# cat i-restringidos.lst
> 192.168.1.42
> 192.168.1.43
> 192.168.1.44
> 192.168.1.45
> 192.168.1.99
> 192.168.1.50
> 192.168.1.128
>
> This same ip group has access to all internet.
> [root at squid ips]# cat prensa_isla.lst
> 192.168.1.42
> 192.168.1.43
> 192.168.1.44
> 192.168.1.45
> 192.168.1.99
> 192.168.1.50
> 192.168.1.128
If they are really the same, then it is better to use one ACL name
instead of two like that.
Using one will help you see more clearly what your config is actually
doing for those IPs, and also make it impossible to accidentally
configure something that can never happen.
Like "i-restringidos !prensa_isla".
>
> This is what i want to block
> [root at squid listas]# cat restringidos.lst
> .whatsapp.com
> .facebook.com
> .instagram.com
> .twitter.com
>
>
> (so I have these 2 ACLs with the same IPs, one for deny, the other to allow.)
>
> So this is my config... and it's not working. Some help?? Thanks!
>
That is a very complicated setup you have. Below are some
simplifications you can make to shorten it and make it easier to read
what is going on...
>
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> http_access deny i-restringidos restringidos
The above line does exactly what you are asking for.
The only problem that could happen is that the clients in i-restringidos
are not doing what you think they are.
Perhaps they are actually:
a) not using your proxy to contact those sites,
and/or
b) using a protocol that skips through the proxy.
For example, using SPDY, QUIC, WebSockets etc. instead of HTTP.
and/or,
c) using a domain name (or raw IP address) not on your list.
For example, most Facebook traffic usually comes from fbcdn.net;
"Facebook.com" is just the brand name and front page(s).
> http_access allow prensa-isla
> http_access allow red6
> http_access allow red2
All the below lines have !dominios_denegados. So you can add this here:
http_access deny dominios_denegados
... then remove all the "!dominios_denegados".
> http_access allow logistica !multimedia !peligrosos
> http_access allow adminis
All the below lines have "!peligrosos". So you can do the same again:
http_access deny peligrosos
And again with !multimedia; ...
http_access deny multimedia
... leaving the remainder looking like this:
http_access allow institucionales
http_access allow patriysumi
http_access allow proyecto
http_access allow rrhh
http_access allow programas_y_activ
http_access allow auditoria
http_access allow legales
http_access allow proteccion
http_access allow oe
http_access deny all
>
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private
The ignore-no-cache parameter no longer exists. Please remove.
>
> request_header_access From deny all
> request_header_access Server deny all
> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
The Server, X-Cache, X-Cache-Lookup headers are not request headers.
Those lines are pointless.
The Proxy-Connection header is obsolete and automatically stripped by
all current Squid. No need to do anything for it either.
The Keep-Alive header is hop-by-hop and stripped by Squid without having
any effect.
The Pragma header is mandatory for HTTP proxies to ignore except in the
rare case of "Pragma:no-cache". Current Squid are HTTP/1.1 so even that
matters even more rarely. Almost all traffic will ignore this header.
Also, these directives do not in any way affect how your Squid
interprets those headers. All it does is erase them from traffic going
to servers, which in the case of Pragma is mandatory to pass on exactly
as received. Right now you are breaking all HTTP/1.0 caches across the
Internet between your proxy and the origin server.
>
> delay_pools 15
> #Limitar Youtube
> delay_class 1 2
> delay_parameters 1 2000000/2000000 100000/1000000
Two things about these delay rules:
1) Youtube and Facebook are different companies and services. So
traffic going to YouTube cannot simultaneously be going to Facebook.
That makes the Facebook part of the check pointless.
2) All of the below lines have "youtube !facebook". Like with
http_access simplification you can make these rules vastly simpler by
checking for the forbidden property and rejecting based on that before
any allow rules.
So, combining the two details mentioned above, you can make this your
first rule:
delay_access 1 deny !youtube
... then remove the "youtube !facebook" part from all the below lines:
> delay_access 1 allow adminis youtube !facebook
> delay_access 1 allow logistica youtube !facebook
> delay_access 1 allow institucionales youtube !facebook
> delay_access 1 allow patriysumi youtube !facebook
> delay_access 1 allow rrhh youtube !facebook
> delay_access 1 allow proyecto youtube !facebook
> delay_access 1 allow programas_y_activ youtube !facebook
> delay_access 1 allow auditoria youtube !facebook
> delay_access 1 allow legales youtube !facebook
> delay_access 1 allow oe youtube !facebook
> delay_access 1 allow proteccion youtube !facebook
> delay_access 1 deny all
Then you get to decide, are there any clients allowed to use the proxy
which are not in those allow rules?
If the answer is yes, you can replace all of those allow lines with
"allow all" and remove the "deny all" line.
>
> #Limitar Facebook
> delay_class 2 2
> delay_parameters 2 2000000/2000000 100000/1000000
> delay_access 2 allow adminis facebook !youtube
> delay_access 2 allow logistica facebook !youtube
> delay_access 2 allow institucionales facebook !youtube
> delay_access 2 allow patriysumi facebook !youtube
> delay_access 2 allow rrhh facebook !youtube
> delay_access 2 allow proyecto facebook !youtube
> delay_access 2 allow programas_y_activ facebook !youtube
> delay_access 2 allow auditoria facebook !youtube
> delay_access 2 allow legales facebook !youtube
> delay_access 2 allow oe facebook !youtube
> delay_access 2 allow proteccion facebook !youtube
> delay_access 2 deny all
Same as with pool #1, but this time make your first line:
delay_access 2 deny facebook
HTH
Amos
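The hoisting simplification described for the http_access block (and, by analogy, the delay_access pools) can be checked mechanically. The script below is an added example, not from the thread or from Squid itself: it parses http_access lines from a constructed squid.conf fragment modelled on the one quoted above, finds every `!acl` negation shared by the whole trailing block of allow rules, and rewrites them as one `deny acl` placed just before that block. The result is behaviourally equivalent because a request matching a hoisted ACL would have fallen through to the final `deny all` anyway.

```python
import re

# Constructed sample squid.conf fragment, modelled on the quoted config.
SAMPLE_CONF = """\
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny i-restringidos restringidos
http_access allow logistica !multimedia !peligrosos !dominios_denegados
http_access allow adminis !peligrosos !dominios_denegados
http_access allow institucionales !multimedia !peligrosos !dominios_denegados
http_access allow rrhh !multimedia !peligrosos !dominios_denegados
http_access deny all
"""

def parse_http_access(conf):
    """Return [(action, [acl tokens])] for each http_access line, in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"http_access\s+(allow|deny)\s+(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return rules

def simplify(rules):
    """Hoist negations shared by the trailing allow block into deny rules.

    Returns (new_rules, hoisted_acl_names).  Only negations present on
    *every* allow line of that block are hoisted; others stay in place.
    """
    end = len(rules) - 1 if rules and rules[-1] == ("deny", ["all"]) else len(rules)
    start = end
    while start > 0 and rules[start - 1][0] == "allow":   # walk back over allows
        start -= 1
    tail = rules[start:end]
    if not tail:
        return rules, []
    shared = {a[1:] for a in tail[0][1] if a.startswith("!")}
    for _, acls in tail[1:]:
        shared &= {a[1:] for a in acls if a.startswith("!")}
    hoisted = sorted(shared)
    new_tail = [("allow", [a for a in acls
                           if not (a.startswith("!") and a[1:] in shared)])
                for _, acls in tail]
    return rules[:start] + [("deny", [h]) for h in hoisted] + new_tail + rules[end:], hoisted

def render(rules):
    """Render rules back into squid.conf syntax."""
    return "\n".join(f"http_access {act} {' '.join(acls)}" for act, acls in rules)

if __name__ == "__main__":
    new_rules, hoisted = simplify(parse_http_access(SAMPLE_CONF))
    print("hoisted:", hoisted)
    print(render(new_rules))
```

Run it against a real squid.conf after the review, and keep `squid -k parse` in the loop to confirm the rewritten block still loads.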