[squid-users] Setting up a Whitelist

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 27 20:59:07 UTC 2018


On 28/06/18 08:21, Donald Muller wrote:
> Hi,
>
> Don’t know if what I want to do is even possible but here is the
> situation. I have Squid set up on my QNAP NAS. It is running fine. I am
> using it with the blacklist and sites get blocked as they should.
> However there a number of sites that I do not want blacklisted so I
> thought I’d set up a whitelist for them. What I did was to add an
> include statement to the squid.conf file. The included file has the
> directives for the whitelist.
>
> Here are my config files.
>
> Squid.conf
>
> # The user name and group name Squid will operate as
>
> cache_effective_user httpdusr
>

The above username requires read access to the included file *and* any
other files which it instructs Squid to load.

That access may be granted through group access to the file, if the above
user is part of a permitted group. Be careful: do not assign Squid to the
root group nor any equivalent on the machine.


...
>  
> 
> acl allnet src all                  # All Net
> 

Why? You are not doing anything like deny_info which might need "allnet".

Using the built-in "all" ACL would be simpler.

> 
> include /usr/local/squid/etc/acl.conf
> 
> include
> /share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.conf
> <-------- I added this line
> 

The only thing to be aware of is order dependence. Squid loads and
operates as if the contents of these files were copy-and-pasted exactly
at the line where the include directive is.

That means any directives like http_access which contain order-specific
behaviours retain those behaviours between files in the specific order
of the include lines.

So, if acl.conf contains "http_access deny blacklist" and whitelist.conf
contains "http_access allow whitelist" then:
 a) blacklist is *still* denying requests before whitelist is even tested.
 b) whitelist.conf is (only) adding a bypass of all the
default/recommended squid.conf security lines

I'm pointing out (b) because you should really only place custom rules
(especially http_access related ones) at the point in squid.conf labeled
"INSERT YOUR OWN RULE(S) HERE".

You have not stated whether you are trying to whitelist against entries
in the blacklist, or against the proxy's default security rules that
prevent unsafe behaviour (i.e. spam email using the proxy as a relay,
non-HTTPS tunnels).
 If you want the former, then the includes need to be done the other way
around (whitelist.conf included first, then acl.conf).
 If you want the latter, then you have it now.


...

> 
> include /usr/local/squid/etc/acl_http.conf
> 
> #http_access allow allnet ncsa_users
> 
> #http_access allow allnet group_administrators
> 
> #http_access allow allnet nas_user

NP: Placing "all" on a line with other ACL checks is a hack to prevent
the authentication process being initiated by lines where the credentials
are known but not allowed certain access. It only works if the "all" is
placed at the RHS end of the line.
 So "allnet" is pointless on the above.


> 
> http_access allow allnet
> 
> #http_access deny allnet
> 
> # And finally deny all other access to this proxy
> 

But "allnet" was defined as "all", which overrides this safety-net
config line and makes your proxy an open proxy by default.
 That would be clearer if you had used "all" instead of the custom "allnet".



> #
> 
> mime_table /usr/local/squid/etc/mime.conf
> 
> pid_filename /usr/local/squid/var/run/squid.pid
> 
> diskd_program /usr/local/squid/libexec/diskd
> 
> unlinkd_program /usr/local/squid/libexec/unlinkd
> 
> icon_directory /usr/local/squid/share/icons
> 
> err_page_stylesheet /usr/local/squid/etc/errorpage.css

None of the above lines should be necessary. If you are custom building
Squid it should be built with ./configure options setting defaults
appropriate for the OS it is going to run on.
You only need these squid.conf directives if you have one or a few files
in really weird placement unusual for the OS.

Same for any directive which is setting default values. You can simplify
the config a huge amount by removing them entirely these days.
(Squid-2.x needed them, Squid-3.x does not).


> whitelist.conf
> 
>  
> 
> acl whitelist dstdomain
> "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
> 
> http_access allow whitelist
> 


Amos
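The two ordering points in the reply above (includes are spliced in place, and http_access is first-match so a "deny blacklist" ahead of "allow whitelist" wins) can be checked without a running Squid by simulating the evaluation. The following is an added example written for this page, not code from the thread or from the Squid project. It models only the src, dstdomain, all and "!" ACL forms, the in-place expansion of include, and Squid's documented rule that the first http_access line whose ACLs all match decides, with the opposite of the last line's action as the fallback. The file paths, domains and addresses are constructed stand-ins, and the "allow localnet / deny all" tail is assumed to sit after the includes as in the poster's squid.conf.

```python
"""Simulate Squid's order-dependent http_access evaluation across included files."""
import ipaddress
import shlex

# Constructed stand-ins for files on disk; paths and domains are assumptions.
FILES = {
    "/etc/squid/acl.conf": (
        'acl blacklist dstdomain "/etc/squid/blacklist.txt"\n'
        "http_access deny blacklist\n"
    ),
    "/etc/squid/whitelist.conf": (
        'acl whitelist dstdomain "/etc/squid/whitelist.txt"\n'
        "http_access allow whitelist\n"
    ),
    "/etc/squid/blacklist.txt": ".ads.example\n.tracker.example\n",
    "/etc/squid/whitelist.txt": ".tracker.example\n",
}


def expand(path, files):
    """Yield tokenised directives, splicing each include's lines in at the
    exact point where the include directive appears (what Squid does)."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "include":
            for inc in words[1:]:
                yield from expand(inc, files)
        else:
            yield words


def load(path, files):
    """Collect acl definitions and http_access rules in configuration order."""
    acls = {"all": ("all", [])}          # Squid's built-in "all" ACL
    rules = []
    for words in expand(path, files):
        if words[0] == "acl":
            name, kind, *values = words[1:]
            # A quoted path means "read one value per line from this file".
            if len(values) == 1 and values[0].startswith("/"):
                values = [v.strip() for v in files[values[0]].splitlines() if v.strip()]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            action, *names = words[1:]
            rules.append((action, names))
    return acls, rules


def matches(acl, client_ip, domain):
    kind, values = acl
    if kind == "all" or (kind == "src" and "all" in values):
        return True                     # "acl X src all" matches every client
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        # ".example" matches example and every subdomain; "host.example" is exact.
        return any((domain == v[1:] or domain.endswith(v)) if v.startswith(".")
                   else domain == v for v in values)
    raise ValueError(f"unsupported acl type {kind}")


def decide(acls, rules, client_ip, domain):
    """First http_access line whose ACLs all match wins. If nothing matches,
    Squid applies the opposite of the last line's action."""
    for action, names in rules:
        ok = True
        for n in names:
            negate = n.startswith("!")
            if matches(acls[n.lstrip("!")], client_ip, domain) == negate:
                ok = False
                break
        if ok:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def squid_conf(include_order, allow_line="http_access allow localnet"):
    """Minimal squid.conf with the includes in the given order, ahead of the
    usual allow-localnet / deny-all tail (assumed placement, as in the post)."""
    lines = ["acl localnet src 192.168.0.0/16", "acl allnet src all"]
    lines += [f"include {p}" for p in include_order]
    lines += [allow_line, "http_access deny all"]
    return "\n".join(lines) + "\n"


def decide_with_conf(conf_text, client_ip, domain):
    files = dict(FILES, **{"/etc/squid/squid.conf": conf_text})
    acls, rules = load("/etc/squid/squid.conf", files)
    return decide(acls, rules, client_ip, domain)


if __name__ == "__main__":
    lan, outsider, both = "192.168.1.10", "203.0.113.7", "www.tracker.example"
    a_then_w = squid_conf(["/etc/squid/acl.conf", "/etc/squid/whitelist.conf"])
    w_then_a = squid_conf(["/etc/squid/whitelist.conf", "/etc/squid/acl.conf"])
    print("acl.conf first:      ", decide_with_conf(a_then_w, lan, both))
    print("whitelist.conf first:", decide_with_conf(w_then_a, lan, both))
    # "allow allnet" ahead of "deny all" turns the proxy into an open proxy.
    open_proxy = squid_conf([], allow_line="http_access allow allnet")
    print("allow allnet, outside client:",
          decide_with_conf(open_proxy, outsider, "www.example.org"))
```

With acl.conf included first, a host that appears on both lists is denied because "deny blacklist" is reached before "allow whitelist"; swapping the two include lines flips the result, which is the change the reply recommends for whitelisting against blacklist entries. The last case reproduces the "allnet" point: an "allow allnet" line ahead of "deny all" grants a client from outside the LAN, so the closing deny never acts as a safety net.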

