[squid-users] Setting up a Whitelist

Donald Muller donmuller22 at outlook.com
Thu Jun 28 04:31:11 UTC 2018


Still not working.

> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf
> Of Amos Jeffries
> Sent: Wednesday, June 27, 2018 4:59 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Setting up a Whitelist
> 
> On 28/06/18 08:21, Donald Muller wrote:
> > Hi,
> >
> >
> >
> > Don’t know if what I want to do is even possible but here is the
> > situation. I have Squid set up on my QNAP NAS. It is running fine. I
> > am using it with the blacklist and sites get blocked as they should.
> > However there a number of sites that I do not want blacklisted so I
> > thought I’d set up a whitelist for them. What I did was to add an
> > include statement to the squid.conf file. The included file has the
> > directives for the whitelist.
> >
> >
> >
> > Here are my config files.
> >
> >
> >
> >
> >
> > Squid.conf
> >
> >
> >
> > # The user name and group name Squid will operate as
> >
> > cache_effective_user httpdusr
> >
> 
> The above username requires read access to the included file *and* any
> other files which it instructs Squid to load.
> 
> That access may be granted through group access to the file, if the above
> user is a member of a permitted group. Be careful: do not assign Squid to the
> root group nor any equivalent on the machine.
> 

Good catch. Owner/group of whitelist files changed.

> 
> ...
> >
> >
> > acl allnet src all                  # All Net
> >
> 
> Why?
>  you are not doing anything like deny_info which might need "allnet"
> 
> Using the built-in "all" ACL would be simpler.
> 

I did not build the Squid package. It was built and distributed by QNAP.

> >
> > include /usr/local/squid/etc/acl.conf
> >
> > include
> > /share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.conf
> > <-------- I added this line
> >
> 
> The only thing to be aware of is order dependence. Squid loads and operates
> as if the contents of these files were copy-and-pasted exactly at the line
> where the include directive is.
> 
> That means any directives like http_access which contain order-specific
> behaviours retain those behaviours between files in the specific order of the
> include lines.
> 
> So, if acl.conf contains "http_access deny blacklist" and whitelist.conf
> contains "http_access allow whitelist" then:
>  a) blacklist is *still* denying requests before whitelist is even tested.
>  b) whitelist.conf is (only) adding a bypass of all the default/recommended
> squid.conf security lines

acl.conf is empty

> 
> I'm pointing out (b) because you should really only place custom rules
> (especially http_access related ones) at the point in squid.conf labeled
> "INSERT YOUR OWN RULE(S) HERE".
> 
> You have not stated whether you are trying to whitelist against entries in the
> blacklist, or against the proxy's default security rules to prevent unsafe
> behaviour (i.e. spam email using the proxy as a relay, non-HTTPS tunnels).
>  If you want the former; then the includes need to be done the other way
> around (whitelist.conf include first, then acl.conf).
>  If you want the latter; then you have it now.
> 
> 

Sorry. I am trying to whitelist against sites that are in the blacklist from squidguard.mesd.k12.or.us/blacklists.tgz. So where should my whitelist.conf be?
I tried it after "INSERT YOUR OWN RULE(S) HERE" and also at the end of the squid.conf file.

> ...
> 
> >
> > include /usr/local/squid/etc/acl_http.conf
> >
> > #http_access allow allnet ncsa_users
> >
> > #http_access allow allnet group_administrators
> >
> > #http_access allow allnet nas_user
> 
> NP: Placing "all" on a line with other ACL checks is a hack to prevent the
> authentication process from being initiated by lines if the credentials are known
> but not allowed certain access. It only works if the "all" is placed at the RHS
> end of lines.
>  So "allnet" is pointless on the above.
> 

It is also commented out.

> 
> >
> > http_access allow allnet
> >
> > #http_access deny allnet
> >
> > # And finally deny all other access to this proxy
> >
> 
> But "allnet" was defined as "all". Which overrides this safety net config line
> and makes your proxy an open-proxy by default.
>  That would be clearer if you had used "all" instead of custom "allnet".
> 
> 
> 
> > #
> >
> > mime_table /usr/local/squid/etc/mime.conf
> >
> > pid_filename /usr/local/squid/var/run/squid.pid
> >
> > diskd_program /usr/local/squid/libexec/diskd
> >
> > unlinkd_program /usr/local/squid/libexec/unlinkd
> >
> > icon_directory /usr/local/squid/share/icons
> >
> > err_page_stylesheet /usr/local/squid/etc/errorpage.css
> 
> None of the above lines should be necessary. If you are custom building
> Squid it should be built with ./configure options setting defaults appropriate
> for the OS it's going to run on.
> You only need these squid.conf directives if you have one or a few files in
> really weird placement unusual for the OS.
> 
> Same for any directive which is setting default values. You can simplify the
> config a huge amount by removing them entirely these days.
> (Squid-2.x needed them, Squid-3.x does not).
> 

I did not build the Squid package. It was built and distributed by QNAP.

> 
> > whitelist.conf
> >
> >
> >
> > acl whitelist dstdomain
> > "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
> >
> > http_access allow whitelist
> >
> 
> 
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
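An added example, not part of this thread or of Squid's own tooling, illustrating the two points Amos makes above: that `include` splices a file in exactly where the directive sits (so the whitelist include must come before the blacklist include for the whitelist to win under first-match evaluation), and that `http_access allow allnet` ahead of the final `deny all` leaves the proxy open. The script builds constructed copies of whitelist.conf, acl.conf and two squid.conf layouts (one correct, one in the order from the thread), flattens the includes the way Squid does, and checks the resulting `http_access` order. The `flatten` and `check_order` helpers, the temporary paths and the blacklist.txt/blacklist ACL name are assumptions made for the example; they are not Squid commands.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify http_access rule
# order after "include" expansion. Squid evaluates http_access lines top to
# bottom, first match wins, so an "allow whitelist" placed after
# "deny blacklist" never fires for a blacklisted domain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed whitelist.conf (mirrors the one posted in the thread).
cat > "$WORK/whitelist.conf" <<'EOF'
acl whitelist dstdomain "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/whitelist.txt"
http_access allow whitelist
EOF

# Constructed acl.conf standing in for the squidGuard-derived blacklist
# (ACL name "blacklist" and the .txt path are assumptions for this example).
cat > "$WORK/acl.conf" <<'EOF'
acl blacklist dstdomain "/share/CACHEDEV1_DATA/UserData/Configs/Proxy/blacklist.txt"
http_access deny blacklist
EOF

# Correct layout: both includes at the "INSERT YOUR OWN RULE(S) HERE" point,
# whitelist first so its allow is tested before the blacklist deny, and the
# recommended "deny all" kept as the last http_access line.
cat > "$WORK/squid-good.conf" <<EOF
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
include $WORK/whitelist.conf
include $WORK/acl.conf
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
EOF

# Layout from the thread: blacklist include first, "allow allnet" (allnet is
# "all") before the final deny, whitelist include appended at the very end.
cat > "$WORK/squid-bad.conf" <<EOF
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
include $WORK/acl.conf
acl allnet src all
http_access allow allnet
http_access deny all
include $WORK/whitelist.conf
EOF

# Expand "include <file>" lines in place, the way Squid treats them: the
# included file's lines are processed exactly where the directive sits.
flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            include\ *)
                set -- $line          # $2 is the path (no spaces in these paths)
                flatten < "$2"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Check the flattened http_access sequence. Returns 0 when the whitelist
# allow precedes the blacklist deny and no "allow all"/"allow allnet" is
# reached before the final "deny all"; returns 1 (with a reason) otherwise.
check_order() {
    flatten < "$1" | awk '
        $1 == "http_access" { n++ }
        $1 == "http_access" && $2 == "allow" && $3 == "whitelist" && !aw { aw = n }
        $1 == "http_access" && $2 == "deny"  && $3 == "blacklist" && !db { db = n }
        $1 == "http_access" && $2 == "allow" && ($3 == "all" || $3 == "allnet") && !op { op = n }
        $1 == "http_access" && $2 == "deny"  && $3 == "all" { da = n }
        END {
            ok = 1
            if (!aw || !db || aw > db) {
                print "FAIL: whitelist allow is not tested before blacklist deny"; ok = 0
            }
            if (op && (!da || op < da)) {
                print "FAIL: allow all/allnet is reached before deny all (open proxy)"; ok = 0
            }
            if (ok) { print "OK"; exit 0 }
            exit 1
        }'
}

check_order "$WORK/squid-good.conf"
check_order "$WORK/squid-bad.conf" || echo "bad layout rejected as expected"
```

Once the real files are in place, `squid -k parse` will complain about any ACL file the `cache_effective_user` cannot read, so run it after changing owner/group on whitelist.txt and check with `ls -l` that the group read bit is set without putting Squid in the root group.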
