[squid-users] ACL-by time- not working. Help!

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 28 16:25:10 UTC 2020


On 29/08/20 3:50 am, Luis Mario Niedas Hernández wrote:
> On Fri, 28 Aug 2020 at 00:03, Amos Jeffries
> (squid3 at treenet.co.nz) wrote:
>>
>> On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
>>> Hello. I need to restrict some sites by time, but I am not doing it well.
>>> This is my squid.conf. Please help me to fix the problem. I don't know
>>> why it is not working.
>>>
>>
>> It is not clear what your problem actually is.
> 
> Well. My problem is that I had to block Facebook and YouTube but I
> did not know how to do it. Your correction works fine. Thanks for
> explaining some things to me. I appreciate that.
> 
>>
>> An educated guess tells me that you have missed two important details:
>>
>>  1) your http_access lines are just a long list of allow, allow, allow.
>> Squid has no reason to deny.
> 
> Hahaha. Honestly, I don't understand how Squid works. I mean, I don't
> know what logic to follow with the acl directives and
> http_access allow | deny. I am learning about it. Could you recommend
> me a book or a place to look for learning how to build
> my rules in Squid properly? I need it. I don't want to copy and paste
> ACLs from somewhere and put them in my config, I really want to know how
> I have to think. LEARN
> 

Certainly. The details of access controls are all documented at
<http://wiki.squid-cache.org/SquidFaq/SquidAcl>

or if you prefer a physical book the "Squid 3.1: Beginners Guide" is
still a good learning resource to begin with. What it lacks is mostly
detail on new features.


>>
>> To resolve this you need to write out your policy (or policies) in the
>> form of denials, allowing only the good traffic that remains.
>>
> I guess that when we put  this:
> 
> http_access deny all.
> 
> we are telling Squid that everything that does not have an http_access
> allow is blocked. So, why do I have to put http_access deny
> !peticion_identificacion, instead of http_access allow
> peticion_identificacion ?


ACLs actually have three states: YES, NO, UNKNOWN. Authentication is one
ACL type where the third state is important.

"allow peticion_identificacion" lets all the traffic which is-YES through.
 Meaning it will try to get credentials, but if they do not validate as
correct Squid skips on to checking the next access control line.


"deny !peticion_identificacion" blocks all the traffic which is not-YES.

Meaning Squid will block clients who cannot login with valid credentials.


> 
> 
>> For best performance sort the lines by ACL checking speed and how much
>> traffic they can drop. The faster it can identify and deny bad traffic
>> the more speed can go towards the good traffic.
>>
>>  2) those FB and YT websites use HTTPS and http_access controls only
>> apply when an HTTPS connection is established. The TLS connection itself
>> may remain open and continue to be used indefinitely.
>>
>> You can use the client_lifetime directive to shorten the time CONNECT
>> tunnels are allowed to remain in use. For your specific case I would set
>> it to something like 5 minutes. Browsers can auto-recover so this length
>> should not be visible to clients, but you will want to test that to
>> confirm what is good for your needs.
>>
>>
>> There are several other things about your config file that indicate
>> extremely outdated practices or Squid version. Below is a free audit
>> report of things that need fixing.
>>
>>
>> If you are running a Squid older than 3.5 please update ASAP. Then apply
>> the changes below.
> 
> I am running squid 4.6.
> 

Okay. The changes should all work, but please plan to upgrade ASAP.
There have been quite a few critical security vulnerabilities fixed this
past year.


>>>
>>> ######### LOGS #######################################
>>>
>>> cache_log /var/log/squid/cache.log
>>> access_log stdio:/var/log/squid/access.log  rotate=8760
>>> cache_store_log stdio:/var/log/squid/store.log
>>
>> Is there any reason you need this log?
>> It typically is only useful for debugging and this line could be removed
>> to speed up your proxy and save disk space.
> 
> My boss told me that I must save all my logs, just to check later
> what people are doing and where they are surfing on the internet.
> 

Okay. For that you need the access.log. Not the store.log or cache.log.


>>
>>>
>>> ##################
>>>
>>> # AFFECTS THE COUNT, SPECIFICALLY FOR STORE.LOG
>>>
>>> logfile_rotate 8760
>>>
>>> #### 365 days * 24 hours is the number of log rotations in the crontab
>>
>> Does that mean you are running logrotate every hour of every day?
>>
> Yes, I am rotating all of Squid's logs every hour. Honestly, because
> I thought that it is the easiest way to make analytics work. What
> can you recommend to me?

Okay. I would double check that assumption.

Modern Squid has logging modules for different outputs. Depending
on what analytics system you are using it may not need the rotation at
all, or it may take input directly in some way other than from the disk file.

Some analytics use "tail" or similar to watch the end of the access.log
and update the reports shortly after a transaction is logged. Less
rotating works better for them.

Some tools can take input from syslog. Squid has a log module to write
access.log records to syslog for those.

Then there is the daemon module. A fairly simple helper can deliver the
log lines to anywhere, for example to any unusual API the analytics system has.

My CDN analytics dashboard and billing work off an SQL database. So I
co-wrote the helper to drop logs into a database and customers can see
their usage real-time.

Just something to think about when you have time.


HTH
Amos
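To make the ordering advice in the reply above concrete, here is an added example squid.conf fragment written for this editing pass. It is neither the poster's configuration nor Squid project code. It keeps the ACL name from the thread (peticion_identificacion); the authentication helper path, the client subnet, the blocked domain list and the working-hours window are assumptions. It shows the denials ordered cheapest and highest-volume first, the slow authentication check as "deny !acl" rather than "allow acl", a final "deny all", the client_lifetime cap for already-open CONNECT tunnels, and the access_log daemon/syslog modules with store.log disabled.

```conf
# Added example squid.conf fragment (not the configuration from this thread,
# and not Squid project code). Paths, the subnet and the domain list are
# assumptions chosen for illustration.

# --- ACL definitions ---
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd   # assumed helper path
auth_param basic realm Proxy
acl peticion_identificacion proxy_auth REQUIRED

acl localnet src 192.168.0.0/16          # assumed client subnet
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Sites to block. dstdomain also matches the host named in a CONNECT request,
# so HTTPS destinations are covered without ssl_bump. A leading dot matches
# the domain and all its subdomains.
acl redes_sociales dstdomain .facebook.com .youtube.com

# Working hours: Monday to Friday, 08:00 to 18:00
# (day letters: M T W H F A S = Monday .. Sunday)
acl horario_laboral time MTWHF 08:00-18:00

# --- http_access: evaluated top to bottom, the first matching line wins ---
# 1. Cheap protocol sanity checks drop junk before anything else runs.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# 2. Cheap domain + time check: social sites are refused only during work hours.
http_access deny redes_sociales horario_laboral
# 3. The slow check comes last among the denials. "deny !acl" blocks every
#    request that is not-YES (no credentials, or invalid ones); an
#    "allow acl" line would instead let a failed login fall through to the
#    lines below.
http_access deny !peticion_identificacion
# 4. Everything still here has valid credentials; allow the LAN.
http_access allow localnet
# 5. Deny anything not explicitly allowed above.
http_access deny all

# http_access is checked when the CONNECT tunnel is set up, not afterwards.
# A tunnel opened at 07:55 stays usable after 08:00 until the browser opens
# a new one. Capping tunnel lifetime bounds how long an open tunnel can
# outlive the policy window (test that 5 minutes is acceptable for clients).
client_lifetime 5 minutes

# --- logging: keep access.log, drop store.log, rotate less often ---
access_log daemon:/var/log/squid/access.log squid
cache_store_log none
logfile_rotate 10        # assumes a daily "squid -k rotate" from cron instead of hourly
# Alternative for analytics tools that consume syslog instead of a file:
# access_log syslog:daemon.info squid
```

Reload with "squid -k reconfigure" and verify with a CONNECT to one of the blocked hosts during and outside the time window; the access.log line for the denied request carries TCP_DENIED, and a request with no credentials is answered with a 407 challenge before anything below the auth line is consulted.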

