[squid-users] Squid Proxy not blocking websites

Amos Jeffries squid3 at treenet.co.nz
Tue May 5 13:31:32 UTC 2020


On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
> 
> Can any one help on the below issue.
> I tried changing the order of deny and allow acl but it did not yield
> any result.
> 

What is the contents of the denylist.txt file?

This usually happens when things in there are not the right dstdomain
syntax.





> Regards
> Arjun K
> 
> 
> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <email_arjun at yahoo.com>
> wrote:
> 
> 
> Hi All
> 
> The below is the configuration defined in the proxy server.
> The issue is that the proxy is not blocking the websites mentioned in a
> file named denylist.txt.
> Kindly let me know what needs to be changed to block the websites.
> 
> 
> 
> ####IP Ranges allowed to use proxy
> acl localnet src 10.196.0.0/16
> acl localnet src 10.197.0.0/16
> acl localnet src 10.198.0.0/16
> acl localnet src 10.199.0.0/16
> acl localnet src 10.200.0.0/16

These can be simplified:

 acl localnet src 10.196.0.0-10.200.0.0/16


> 
> ####Allowed and Denied URLs
> acl allowedurl dstdomain /etc/squid/allowed_url.txt

dstdomain and URL are different things. The name of this ACL is deceptive.

> acl denylist dstdomain /etc/squid/denylist.txt
> 
...

You are missing the DoS protection checks:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

All custom rules should follow those.


> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
> 
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> 
> http_access allow allowedurl
> http_access deny denylist
> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports

The manager and Safe_ports checks are useless down here. Their entire
purpose is to prevent unauthorized access to dangerous protocols and the
security-sensitive proxy management API.


> http_access deny all
> 
...
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

No refresh_pattern following this line will ever match. The "." pattern
matches every URL possible. Order is important.

> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> 


Amos
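The two points in the reply above (denylist.txt entries must be in dstdomain syntax, and http_access is evaluated first-match so rule order decides what a deny line can reach) can be checked offline before touching the proxy. The script below is an added example for this thread, not code from Squid or from either poster: it lints a constructed denylist.txt for the usual non-dstdomain entries (URLs, paths, wildcards), then runs a deliberately reduced first-match model of http_access over the thread's rule set. The ACL model only knows src, dstdomain, port and method; the SSL_ports ACL is an assumption added for the `deny CONNECT !SSL_ports` line, since the posted config defines none.

```python
"""Added example (not from the squid-users thread or from Squid): lint a
dstdomain list file and simulate first-match http_access evaluation to show
why list syntax and rule order decide whether a denylist blocks anything."""
import ipaddress
import re

# Constructed sample of a denylist.txt with the usual mistakes (not Arjun's file).
SAMPLE_DENYLIST = """\
# comment line
http://www.example.com
example.net/banned/path
*.example.org
.blocked.example
badsite.test
"""

_HOST_RE = re.compile(r"^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def suggest_host(entry):
    """Reduce a URL/path/wildcard entry to the dstdomain form that would match."""
    host = entry.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        host = host[1:]          # '*.x' is not supported; '.x' matches x and subdomains
    return host.lower()


def raw_entries(text):
    """Entries as Squid would read them: blank lines and '#' comments skipped."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def check_dstdomain_file(text):
    """Return (clean_entries, problems); each problem is (line, entry, reason, suggestion)."""
    clean, problems = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "://" in entry:
            problems.append((no, entry, "URL scheme; dstdomain takes a hostname", suggest_host(entry)))
        elif "/" in entry:
            problems.append((no, entry, "path present; only the host part is compared", suggest_host(entry)))
        elif "*" in entry:
            problems.append((no, entry, "wildcards unsupported; use a leading dot", suggest_host(entry)))
        elif not _HOST_RE.match(entry):
            problems.append((no, entry, "not a valid domain name", None))
        else:
            clean.append(entry.lower())
    return clean, problems


def dstdomain_match(entry, host):
    """Squid semantics: '.example.com' matches example.com and every subdomain;
    a bare 'example.com' matches that exact host only."""
    host = host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return any(dstdomain_match(v, req["host"]) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type: %s" % kind)


def http_access(rules, acls, req):
    """First matching line wins; a line matches when every term matches ('!x' negates).
    If nothing matches, Squid applies the opposite of the last line's action,
    which is why lists end with 'deny all'."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def build_acls(denylist_entries):
    return {
        "localnet": ("src", ["10.%d.0.0/16" % n for n in range(196, 201)]),
        "Safe_ports": ("port", [80, 443]),
        "SSL_ports": ("port", [443]),        # assumed; the posted config defines no SSL_ports
        "CONNECT": ("method", ["CONNECT"]),
        "denylist": ("dstdomain", denylist_entries),
        "all": ("src", ["0.0.0.0/0"]),
    }


# Order the reply recommends: port/CONNECT protection first, custom rules, deny all last.
RECOMMENDED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
               ("deny", ["denylist"]), ("allow", ["localnet"]), ("deny", ["all"])]

# 'allow localnet' ahead of the deny and port checks: everything after it is unreachable
# for LAN clients, which is the problem the reply points out for the posted Safe_ports line.
ALLOW_FIRST = [("allow", ["localnet"]), ("deny", ["denylist"]),
               ("deny", ["!Safe_ports"]), ("deny", ["all"])]


def decide(rules, entries, src, host, port, method="GET"):
    return http_access(rules, build_acls(entries), {"src": src, "host": host, "port": port, "method": method})


if __name__ == "__main__":
    clean, problems = check_dstdomain_file(SAMPLE_DENYLIST)
    for no, entry, reason, fix in problems:
        print("line %d: %r: %s -> %r" % (no, entry, reason, fix))
    fixed = clean + [p[3] for p in problems if p[3]]
    print("raw list, www.example.com:", decide(RECOMMENDED, raw_entries(SAMPLE_DENYLIST), "10.197.1.5", "www.example.com", 80))
    print("fixed list, www.example.com:", decide(RECOMMENDED, fixed, "10.197.1.5", "www.example.com", 80))
    print("allow-first order, port 8080:", decide(ALLOW_FIRST, fixed, "10.197.1.5", "ok.test", 8080))
```

Running it shows the raw list letting `www.example.com` through (the `http://` entry never equals a hostname), the rewritten list denying it, and the `!Safe_ports` check being dead code once `allow localnet` sits above it. The real check on the proxy is the same idea with Squid's own tooling: `squid -k parse` reports dstdomain entries it cannot read, and access.log shows which rule matched.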

