[squid-users] Squid Proxy not blocking websites

Arjun K email_arjun at yahoo.com
Tue May 5 16:47:35 UTC 2020


Hi Amos
Thanks for your response and suggestions and I will incorporate your inputs in the configuration. Please find the below contents of denylist as I am unable to attach as a document due to restrictions.

.hotmail.com
*.appex-rf.msn.com
*.itunes.apple.com
auth.gfx.ms
broadcast.skype.com
c.bing.com
c.live.com
cl2.apple.com
client.hip.live.com
d.docs.live.net
directory.services.live.com
docs.live.net
en-us.appex-rf.msn.com
foodanddrink.services.appex.bing.com
login.live.com
mail.google.com
ms.tific.com
odcsm.officeapps.live.com
officeimg.vo.msecnd.net
outlook.uservoice.com
p100-sandbox.itunes.apple.com
partnerservices.getmicrosoftkey.com
protection.office.com
roaming.officeapps.live.com
sas.office.microsoft.com
sdk.hockeyapp.net
secure.meetup.com
signup.live.com
social.yahooapis.com
view.atdmt.com
watson.telemetry.microsoft.com
weather.tile.appex.bing.com
www.dropbox.com
www.googleapis.com
www.wunderlist.com
*.appex.bing.com
*.broadcast.skype.com
*.mail.protection.outlook.com
*.protection.office.com
*.protection.outlook.com
*.skype.com
*.skypeforbusiness.com
a.wunderlist.com
account.live.com
accounts.google.com
acompli.helpshift.com
api.diagnostics.office.com
api.dropboxapi.com
api.login.yahoo.com
api.meetup.com
app.adjust.com
app.box.com
bit.ly, www.acompli.com
by.uservoice.com
data.flurry.com
play.google.com
rink.hockeyapp.net
www.evernote.com
www.google-analytics.com
www.youtube.com
*.facebook.com
*.yahoo.com
*.msn.com
clients4.google.com
www.reddit.com



Please find my responses and queries as well.
1. Instead of dstdomain, I tried the url_regex as defined below and even it is not blocking the sites through the proxy.
Kindly let me know how to allow and block the sites?

acl allowedurl url_regex /etc/squid/allowed_url.txt
acl denylist url_regex /etc/squid/denylist.txt
2. I have defined only two ports 80 and 443 and removed all other ports. May I know whether the below order must be used since you stated the below "All custom rules should follow those." Kindly let me know whether the below order is correct or not.

http_access deny !Safe_ports
http_access deny denylist
http_access allow allowedurl
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access deny manager
http_access deny all

Regards
Arjun K.

On Tuesday, 5 May, 2020, 07:02:46 pm IST, Amos Jeffries <squid3 at treenet.co.nz> wrote:

On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
> 
> Can any one help on the below issue.
> I tried changing the order of deny and allow acl but it did not yield
> any result.
> 

What is the contents of the denylist.txt file?

This usually happens when things in there are not the right dstdomain
syntax.





> Regards
> Arjun K
> 
> 
> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <email_arjun at yahoo.com>
> wrote:
> 
> 
> Hi All
> 
> The below is the configuration defined in the proxy server.
> The issue is that the proxy is not blocking the websites mentioned in a
> file named denylist.txt.
> Kindly let me know what needs to be changed to block the websites.
> 
> 
> 
> ####IP Ranges allowed to use proxy
> acl localnet src 10.196.0.0/16
> acl localnet src 10.197.0.0/16
> acl localnet src 10.198.0.0/16
> acl localnet src 10.199.0.0/16
> acl localnet src 10.200.0.0/16

These can be simplified:

 acl localnet src 10.196.0.0-10.200.0.0/16


> 
> ####Allowed and Denied URLs
> acl allowedurl dstdomain /etc/squid/allowed_url.txt

dstdomain and URL are different things. The name of this ACL is deceptive.

> acl denylist dstdomain /etc/squid/denylist.txt
> 
...

You are missing the DoS protection checks:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

All custom rules should follow those.


> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
> 
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> 
> http_access allow allowedurl
> http_access deny denylist
> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports

The manager and Safe_ports checks are useless down here. Their entire
purpose is to prevent unauthorized access to dangerous protocols and
security sensitive proxy management API.


> http_access deny all
> 
...
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

No refresh_pattern following this line will ever match. The "." pattern
matches every URL possible. Order is important.

> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320
> 80% 43200 reload-into-ims
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%
> 43200 reload-into-ims
> 


Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
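The two points in this thread, that dstdomain entries must be written in Squid's own syntax (a leading dot for "domain and its subdomains", no shell wildcards) and that http_access is evaluated first-match-wins with the safety denies first, can be checked offline before touching squid.conf. The script below is an added example written for this thread; it is not Squid's code and it does not parse squid.conf. It contains a small constructed denylist in the shape of the one posted above, flags the lines that are not valid dstdomain syntax, proposes the leading-dot form for `*.` entries (assuming that is what the author meant), and then simulates the rule order from item 2 (with the manager and localhost lines left out for brevity) against a localnet client. The localnet ranges are the five /16s from the original config.

```python
"""Check a Squid dstdomain denylist and simulate http_access evaluation.

Added example for this thread, not Squid's own code. Squid's dstdomain ACL
compares the request's destination host name against each entry: an entry
without a leading dot matches that exact host only, and an entry with a
leading dot (".example.com") matches the domain and all of its subdomains.
Shell-style wildcards such as "*.example.com" are not dstdomain syntax, so
entries written that way match no real host and block nothing.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the list posted above: a mix of valid
# entries, wildcard entries and a comma-separated line.
SAMPLE_DENYLIST = """\
.hotmail.com
*.facebook.com
login.live.com
bit.ly, www.acompli.com
www.youtube.com
"""

# Dot-separated labels, optional leading dot for "domain and subdomains".
HOSTNAME_RE = re.compile(
    r"^\.?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def check_dstdomain_list(text):
    """Return (valid, problems): valid entries as written, and for each bad
    line a tuple (line_no, original, replacements) where replacements is the
    list of dstdomain entries to use instead (empty if no automatic fix)."""
    valid, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = [p for p in re.split(r"[,\s]+", line) if p]
        # "*.x.com" is assumed to mean ".x.com" (x.com and all subdomains)
        fixed = [p[1:] if p.startswith("*.") else p for p in parts]
        if len(parts) == 1 and parts == fixed and HOSTNAME_RE.match(line):
            valid.append(line)
        elif all(HOSTNAME_RE.match(p) for p in fixed):
            problems.append((n, raw.strip(), fixed))
        else:
            problems.append((n, raw.strip(), []))
    return valid, problems


def dstdomain_matches(entry, host):
    """Emulate one dstdomain entry against a destination host name."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry  # anything else, "*.x.com" included, is an exact host


def build_acls(denylist, allowlist):
    """ACL name -> predicate over a request, mirroring the thread's config."""
    localnet = [ip_network(f"10.{n}.0.0/16") for n in range(196, 201)]
    return {
        "Safe_ports": lambda r: r["port"] in (80, 443),
        "localnet": lambda r: any(ip_address(r["src"]) in net for net in localnet),
        "denylist": lambda r: any(dstdomain_matches(e, r["host"]) for e in denylist),
        "allowedurl": lambda r: any(dstdomain_matches(e, r["host"]) for e in allowlist),
        "all": lambda r: True,
    }


# Rule order from item 2 above: the safety check first, then custom rules.
# Each line is (action, [acl names]); every named ACL must match, "!" negates.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["denylist"]),
    ("allow", ["allowedurl"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def http_access(rules, acls, request):
    """First matching http_access line wins. If no line matches, Squid applies
    the opposite of the last line's action, which is why 'deny all' goes last."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


def before_and_after(denylist_text=SAMPLE_DENYLIST, host="www.facebook.com"):
    """Decision for a localnet client fetching `host` with the list as written
    versus after rewriting the flagged lines into dstdomain syntax."""
    as_written = [ln.strip().lower() for ln in denylist_text.splitlines() if ln.strip()]
    valid, problems = check_dstdomain_list(denylist_text)
    rewritten = valid + [e for _, _, fix in problems for e in fix]
    request = {"src": "10.196.1.5", "host": host, "port": 443}
    return (http_access(RULES, build_acls(as_written, []), request),
            http_access(RULES, build_acls(rewritten, []), request))


if __name__ == "__main__":
    _, problems = check_dstdomain_list(SAMPLE_DENYLIST)
    for n, original, fix in problems:
        print(f"line {n}: {original!r} is not dstdomain syntax; use {fix or 'a manual fix'}")
    print("www.facebook.com, list as written / rewritten:", before_and_after())
```

Running it shows the failure mode from the thread: with `*.facebook.com` in the list, a request for www.facebook.com from a localnet client falls through to `allow localnet`; once the entry is rewritten as `.facebook.com` the `deny denylist` line fires. The same checker can be pointed at the real file with `check_dstdomain_list(open("/etc/squid/denylist.txt").read())`.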