<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
HI Eliezer,
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">squid.conf: <a href="http://pastebin.com/7Nusciiu" class="">http://pastebin.com/7Nusciiu</a></div>
<div class=""><br class="">
</div>
<div class="">sqiudguard.conf: <a href="http://pastebin.com/DiRgD23c" class="">http://pastebin.com/DiRgD23c</a></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">I think the client is using a Google chrome extension: <a href="https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en" class="">https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en</a></div>
<div class=""><br class="">
</div>
<div class="">(can’t get cache logs now as client is disconnected)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il" class="">eliezer@ngtech.co.il</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">How does squid.conf looks now?<br class="">
It’s probably a typo or some settings exception.<br class="">
You need to debug and check first if squidguard receives the request details<br class="">
and what it does with it.<br class="">
To see the relevant details you will need to use squid debug_options:<br class="">
<a href="http://wiki.squid-cache.org/KnowledgeBase/DebugSections" class="">http://wiki.squid-cache.org/KnowledgeBase/DebugSections</a><br class="">
<br class="">
Specifically section 61.<br class="">
You should add to squid.conf the line<br class="">
debug_options ALL,1 61,6<br class="">
<br class="">
And your cache.log will be flooded with details about any request that is<br class="">
being passed to squidguard.<br class="">
I believe that this should be a start point that will show you if squid is<br class="">
sending the request to squidguard and how squidguard answers.<br class="">
If you want more help share with a paste the current squid.conf and<br class="">
squidguard.conf.<br class="">
This way even if it’s not related directly to squid we can see if there is a<br class="">
hole in the setup you don’t see yet.<br class="">
<br class="">
Eliezer<br class="">
<br class="">
----<br class="">
http://ngtech.co.il/lmgtfy/<br class="">
Linux System Administrator<br class="">
Mobile: +972-5-28704261<br class="">
Email: eliezer@ngtech.co.il<br class="">
<br class="">
<br class="">
From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org] On<br class="">
Behalf Of Sameh Onaissi<br class="">
Sent: Wednesday, December 21, 2016 7:14 PM<br class="">
To: squid-users@lists.squid-cache.org<br class="">
Subject: [squid-users] Bypassed Proxy<br class="">
<br class="">
Hello all, <br class="">
<br class="">
I got a transparent squid installed on Ubuntu 16.04<br class="">
<br class="">
Using squid guard, I am blocking certain websites, including youtube.<br class="">
<br class="">
Anytime a user tries accessing it, he/she is redirected to an access denied<br class="">
page.<br class="">
<br class="">
Except for ONE user!<br class="">
<br class="">
One user is somehow, able to access you tube through squid!<br class="">
That IP is not on the exempt list, and has no special configurations.<br class="">
<br class="">
access.log:<br class="">
<br class="">
1482339083.228 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339083.324 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339083.331 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339083.422 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339083.436 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339083.517 0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
1482339086.251 0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443<br class="">
- HIER_NONE/- text/html<br class="">
<br class="">
<br class="">
Any other user tries and gets:<br class="">
<br class="">
1482339588.002 350 10.0.0.40 TCP_MISS/200 611 GET<br class="">
https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html<br class="">
<br class="">
That is the redirect html page.<br class="">
<br class="">
My deny list where youtube is:<br class="">
<br class="">
var/lib/squidguard/db/deny/urls has http://www.youtube.com<br class="">
var/lib/squidguard/db/deny/domains has http://youtube.com<br class="">
<br class="">
<br class="">
Any idea to how he is doing it?<br class="">
<br class="">
I can add a rule to specifically deny 10.0.0.162, but I want to know how he<br class="">
is doing it to prevent it for others. Also this is a dynamic IP.<br class="">
<br class="">
Thank you,<br class="">
Sam<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>