<html><head></head><body><div class="ydpb042b85dyahoo-style-wrap" style="font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 13px;"><div id="ydpb042b85dyiv6377913569"><div class="ydpb042b85dyiv6377913569ydpc09d74c0yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:13px;"><div></div>
        <div dir="ltr">Hi Amos</div><div dir="ltr"><br clear="none"></div><div dir="ltr">Thanks for your response and suggestions and I will incorporate your inputs in the configuration.</div><div dir="ltr">Please find the below contents of denylist as I am unable to attach as a document due to restrictions.</div><div dir="ltr"><br clear="none"></div><div dir="ltr"><div dir="ltr" data-setdir="false"> <div><div>.hotmail.com</div><div>*.appex-rf.msn.com</div><div>*.itunes.apple.com</div><div>auth.gfx.ms</div><div>broadcast.skype.com</div><div>c.bing.com</div><div>c.live.com</div><div>cl2.apple.com</div><div>client.hip.live.com</div><div>d.docs.live.net</div><div>directory.services.live.com</div><div>docs.live.net</div><div>en-us.appex-rf.msn.com</div><div>foodanddrink.services.appex.bing.com</div><div>login.live.com</div><div>mail.google.com</div><div>ms.tific.com</div><div>odcsm.officeapps.live.com</div><div>officeimg.vo.msecnd.net</div><div>outlook.uservoice.com</div><div>p100-sandbox.itunes.apple.com</div><div>partnerservices.getmicrosoftkey.com</div><div>protection.office.com</div><div>roaming.officeapps.live.com</div><div>sas.office.microsoft.com</div><div>sdk.hockeyapp.net</div><div>secure.meetup.com</div><div>signup.live.com</div><div>social.yahooapis.com</div><div>view.atdmt.com</div><div>watson.telemetry.microsoft.com</div><div>weather.tile.appex.bing.com</div><div>www.dropbox.com</div><div>www.googleapis.com</div><div>www.wunderlist.com</div><div>*.appex.bing.com</div><div>*.broadcast.skype.com</div><div>*.mail.protection.outlook.com</div><div>*.protection.office.com</div><div>*.protection.outlook.com</div><div>*.skype.com</div><div>*.skypeforbusiness.com</div><div>a.wunderlist.com</div><div>account.live.com</div><div>accounts.google.com</div><div>acompli.helpshift.com</div><div>api.diagnostics.office.com</div><div>api.dropboxapi.com</div><div>api.login.yahoo.com</div><div>api.meetup.com</div><div>app.adjust.com</div><div>app.box.com</div><div>bit.ly, 
www.acompli.com</div><div>by.uservoice.com</div><div>data.flurry.com</div><div>play.google.com</div><div>rink.hockeyapp.net</div><div>www.evernote.com</div><div>www.google-analytics.com</div><div>www.youtube.com</div><div>*.facebook.com</div><div>*.yahoo.com</div><div>*.msn.com</div><div>clients4.google.com</div><div>www.reddit.com</div><div><br></div></div><br></div><br clear="none"></div><div dir="ltr"><br clear="none"></div><div dir="ltr" data-setdir="false">Please find my responses and queries as well.</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">1. <b>Instead of dstdomain , I tried the url_regex as defined below and even it is not blocking the sites through the proxy.<br>Kindly let me know how to allow and block the sites ?<br clear="none"></b><div><div><br>acl allowedurl url_regex /etc/squid/allowed_url.txt</div><div>acl denylist url_regex /etc/squid/denylist.txt</div><div><br clear="none"></div></div><div dir="ltr" data-setdir="false">2. <b> I have defined only two ports 80 and 443 and removed all other ports. May I know whether the below order must be used since you stated the below "<span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">All custom rules should follow those." Kindly let me know whether the below order is correct or not.</span></span></b><br><br><span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">http_access deny !Safe_ports</span></span><br><span><div><div>http_access deny denylist</div><div>http_access allow allowedurl</div><div>http_access allow localhost manager</div><div>http_access allow localhost</div><div>http_access allow localnet</div><div>http_access deny manager</div></div></span>http_access deny all</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false"><br></div></div><div dir="ltr">Regards</div><div dir="ltr">Arjun K.</div><div><br clear="none"></div>
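<div dir="ltr">Added example, not part of the original thread and not Squid project code: a small Python check for a dstdomain list file such as denylist.txt. It applies Squid's dstdomain conventions (one domain per line, a leading dot to include subdomains, no * wildcard). The function names and the sample entries are constructed for illustration.</div>
<pre>
```python
import re

# Constructed sample using entry shapes from the posted denylist.
SAMPLE = """\
.hotmail.com
*.skype.com
broadcast.skype.com
bit.ly, www.acompli.com
login.live.com
"""

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def normalize(token):
    """Return (dstdomain_value, note); value is None when the token is unusable."""
    e, note = token.strip().lower(), None
    if e.startswith("*."):  # glob habit; dstdomain uses a leading dot instead
        e, note = e[1:], "rewrote '*.' as leading '.'"
    host = e[1:] if e.startswith(".") else e
    if not host or not all(LABEL.match(p) for p in host.split(".")):
        return None, "not a domain name"
    return e, note

def lint(text):
    """Return (clean_entries, findings); a finding on line 0 is file-wide."""
    seen, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = [t for t in re.split(r"[,\s]+", line.split("#")[0]) if t]
        if len(tokens) >= 2:
            findings.append((n, "more than one entry on the line"))
        for t in tokens:
            value, note = normalize(t)
            if value is None or note:
                findings.append((n, f"{t!r}: {note}"))
            if value and value not in seen:
                seen.append(value)

    def covered(d):
        # ".example.com" already covers example.com and every subdomain.
        return any(w != d and ("." + d.lstrip(".")).endswith(w)
                   for w in seen if w.startswith("."))
    for d in seen:
        if covered(d):
            findings.append((0, f"{d!r} is covered by a wider entry"))
    return [d for d in seen if not covered(d)], findings

if __name__ == "__main__":
    for item in lint(SAMPLE):
        print(item)
```
</pre>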
        
        </div></div></div><div class="ydp85a94a86yiv6377913569yqt3933670619" id="ydp85a94a86yiv6377913569yqt94992"><div class="ydp85a94a86yiv6377913569ydpcbbb9a74yahoo_quoted" id="ydp85a94a86yiv6377913569ydpcbbb9a74yahoo_quoted_8886290992">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>
                    On Tuesday, 5 May, 2020, 07:02:46 pm IST, Amos Jeffries &lt;squid3@treenet.co.nz&gt; wrote:
                </div>
                <div><br clear="none"></div>
                <div><br clear="none"></div>
                <div><div dir="ltr">On 6/05/20 12:58 am, Arjun K wrote:<br clear="none">> Hi All<br clear="none">> <br clear="none">> Can anyone help on the below issue.<br clear="none">> I tried changing the order of deny and allow acl but it did not yield<br clear="none">> any result.<br clear="none">> <br clear="none"><br clear="none">What are the contents of the denylist.txt file?<br clear="none"><br clear="none">This usually happens when things in there are not the right dstdomain<br clear="none">syntax.<br clear="none"><br clear="none"><br clear="none"><br clear="none"><br clear="none"><br clear="none">> Regards<br clear="none">> Arjun K<br clear="none">> <br clear="none">> <br clear="none">> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K &lt;<a shape="rect" href="mailto:email_arjun@yahoo.com" rel="nofollow" target="_blank">email_arjun@yahoo.com</a>&gt;<br clear="none">> wrote:<br clear="none">> <br clear="none">> <br clear="none">> Hi All<br clear="none">> <br clear="none">> The below is the configuration defined in the proxy server.<br clear="none">> The issue is that the proxy is not blocking the websites mentioned in a<br clear="none">> file named denylist.txt.<br clear="none">> Kindly let me know what needs to be changed to block the websites.<br clear="none">> <br clear="none">> <br clear="none">> <br clear="none">> ####IP Ranges allowed to use proxy<br clear="none">> acl localnet src 10.196.0.0/16<br clear="none">> acl localnet src 10.197.0.0/16<br clear="none">> acl localnet src 10.198.0.0/16<br clear="none">> acl localnet src 10.199.0.0/16<br clear="none">> acl localnet src 10.200.0.0/16<br clear="none"><br clear="none">These can be simplified:<br clear="none"><br clear="none"> acl localnet src 10.196.0.0-10.200.0.0/16<br clear="none"><br clear="none"><br clear="none">> <br clear="none">> ####Allowed and Denied URLs<br clear="none">> acl allowedurl dstdomain /etc/squid/allowed_url.txt<br clear="none"><br clear="none">dstdomain and URL are different things. 
The name of this ACL is deceptive.<br clear="none"><br clear="none">> acl denylist dstdomain /etc/squid/denylist.txt<br clear="none">> <br clear="none">...<br clear="none"><br clear="none">You are missing the DoS protection checks:<br clear="none"><br clear="none"> http_access deny !Safe_ports<br clear="none"> http_access deny CONNECT !SSL_ports<br clear="none"><br clear="none">All custom rules should follow those.<br clear="none"><br clear="none"><br clear="none">> http_access allow CONNECT wuCONNECT localnet<br clear="none">> http_access allow windowsupdate localnet<br clear="none">> <br clear="none">> acl Safe_ports port 80 # http<br clear="none">> acl Safe_ports port 443 # https<br clear="none">> acl CONNECT method CONNECT<br clear="none">> <br clear="none">> http_access allow allowedurl<br clear="none">> http_access deny denylist<br clear="none">> http_access allow localhost manager<br clear="none">> http_access allow localhost<br clear="none">> http_access allow localnet<br clear="none">> http_access deny manager<br clear="none">> http_access deny !Safe_ports<br clear="none"><br clear="none">The manager and Safe_Ports checks are useless down here. Their entire<br clear="none">purpose is to prevent unauthorized access to dangerous protocols and<br clear="none">security sensitive proxy management API.<br clear="none"><br clear="none"><br clear="none">> http_access deny all<br clear="none">> <br clear="none">...<br clear="none">> <br clear="none">> refresh_pattern ^ftp:           1440    20%     10080<br clear="none">> refresh_pattern ^gopher:        1440    0%      1440<br clear="none">> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0<br clear="none">> refresh_pattern .               0       20%     4320<br clear="none"><br clear="none">No refresh_pattern following this line will ever match. The "." pattern<br clear="none">matches every URL possible. 
Order is important.<div class="ydp85a94a86yiv6377913569ydpcbbb9a74yqt1017347100" id="ydp85a94a86yiv6377913569ydpcbbb9a74yqtfd29095"><br clear="none"><br clear="none">> refresh_pattern -i<br clear="none">> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320<br clear="none">> 80% 43200 reload-into-ims<br clear="none">> refresh_pattern -i<br clear="none">> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%<br clear="none">> 43200 reload-into-ims<br clear="none">> refresh_pattern -i<br clear="none">> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%<br clear="none">> 43200 reload-into-ims</div><br clear="none">> <br clear="none"><br clear="none"><br clear="none">Amos<br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" href="mailto:squid-users@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" rel="nofollow" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="ydp85a94a86yiv6377913569ydpcbbb9a74yqt1017347100" id="ydp85a94a86yiv6377913569ydpcbbb9a74yqtfd30911"><br clear="none"></div></div></div>
            </div>
        </div></div></body></html>