[squid-users] Fwd: Re: TCP_DENIED/403

Lorenzo navari.lorenzo at gmail.com
Wed Nov 5 10:13:15 UTC 2014 



thank for replay

SO = CentOS 7

squid-3.4.6-1.el7.centos.x86_64

=====================================================

[root at lv-034-005 squid]# cat squid.conf
#
# Recommended minimum configuration:
#

#Default: debug_options ALL,1
#more    : debug_options ALL,1 33,2 28,9
debug_options ALL,1 28,3

visible_hostname proxy.usl1.toscana.it
append_domain .usl1.toscana.it
ftp_passive on
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .            0 20% 4320
error_directory /etc/squid/errors
maximum_object_size 8192 KB
cache_dir ufs /var/spool/squid 8192 16 128
cache_log none
cache_store_log none
cache_mem 512 MB

#####################################################################################

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443 563 445 8080 10443 27443 28443
#acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 22        # telnet
acl Safe_ports port 443    563 445 # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
##################################################################

## ACL definition ##
acl siti_proibiti  url_regex  "/etc/squid/siti.proibiti.squid"

## ACL application ##
http_access deny siti_proibiti

##################################################################

# LDAP AUTH -
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b
ou=users,dc=usl1,dc=toscana,dc=it -H ldap://portale3.usl1.toscana.it/
auth_param basic children 5
auth_param basic realm Accesso ad Internet
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl user_authentication proxy_auth REQUIRED
http_access allow user_authentication

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
[root at lv-034-005 squid]#

================================================================
[root at lv-034-005 squid]# cat siti.proibiti.squid
facebook\.(com|org|info|net|it)
twitter\.(com|org|info|net|it)
\.sex\.(com|org|info|net|it)
google-analytics\.com
youporn\.com
adultfriend\.com
pornhub\.com
sex
porn
games
giochi
gaytube\.com
amantesorgias\.com
porno\.com
www\.topgirlsitalia\.it
\.twitter\.com
\.myspace\.com
\.hi5\.com
\.teamviewer\.com
fbcdn-sphotos-e-a.akamaihd.net
[root at lv-034-005 squid]#






Il 05/11/2014 10:52, Antony Stone ha scritto:
> On Wednesday 05 November 2014 at 10:39:19 (EU time), navari.lorenzo at gmail.com
> wrote:
>
>> I'm configuring a Squid Web Proxy Cache and I apply the deny policy to some
>> sites.  This is the problem:
>>
>> when people access sites with GET they have the right html error page
>> ERR_ACCES_DENIED
>> (LOG = TCP_DENIED/403 4069 GET http://www.sex.com/ - HIER_NONE/- text/html)
>>
>> when people access sites with CONNECT they DON'T have the right html
>> error page
>> but te message CONNECTION REFUSED BY PROXY SERVER
>> (LOG = TCP_DENIED/403 3681 CONNECT facebook.com:443 - HIER_NONE/-
>> text/html)
>>
>> I would like to have the same error page for all.
>>
>> Can anyone help ??
> Please tell us the version of Squid you are using, and show us the rules you
> have implemented for the "deny policy".
>
>
> Regards,
>
>
> Antony.
>

More information about the squid-users mailing list