[squid-users] http_access deny for dstdomain acl not denying access to url.. what am I doing wrong?

Walter H. Walter.H at mathemainzel.info
Wed Oct 15 05:56:06 UTC 2014


# ACL definitions; the "(a)" … "(j)" tags refer to the sample entries listed below the rules.
acl allow_urls url_regex -i "/etc/squid/allowurls-regex-acl.squid" (a)
acl block_urls url_regex -i "/etc/squid/blockurls-regex-acl.squid" (b)
# NOTE(review): the following acl lines appear split in two, presumably by the
# mail client; in squid.conf each acl directive must be a single line.
acl allow_urlpaths urlpath_regex -i 
"/etc/squid/allowurlpaths-regex-acl.squid" (c)
acl block_urlpaths urlpath_regex -i 
"/etc/squid/blockurlpaths-regex-acl.squid" (d)
acl allow_domains_list dstdomain 
"/etc/squid/allowdomains-list-acl.squid" (e)
acl block_domains_list dstdomain 
"/etc/squid/blockdomains-list-acl.squid" (f)
acl block_domains_listex dstdomain 
"/etc/squid/blockdomains-listex-acl.squid" (g)
acl allow_domains_regex dstdom_regex -i 
"/etc/squid/allowdomains-regex-acl.squid" (h)
acl block_domains_regex dstdom_regex -i 
"/etc/squid/blockdomains-regex-acl.squid" (i)
# (j) matches on destination IP addresses rather than names.
acl block_hosts_list dst "/etc/squid/blockhosts-list-acl.squid" (j)
# Error page handed to the client when the named deny ACL is the one that fires.
deny_info ERR_URL_BLOCKED block_urls
deny_info ERR_URL_BLOCKED block_urlpaths
deny_info ERR_DOMAIN_BLOCKED block_domains_list
deny_info ERR_DOMAIN_BLOCKED block_domains_listex
deny_info ERR_DOMAIN_BLOCKED block_domains_regex
deny_info ERR_HOST_BLOCKED block_hosts_list
# http_access lines are evaluated top-down and the first match wins. Every allow
# rule is placed above every deny rule, so a request matching any allow list is
# admitted even if it also matches one of the block lists; only requests that
# match no allow list are ever checked against the denies. Requests that match
# nothing here fall through to whatever follows this excerpt in squid.conf.
http_access allow allow_urls
http_access allow allow_urlpaths
http_access allow allow_domains_list
http_access allow allow_domains_regex
http_access deny block_urls
http_access deny block_urlpaths
http_access deny block_domains_list
http_access deny block_domains_listex
http_access deny block_domains_regex
http_access deny block_hosts_list

(a), (b) look like this: 
"^http:\/\/websupport\.wdc\.com\/sfclickcount.asp\?"
(c), (d) look like this: "^\/cgi-bin\/"
(e), (f), (g) look like this: "www.googletagmanager.com"
(h), (i) look like this: "^banner(s)?[0-9]*\."
(j) looks like this: "85.17.30.143"

(g) comes from a source such as http://winhelp2002.mvps.org/hosts.htm

On 15.10.2014 02:05, Mirza Dedic wrote:
> Trying to understand what I am doing wrong with my ACLs (yes I've read 
> the ACL guide on squid site.. but still confused).. My client is 
> 172.16.10.101, trying to block access to facebook (and other dstdomain 
> file lists), but it is not working from the client I can still access fb.
>
> Is this because I have this rule below..?
>
> acl localnet src 172.16.0.0/12
> http_access allow localnet
>
yes - http_access is evaluated top-down and the first matching line wins, so `http_access allow localnet` admits every request from 172.16.10.101 before `http_access deny ads adult gambling fb` is ever reached; move that deny line above `http_access allow localnet` and it will take effect.

> Instead of denying everything access and manually maintaining rules, I 
> want to allow http/https access for everything except explicitly 
> defined ACLs (in this case the facebook acl as a test).
>
> I've tried to set debugging to debug_options ALL,1 33,2 to see more 
> info on ACLs (read on some site this is the debug flags to set) but I 
> don't see any ACL details in my access.log file.
>
> my squid.conf (for SQUID 3.3.3) file is below..
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> acl SSL_ports port 443 8180 8443 563 1494 2598 8531
> acl Safe_ports port 80# http
> acl Safe_ports port 81 # http for Pacific Brokerage
> acl Safe_ports port 21# ftp
> acl Safe_ports port 443 563# http
> acl Safe_ports port 70# gopher
> acl Safe_ports port 210# wais
> acl Safe_ports port 280# http-mgmt
> acl Safe_ports port 488# gss-http
> acl Safe_ports port 591# filemaker
> acl Safe_ports port 777# multiling http
> acl Safe_ports port 8080 8081 8082 8088 8180
> acl Safe_ports port 3128 # Squid http server
> acl Safe_ports port 1494 2598 # ICA - Citrix
> acl Safe_ports port 7000 8000 # Oracle
> acl Safe_ports port 9000 # Oracle
> acl Safe_ports port 8530# WSUS
> acl Safe_ports port 55905# WSUS
> acl Safe_ports port 1025-65535# unregistered ports
> acl CONNECT method CONNECT
>
> http_access allow localhost manager
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> *acl ads dstdomain "/etc/squid/blacklists/ads/domains"*
> *acl adult dstdomain "/etc/squid/blacklists/adult/domains"*
> *acl gambling dstdomain "/etc/squid/blacklists/gambling/domains"*
> *acl fb dstdomain .facebook.com*
>
> http_access allow localnet
> http_access allow localhost
>
> *http_access deny ads adult gambling fb*
>
> http_access deny all
>
> http_port 8080
> dns_nameservers 172.16.11.3 172.16.11.2 172.16.11.1
> visible_hostname www-proxy
>
> hierarchy_stoplist cgi-bin ?
>
> logformat oppy %ts.%03tu %6tr %>a %>A %Ss/%03>Hs %<st %rm %ru %[un 
> %Sh/%<a %mt
> access_log daemon:/var/log/squid/access.log oppy
> cache_store_log daemon:/var/log/squid/store.log
> cache_log /var/log/squid/cache.log
> cache_mem 64 MB
> logfile_rotate 4
> debug_options ALL,1
> # ACL Debug Options
> # debug_options ALL,1 33,2
> # debug_options ALL,1 33,2 28,9
> coredump_dir /var/log/squid/squid
>
> shutdown_lifetime 3 seconds
> dns_v4_first on
> retry_on_error on
> forward_max_tries 25
> forward_timeout 30 seconds
> connect_timeout 30 seconds
> read_timeout 30 seconds
> request_timeout 30 seconds
> persistent_request_timeout 1 minute
>
> cache_dir ufs /var/cache/squid 100 16 256
> cache_mgr ittechs at domain.com
>
> snmp_port 0
> icp_port 0
> htcp_port 0
>
> refresh_pattern ^ftp:144020%10080
> refresh_pattern ^gopher:14400%1440
> refresh_pattern -i (/cgi-bin/|\?) 00%0
> refresh_pattern .020%4320
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
