[squid-users] New to Squid, Forward proxy problems with domain blocks.

Augusto Gabanzo augusto.gabanzo at ole.com.do
Thu Jul 2 15:29:18 UTC 2015


Hello, as the subject says I'm new.

 

I've been reading a lot and some examples, and I do have a weird problem where I
can't block some domains. First and foremost, I'm using the Squid proxy for
Windows version 2.7.8,

as that's the only one for Windows that works for me; the 3.x versions always
deny requests from clients even with the default conf. I've been testing all
this in a production environment so ... help me!! please or I will get killed
soon :D.

 

My conf for 2.7.8 is (I'm modifying one that comes with proxy 3.1):

 

#Modified by Kyi Thar 15 March 2010

http_port 8080

cache_mgr helpdesk at ole.com.do

visible_hostname lotus.hidden

hierarchy_stoplist cgi-bin ?

cache_mem 64 MB

cache_replacement_policy heap LFUDA

cache_dir aufs c:/Squid/cache01 2000 16 256

cache_dir aufs c:/Squid/cache02 2000 16 256

cache_dir aufs c:/Squid/cache03 2000 16 256

cache_access_log c:/Squid/var/logs/access.log

cache_log c:/Squid/var/logs/cache.log

cache_store_log c:/Squid/var/logs/store.log

mime_table c:/Squid/etc/mime.conf

pid_filename c:/Squid/var/logs/squid.pid   # this part here I don't know what its use is, as I can't find info about it on the net

diskd_program c:/Squid/libexec/diskd.exe

unlinkd_program c:/Squid/libexec/unlinkd.exe

logfile_daemon c:/squid/libexec/logfile-daemon.exe

forwarded_for off

via off

httpd_suppress_version_string on

uri_whitespace strip

 

maximum_object_size 524288 KB

maximum_object_size_in_memory 1024 KB

 

#redirect_program c:/usr/local/squidGuard/squidGuard.exe

 

# authentication with Windows server (commented this part out as I don't want users
# to have to log on once more on the web pages; I wasn't able to stop them from
# doing so and my boss didn't like the extra hassle)

#auth_param basic program c:/squid/libexec/mswin_auth.exe -O HIDDEN

#auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe

#auth_param ntlm children 5

#auth_param ntlm keep_alive on

 

acl all src all

acl manager proto cache_object

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

acl localnet src 10.0.0.0/8             # RFC1918 possible internal network (some of my computers are in this range)

acl localnet src 172.16.0.0/12      # RFC1918 possible internal network (don't use this range but I will make a DMZ for the servers with it)

acl localnet src 192.168.0.0/16   # RFC1918 possible internal network (NORMAL range for users)

 

#             catch certain bugs (for example with persistent connections) and possibly

#             buffer-overflow or denial-of-service attacks.

request_header_max_size 20 KB

reply_header_max_size 20 KB

 

# Limit upload to 2M and download to 10M (trying to stop users from uploading
# big files to email sites and fb and downloading big files, as I only have 6mbps
# and 1mbps down/up bandwidth)

request_body_max_size 2048 KB

reply_body_max_size 10485760 deny localnet

 

# compressed (I modified this part, as instead of 0 they had 10080 and instead
# of 10080 they had 999999; those times are too big, files could stay forever
# fresh! inside the cache)

 

refresh_pattern -i \.gz$ 0 90% 10080 

refresh_pattern -i \.cab$ 0 90% 10080 

refresh_pattern -i \.bzip2$ 0 90% 10080 

refresh_pattern -i \.bz2$ 0 90% 10080 

refresh_pattern -i \.gz2$ 0 90% 10080 

refresh_pattern -i \.tgz$ 0 90% 10080 

refresh_pattern -i \.tar.gz$ 0 90% 10080 

refresh_pattern -i \.zip$ 0 90% 10080 

refresh_pattern -i \.rar$ 0 90% 10080

refresh_pattern -i \.tar$ 0 90% 10080 

refresh_pattern -i \.ace$ 0 90% 10080 

refresh_pattern -i \.7z$ 0 90% 10080 

 

# documents

refresh_pattern -i \.xls$ 0 90% 10080 

refresh_pattern -i \.doc$ 0 90% 10080 

refresh_pattern -i \.xlsx$ 0 90% 10080 

refresh_pattern -i \.docx$ 0 90% 10080 

refresh_pattern -i \.pdf$ 0 90% 10080 

refresh_pattern -i \.ppt$ 0 90% 10080 

refresh_pattern -i \.pptx$ 0 90% 10080 

refresh_pattern -i \.rtf\?$ 0 90% 10080 

 

# multimedia

refresh_pattern -i \.mid$ 0 90% 10080 

refresh_pattern -i \.wav$ 0 90% 10080 

refresh_pattern -i \.viv$ 0 90% 10080 

refresh_pattern -i \.mpg$ 0 90% 10080 

refresh_pattern -i \.mov$ 0 90% 10080 

refresh_pattern -i \.avi$ 0 90% 10080 

refresh_pattern -i \.asf$ 0 90% 10080 

refresh_pattern -i \.qt$ 0 90% 10080 

refresh_pattern -i \.rm$ 0 90% 10080 

refresh_pattern -i \.rmvb$ 0 90% 10080 

refresh_pattern -i \.mpeg$ 0 90% 10080 

refresh_pattern -i \.wmp$ 0 90% 10080 

refresh_pattern -i \.3gp$ 0 90% 10080 

refresh_pattern -i \.mp3$ 0 90% 10080 

refresh_pattern -i \.mp4$ 0 90% 10080 

 

# images

refresh_pattern -i \.gif$ 0 90% 10080 

refresh_pattern -i \.jpg$ 0 90% 10080 

refresh_pattern -i \.png$ 0 90% 10080 

refresh_pattern -i \.jpeg$ 0 90% 10080 

refresh_pattern -i \.bmp$ 0 90% 10080 

refresh_pattern -i \.psd$ 0 90% 10080 

refresh_pattern -i \.ad$ 0 90% 10080 

refresh_pattern -i \.gif\?$ 0 90% 10080 

refresh_pattern -i \.jpg\?$ 0 90% 10080 

refresh_pattern -i \.png\?$ 0 90% 10080 

refresh_pattern -i \.jpeg\?$ 0 90% 10080 

refresh_pattern -i \.psd\?$ 0 90% 10080 

 

# application

refresh_pattern -i \.deb$ 0 90% 10080 

refresh_pattern -i \.rpm$ 0 90% 10080 

refresh_pattern -i \.msi$ 0 90% 10080 

refresh_pattern -i \.exe$ 0 90% 10080 

refresh_pattern -i \.dmg$ 0 90% 10080 

 

# default refresh patterns

refresh_pattern ^ftp: 1440 20% 0 

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 

 

# if a file ends before finishing, send the quick abort if those parameters
# comply (I kinda forgot why I copied this from the web)

quick_abort_min 16 KB

quick_abort_max 16 KB

quick_abort_pct 95

 

#ACL to define ports allowed to passthrough Squid

acl SSL_ports port 443

acl Safe_ports port 80                   # http

acl Safe_ports port 84                   # laboratorios cortina

acl Safe_ports port 21                   # ftp

acl Safe_ports port 443                # https

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280                # http-mgmt

acl Safe_ports port 488                # gss-http

acl CONNECT method CONNECT

 

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

 

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

 

http_access deny to_localhost

 

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

 

acl fullvideo src "c:/squid/etc/ipfullvideo.sq"  # here is a file with IPs allowed to see youtube and facebook videos, media streaming

acl bad_url url_regex -i "c:/squid/etc/bad-sites.sq" # .facebook.com .twitter.com; rule to block those sites for users inside ipbloqueada

acl ipbloqueada src 192.168.1.117/32 192.168.1.179/32 192.168.1.170/32 192.168.1.15/32  # IPs of 3 users that shouldn't be accessing fb and twitter.

acl bad_ext urlpath_regex -i "c:/squid/etc/extensiones.sq" # rule to block some file extensions like .avi$, .mpg$ etc; stop downloads from them even if they are smaller than 10MB (this doesn't WORK!)

 

#Media Streams   I try to block streaming here; downloaded this from your site

## MediaPlayer MMS Protocol

acl media rep_mime_type mms

acl mediapr url_regex dvrplayer mediastream ^mms://

## (Squid does not yet handle the URI as a known proto type.)

 

## Active Stream Format (Windows Media Player)

acl media rep_mime_type x-ms-asf

##acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$             #(regex makes squid 2.7.8 blow up, had to comment them)

 

## Flash Video Format

acl media rep_mime_type video/flv video/x-flv

##acl mediapr urlpath_regex \.flv(\?.*)?$                         #(regex makes squid 2.7.8 blow up, had to comment them)

 

## Flash General Media Scripts (Animation)

acl media rep_mime_type application/x-shockwave-flash

##acl mediapr urlpath_regex \.swf(\?.*)?$                       #(regex makes squid 2.7.8 blow up, had to comment them)

 

## Others currently unknown

acl media rep_mime_type ms-hdr

acl media rep_mime_type x-fcs

 

# now we do the real blocking here

 

http_access allow localnet                                         # let the network use the proxy

http_access allow localhost                                       # let the proxy server use itself ?? (O_o I don't quite get this part.)

http_access allow manager localhost

 

http_access deny bad_url ipbloqueada               # here I want all the URLs in BAD_URL from the IPs IPBLOQUEADA to be denied; used to work ... when I started but now it doesn't, I will show a sample of the file at the end

http_access deny bad_ext                                        # block reading of files with those extensions.

deny_info TCP_RESET bad_ext                                # send a tcp_reset so they don't know the proxy blocked them

http_reply_access deny media !fullvideo           # here I try to deny access to media to all but those inside fullvideo (doesn't quite work either, youtube loads and works :D) some other streams are blocked well

##http_access deny mediapr

 

# And finally deny all other access to this proxy

http_access deny all

 

#always_direct allow all                                              # I feel this part is to let squidguard work; I removed it cuz it blocked youtube and many other sites, I bet that was because of the ads.

 

icon_directory c:/Squid/share/icons

error_directory c:/Squid/share/errors/Spanish

coredump_dir c:/Squid

 

 

##This is bad_sites.sq

.fanfiction.net

.meebo.com

.playboy.com

.myspace.com

.sexo.com

.facebook.com

.twitter.com

.hi5.com

plus.google.com

.identi.li

 

 

## this is extensiones.sq 

 

.mp3$

.exe$

.com$

.bat$

.pif$

.avi$

.mpg$

.zip$

.rar$

.z7$

 

##this is ipfullvideo.sq

 

192.168.1.36

192.168.1.51

192.168.1.67

192.168.1.170

192.168.1.171

192.168.1.185

 

 
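An added example, not from the post or from Squid itself: a small Python model of Squid's first-match http_access evaluation over the ACLs quoted above (localnet, localhost, ipbloqueada, bad_url, bad_ext and all; the manager, Safe_ports, CONNECT and to_localhost lines are left out for brevity). It shows what the rule order in the posted conf does for a 192.168.1.x client listed in ipbloqueada, what the same lines do with the specific deny lines placed above the blanket allow, and why an urlpath_regex entry anchored with `$` does not match a URL that carries a query string (the model treats Squid's URL-path as path plus query). The host names and query strings in the checks are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# ACL contents copied from the posted squid.conf and its .sq files (a subset,
# used here as constructed sample data).
LOCALNET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPBLOQUEADA = {"192.168.1.117", "192.168.1.179", "192.168.1.170", "192.168.1.15"}
BAD_URL = [re.compile(p, re.I) for p in (".facebook.com", ".twitter.com")]  # url_regex
BAD_EXT = [re.compile(p, re.I) for p in (".mp3$", ".exe$", ".avi$")]        # urlpath_regex

def acl_matches(name, src, url):
    """One ACL, evaluated the way Squid does it: 'src' ACLs test the client IP,
    url_regex searches the whole URL, urlpath_regex only the path (plus query)."""
    if name == "localnet":
        return any(ip_address(src) in net for net in LOCALNET)
    if name == "localhost":
        return src == "127.0.0.1"
    if name == "ipbloqueada":
        return src in IPBLOQUEADA
    if name == "bad_url":
        return any(r.search(url) for r in BAD_URL)
    if name == "bad_ext":
        u = urlsplit(url)
        urlpath = u.path + ("?" + u.query if u.query else "")
        return any(r.search(urlpath) for r in BAD_EXT)
    if name == "all":
        return True
    raise KeyError(name)

def http_access(rules, src, url):
    """First-match evaluation like Squid's http_access: a line matches only when
    every ACL on it matches (a leading '!' negates one); the first matching line
    decides. With no match, Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), src, url) != a.startswith("!") for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# Order as posted: the blanket 'allow localnet' is evaluated first.
POSTED_ORDER = [("allow", ["localnet"]), ("allow", ["localhost"]),
                ("deny", ["bad_url", "ipbloqueada"]), ("deny", ["bad_ext"]),
                ("deny", ["all"])]
# The same lines with the specific deny lines moved above the blanket allow.
FIXED_ORDER = [("deny", ["bad_url", "ipbloqueada"]), ("deny", ["bad_ext"]),
               ("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"])]
```

Call `http_access(POSTED_ORDER, "192.168.1.117", "http://www.facebook.com/")` and the same with `FIXED_ORDER` to compare the two orders; a URL such as `http://host.example/a.mp3?dl=1` shows the `$`-anchored extension pattern missing once a query string is present.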
