[squid-users] acl for redirect - re Amos

Mike mcsnv96 at afo.net
Fri Jun 26 16:09:45 UTC 2015


Amos,

I would like to use e2guardian if possible, and after checking it out, 
http://www.google.com/webhp?nord=1 does force the insecure, but previous 
entries attempted just cause all searches to loop back to that same url 
instead of passing it along.

We could use a regex option in squid, but since we want the rest of the 
sites to be handled normally through e2guardian, what acl entries would 
we use to set it up to only take effect on google.com? Essentially "if 
dstdomain = google.com then use acl blocklist /etc/squid/badwords".
I have not used a 2 layer or referring acl setup before, but before now 
never needed to.

Thank you so much for the help!

Mike


On 6/26/2015 0:29 AM, Amos Jeffries wrote:
> On 26/06/2015 2:36 a.m., Mike wrote:
>> Amos, thanks for info.
>>
>> The primary settings being used in squid.conf:
>>
>> http_port 8080
>> # this port is what will be used for SSL Proxy on client browser
>> http_port 8081 intercept
>>
>> https_port 8082 intercept ssl-bump connection-auth=off
>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>>
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
>> sslcrtd_children 50 startup=5 idle=1
>> ssl_bump server-first all
>> ssl_bump none localhost
>>
>>
>> Then e2guardian uses 10101 for the browsers, and uses 8080 for
>> connecting to squid on the same server.
> Doesn't matter. Due to TLS security requirements Squid ensures the TLS
> connection is re-encrypted on outgoing.
>
>
> I am doubtful the nord works anymore since Google's own documentation for
> schools states that one must install a MITM proxy that does the traffic
> filtering - e2guardian is not one of those. IMO you should convert your
> e2guardian config into Squid ACL rules that can be applied to the bumped
> traffic without forcing http://
>
> But if nord does work, so should the deny_info in Squid. Something like
> this probably:
>
>   acl google dstdomain .google.com
>   deny_info 301:http://%H%R?nord=1 google
>
>   acl GwithQuery urlpath_regex \?
>   deny_info 301:http://%H%R&nord=1 GwithQuery
>
>   http_access deny google GwithQuery
>   http_access deny google
>
>
> Amos
>
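An added example (not from Mike, Amos, or the Squid project) of how the "only on google.com" layering Mike asks for can be written in squid.conf: the blocklist acl is ANDed with the dstdomain acl on a single http_access line, and a has_nord acl keeps the nord redirect from matching the request it just redirected, which is the loop Mike reports. It assumes /etc/squid/badwords holds one regex per line and that these lines sit before the existing http_access allow rules.

```conf
# Added example (not from the thread or the Squid project): scope the badwords
# blocklist and the nord=1 redirect to google.com only.

acl google dstdomain .google.com

# Assumption: /etc/squid/badwords holds one case-insensitive regex per line.
acl badwords url_regex -i "/etc/squid/badwords"

# Requests that already carry nord=1 must not be redirected a second time,
# otherwise every search loops back to the redirect target.
acl has_nord  urlpath_regex nord=1
acl has_query urlpath_regex \?

# deny_info is chosen by the LAST acl name on the http_access line that
# denied, so the no-query form of the redirect needs its own acl name.
acl google_noquery dstdomain .google.com
deny_info 301:http://%H%R&nord=1 has_query
deny_info 301:http://%H%R?nord=1 google_noquery

# Put these before the usual "http_access allow localnet" rules.
# 1. The blocklist applies to google.com only; other sites are untouched here.
http_access deny google badwords
# 2. Force the plain-http nord form once; !has_nord breaks the redirect loop.
http_access deny !has_nord google has_query
http_access deny !has_nord google_noquery
```

Run `squid -k parse` after editing to confirm every acl name referenced on an http_access line is defined.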


