[squid-users] All website getting Blocked
Amos Jeffries
squid3 at treenet.co.nz
Thu Aug 4 09:09:29 UTC 2016
On 4/08/2016 8:04 p.m., Harsha S Aryan wrote:
> this is my squid conf file.
>
> #############################################
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt"
> acl blocked_ip src "/etc/squid3/Blocked_Ip.txt"
> acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt"
> acl allcomputers src 192.168.1.0/255.255.255.0
> acl allcomputers src 192.168.2.0/255.255.255.0
> acl all_others dst 0.0.0.0/0.0.0.0
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl all src all
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> http_port 80 vhost
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
> refresh_pattern \.js$ 1440 0% 4320
> refresh_pattern \.(PNG|png)$ 1440 0% 4320
> refresh_pattern . 0 20% 4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> hosts_file /etc/hosts
> coredump_dir /var/spool/squid3
>
> ###################################################
>
> On Wed, Aug 3, 2016 at 10:23 PM, Harsha S Aryan <harsha.s.aryan at gmail.com>
> wrote:
>
>>
>> ---------- Forwarded message ----------
>> From: Harsha S Aryan <harsha.s.aryan at gmail.com>
>> Date: Wed, Aug 3, 2016 at 10:22 PM
>> Subject: All website getting Blocked
>> To: squid-users at lists.squid-cache.org
>>
>>
>> Hi,
>>
>> All website getting Blocked
>> using squid3
>> ubuntu 14.04
>> Squid Cache: Version 3.3.8
>>
>>
>> conf file
>>
>>
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
No auth helper is configurred, making the above useless. You can remove.
>> acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt"
>> acl blocked_ip src "/etc/squid3/Blocked_Ip.txt"
>> acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt"
>> acl allcomputers src 192.168.1.0/255.255.255.0
>> acl allcomputers src 192.168.2.0/255.255.255.0
>> acl all_others dst 0.0.0.0/0.0.0.0
Thats all quite odd. Not used anyhow, so you can erase all of the above.
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl all src all
"all" is now a built-in directive. You can remove the above line.
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
"localhost" in modern systems includes the IP address ::1 from IPv6.
The to_localhost should also be including the 0.0.0.0/32 address which
some networking systems treat as localhost. This is a security
protection so needs to be configured right to work. You have not used it
anywhere though, so you can remove the definition entirely if you like.
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> http_access deny all
In other words, this proxy will only accept requests coming from
locahost (127.0.0.1). No other clients are permitted to use the proxy
for HTTP.
>> http_port 3128
>> http_port 80 vhost
>> hierarchy_stoplist cgi-bin ?
Above is an obsolete directive. Remove.
>> access_log /var/log/squid3/access.log squid
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
>> refresh_pattern \.js$ 1440 0% 4320
>> refresh_pattern \.(PNG|png)$ 1440 0% 4320
>> refresh_pattern . 0 20% 4320
>> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
>> upgrade_http0.9 deny shoutcast
The shoutcast stuff is obsolete old Squid-2.7 config. Squid-3 has native
ICY / SHOUTcast / ICEcast support. There is no config required.
>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
extension_methods are also obsolete in Squid-3. All methods, including
unknown ones are treated properly.
>> hosts_file /etc/hosts
That is the default location for Limux systems. No need to configure
hosts_file like this.
>> coredump_dir /var/spool/squid3
>>
>> Please let me know if anything is missing
>>
What are you intending this proxies purpose to be?
Amos
More information about the squid-users
mailing list