[squid-users] All website getting Blocked

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 4 09:09:29 UTC 2016


On 4/08/2016 8:04 p.m., Harsha S Aryan wrote:
> this is my squid conf file.
> 
> #############################################
> 
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt"
> acl blocked_ip src "/etc/squid3/Blocked_Ip.txt"
> acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt"
> acl allcomputers src 192.168.1.0/255.255.255.0
> acl allcomputers src 192.168.2.0/255.255.255.0
> acl all_others dst 0.0.0.0/0.0.0.0
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl all src all
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> http_port 80 vhost
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
> refresh_pattern \.js$ 1440 0% 4320
> refresh_pattern \.(PNG|png)$ 1440 0% 4320
> refresh_pattern .               0       20%     4320
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
> hosts_file /etc/hosts
> coredump_dir /var/spool/squid3
> 
> ###################################################
> 
> On Wed, Aug 3, 2016 at 10:23 PM, Harsha S Aryan <harsha.s.aryan at gmail.com>
> wrote:
> 
>>
>> ---------- Forwarded message ----------
>> From: Harsha S Aryan <harsha.s.aryan at gmail.com>
>> Date: Wed, Aug 3, 2016 at 10:22 PM
>> Subject: All website getting Blocked
>> To: squid-users at lists.squid-cache.org
>>
>>
>> Hi,
>>
>> All website getting Blocked
>> using squid3
>> ubuntu 14.04
>> Squid Cache: Version 3.3.8
>>
>>
>> conf file
>>
>>
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off

No auth helper is configurred, making the above useless. You can remove.

>> acl allowed_sites dstdomain "/etc/squid3/Allowed_Sites.txt"
>> acl blocked_ip src "/etc/squid3/Blocked_Ip.txt"
>> acl allowed_ip dst "/etc/squid3/Allowed_Ip.txt"
>> acl allcomputers src 192.168.1.0/255.255.255.0
>> acl allcomputers src 192.168.2.0/255.255.255.0
>> acl all_others dst 0.0.0.0/0.0.0.0

Thats all quite odd. Not used anyhow, so you can erase all of the above.

>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

>> acl all src all

"all" is now a built-in directive. You can remove the above line.

>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8

"localhost" in modern systems includes the IP address ::1 from IPv6.

The to_localhost should also be including the 0.0.0.0/32 address which
some networking systems treat as localhost. This is a security
protection so needs to be configured right to work. You have not used it
anywhere though, so you can remove the definition entirely if you like.

>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow localhost
>> http_access deny all

In other words, this proxy will only accept requests coming from
locahost (127.0.0.1). No other clients are permitted to use the proxy
for HTTP.


>> http_port 3128
>> http_port 80 vhost
>> hierarchy_stoplist cgi-bin ?

Above is an obsolete directive. Remove.

>> access_log /var/log/squid3/access.log squid
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
>> refresh_pattern \.js$ 1440 0% 4320
>> refresh_pattern \.(PNG|png)$ 1440 0% 4320
>> refresh_pattern .               0       20%     4320
>> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
>> upgrade_http0.9 deny shoutcast

The shoutcast stuff is obsolete old Squid-2.7 config. Squid-3 has native
ICY / SHOUTcast / ICEcast support. There is no config required.

>> acl apache rep_header Server ^Apache
>> broken_vary_encoding allow apache
>> extension_methods REPORT MERGE MKACTIVITY CHECKOUT

extension_methods are also obsolete in Squid-3. All methods, including
unknown ones are treated properly.

>> hosts_file /etc/hosts

That is the default location for Limux systems. No need to configure
hosts_file like this.

>> coredump_dir /var/spool/squid3
>>
>> Please let me know if anything is missing
>>

What are you intending this proxies purpose to be?


Amos



More information about the squid-users mailing list