[squid-users] HTTPS - THE PROXY SERVER IS REFUSING
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 19 13:26:40 UTC 2016
Hm, apart from the order, it looks good.
So if I understand correctly, you want to deny everything except what's in your whitelist_primaire file?
Then take this copy of my home config, which I have already adjusted to your settings,
so you should be able to copy-paste it. ;-)
It's mostly a default file,
for the learning process. Look where I put your rules and look at the order.
#--------------FROM HERE ---------------------------
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
# own ACL rules
acl localnet src 192.168.0.0/24 # RFC 1918 local private network (LAN)
# and maybe also add : acl localnet src 192.168.1.0/24 # RFC 1918 local private network (LAN)
#
# OR acl localnet src 192.168.0.0/23 # RFC 1918 local private network (LAN)
# since I see 192.168.0.0 and 192.168.1.x in your mails.
# acl to explicit allowed sites.
acl whitelist_prim dstdomain "/etc/squid3/whitelist_primaire"
## To always block ads, put them above all other rules.
## optional block advertising site rules here.
## https://calomel.org/squid_adservers.html
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Allow sites in whitelist_primaire
http_access allow whitelist_prim
# Deny sites not in whitelist_primaire
http_access deny !whitelist_prim
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# other rules
http_port 192.168.0.28:3128
cache_mem 512 MB
maximum_object_size_in_memory 1024 KB
cache_dir ufs /var/spool/squid3 5000 16 256
###################################
## If /dev/null is specified to any of the above log files,
## logfile rotate MUST also be set to 0 or else risk Squid
## rotating away /dev/null making it a plain log file
######################################
access_log daemon:/var/log/squid3/access.log squid
#access_log none
cache_log /var/log/squid3/cache.log
#cache_log /dev/null
cache_store_log /var/log/squid3/cache.log
#cache_store_log none
#######################################
coredump_dir /var/spool/squid3
# change the "nl" here to your own country code
error_directory /usr/share/squid-langpack/nl
pinger_enable off
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
httpd_suppress_version_string on
#--------------TO HERE ---------------------------
Greetz,
Louis
> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> adego70 at gmail.com
> Sent: Friday 19 August 2016 13:38
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] HTTPS - THE PROXY SERVER IS REFUSING
>
> Thank you for your help (both L.P.H. van Belle & Amos Jeffries).
>
> I changed my squid.conf but now I don't get any URL denied...
> In fact, every http & https URL is allowed even if it is not in
> whitelist_primaire.
> I made many tests but I can't find the right way...
> Please find enclosed the conf for Firefox.
>
> My new conf :
> http_port 3128
> acl localnet src 192.168.0.0/24 # RFC 1918 local private network (LAN)
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
>
> acl whitelist_prim dstdomain "/etc/squid3/whitelist_primaire"
> http_access deny !whitelist_prim
>
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> coredump_dir /var/spool/squid3
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
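Because http_access is first-match, the two listings in this thread behave differently for a client that is not on the LAN: the order above allows whitelisted sites before the localnet check, while the quoted order only reaches "allow localnet" after the whitelist deny. The simulator below is an added example written for this thread, not Squid's code; it inlines a constructed whitelist (".example.com") instead of reading /etc/squid3/whitelist_primaire and only models the src, dstdomain, port and method ACL types.

```python
import ipaddress

# Constructed, added example (not Squid's code): a first-match simulator for the
# http_access subset used in the two listings above. Whitelist domains are inlined
# instead of read from /etc/squid3/whitelist_primaire.
LOUIS = """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/23
acl whitelist_prim dstdomain .example.com
http_access deny CONNECT !SSL_ports
http_access allow whitelist_prim
http_access deny !whitelist_prim
http_access allow localnet
http_access deny all
"""
QUOTED = LOUIS.replace("http_access allow whitelist_prim\n", "")  # the quoted order

def parse(conf):
    # Squid's built-in "all" is a src ACL matching every address.
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []
    for line in conf.splitlines():
        parts = line.split("#")[0].split()
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def matches(kind, values, req):
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single port or "low-high" range
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":  # leading dot matches the domain and its subdomains
        h = req["host"]
        return any(h == v or (v[0] == "." and (h == v[1:] or h.endswith(v))) for v in values)
    raise ValueError(kind)

def decide(conf, req):
    # First http_access line whose ACLs all match (negated with "!") wins; with no
    # match at all, Squid applies the opposite of the last line's action.
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(matches(*acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```

Running decide() for a 10.x source against a whitelisted host returns "allow" under LOUIS but "deny" under QUOTED, so with the first order any client able to reach port 3128 can use the proxy for the whitelisted domains; moving "allow whitelist_prim" below "allow localnet", or adding localnet to that line, keeps it LAN-only.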