[squid-users] HTTPS - THE PROXY SERVER IS REFUSING

L.P.H. van Belle belle at bazuin.nl
Fri Aug 19 13:26:40 UTC 2016


Hm, apart from the order, it looks good.

So if I understand correctly, you want to deny everything except what is in your whitelist_primaire file?

Then take this copy of my home config; I have already adjusted it to your settings.
So you should be able to copy-paste this. ;-)

It is mostly a default file, for the learning process. Look where I put your rules and look at the order.


#--------------FROM HERE ---------------------------
acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# own ACL rules
acl localnet src 192.168.0.0/24 # RFC 1918 local private network (LAN)

# and maybe also add : acl localnet src 192.168.1.0/24 # RFC 1918 local private network (LAN)
#
# OR acl localnet src 192.168.0.0/23 # RFC 1918 local private network (LAN)
# since I see 192.168.0.0 and 192.168.1.x in your mails.

# acl for explicitly allowed sites.
acl whitelist_prim dstdomain "/etc/squid3/whitelist_primaire"

## To always block ads, put them above all other rules.
## optional block advertising site rules here.
## https://calomel.org/squid_adservers.html

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#  Allow sites in whitelist_primaire
#  (this line has no src term, so every client that can reach http_port gets
#   the whitelisted sites; write "allow localnet whitelist_prim" to limit it to the LAN)
http_access allow whitelist_prim

# Deny sites not in whitelist_primaire
http_access deny !whitelist_prim

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# other rules

http_port 192.168.0.28:3128

cache_mem 512 MB
maximum_object_size_in_memory 1024 KB

cache_dir ufs /var/spool/squid3 5000 16 256

###################################
## If /dev/null is specified for any of these log files,
## logfile_rotate MUST also be set to 0 or else risk Squid
## rotating away /dev/null making it a plain log file
######################################
access_log daemon:/var/log/squid3/access.log squid
#access_log none
cache_log /var/log/squid3/cache.log
#cache_log /dev/null
# the store log gets its own file (pointing it at cache.log as well would mix two logs into one file)
cache_store_log /var/log/squid3/store.log
#cache_store_log none
#######################################

coredump_dir /var/spool/squid3
# change the "nl" to your country code
error_directory /usr/share/squid-langpack/nl

pinger_enable off

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

httpd_suppress_version_string on

#--------------TO  HERE ---------------------------

 

Greetz, 

 

Louis
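Since the whole lesson here is the order of the http_access lines, here is a small Python model of how Squid walks them, added as an example (my own code, not part of this post and not Squid's code): the first line whose ACL terms all match decides, "!" negates a term, and a request that matches no line gets the opposite of the last line's action. The ACL matching is a simplified re-implementation covering only the types used in the config above (src, port, method, dstdomain) plus the built-in all, localhost, manager and to_localhost; WHITELIST is a constructed stand-in for /etc/squid3/whitelist_primaire and the client addresses are made up. Running the posted order through it also shows one thing to be aware of: "http_access allow whitelist_prim" has no src term, so a client outside localnet (192.168.1.10 in the example) is allowed to whitelisted sites. TIGHTENED_RULES adds localnet to that line, after which only the LAN gets through.

```python
# Added example (not from the post, not Squid's code): a model of Squid's
# http_access evaluation, to check rule order offline. ACL matching is simplified.
import ipaddress
from collections import namedtuple

# src = client IP, method, host and port of the request; path only feeds 'manager'.
Request = namedtuple("Request", "src method host port path", defaults=["/"])

# Constructed stand-in for /etc/squid3/whitelist_primaire. Squid dstdomain
# semantics: ".example.org" matches the domain and its subdomains,
# "example.com" matches only that exact host.
WHITELIST = ["example.com", ".example.org"]

# ACLs Squid provides without an 'acl' line (simplified here).
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0", "::/0"]),
    "localhost": ("src", ["127.0.0.0/8", "::1"]),
    "manager": ("path_prefix", ["/squid-internal-mgr/"]),
    "to_localhost": ("dsthost", ["localhost", "127.0.0.1", "::1"]),
}

def _port_match(spec, port):
    for tok in spec:                          # "443" or "1025-65535"
        lo, _, hi = tok.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _dstdomain_match(patterns, host):
    h = host.lower().rstrip(".")
    return any(h == p.lstrip(".") or (p.startswith(".") and h.endswith(p))
               for p in (p.lower() for p in patterns))

class Policy:
    """Parses the 'acl' and 'http_access' lines of a squid.conf fragment."""
    def __init__(self, conf, whitelist=WHITELIST):
        self.acls = dict(BUILTIN_ACLS)
        self.rules = []                       # (action, terms, original line)
        for raw in conf.splitlines():
            parts = raw.split("#", 1)[0].split()
            if not parts:
                continue
            if parts[0] == "acl":
                name, kind, args = parts[1], parts[2], parts[3:]
                if args and args[0].startswith('"'):      # "file" argument
                    args = list(whitelist)
                self.acls[name] = (kind, self.acls.get(name, (kind, []))[1] + args)
            elif parts[0] == "http_access":
                self.rules.append((parts[1], parts[2:], " ".join(parts)))

    def _acl_match(self, name, req):
        kind, args = self.acls[name]
        if kind == "src":
            ip = ipaddress.ip_address(req.src)
            return any(ip in ipaddress.ip_network(n, strict=False) for n in args)
        if kind == "port":
            return _port_match(args, req.port)
        if kind == "method":
            return req.method.upper() in {a.upper() for a in args}
        if kind == "dstdomain":
            return _dstdomain_match(args, req.host)
        if kind == "path_prefix":
            return any(req.path.startswith(a) for a in args)
        if kind == "dsthost":
            return req.host.lower() in args
        raise ValueError(f"unsupported ACL type {kind!r}")

    def evaluate(self, req):
        """First line whose terms all match decides ('!' negates a term);
        with no match Squid applies the opposite of the last line's action."""
        for action, terms, line in self.rules:
            if all(self._acl_match(t.lstrip("!"), req) != t.startswith("!")
                   for t in terms):
                return action, line
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), "<default>"

# The http_access order from the post, with the port ACLs folded onto one line.
POSTED_RULES = """\
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.0.0/24
acl whitelist_prim dstdomain "/etc/squid3/whitelist_primaire"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow whitelist_prim
http_access deny !whitelist_prim
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# Same order, but the whitelist allow also requires the client to be in localnet.
TIGHTENED_RULES = POSTED_RULES.replace("http_access allow whitelist_prim",
                                       "http_access allow localnet whitelist_prim")

def decide(conf, src, method, host, port):
    """Return (decision, matching http_access line) for one request."""
    return Policy(conf).evaluate(Request(src, method, host, port))
```

decide(POSTED_RULES, "192.168.0.10", "CONNECT", "example.com", 8443) returns the "deny CONNECT !SSL_ports" line, decide(POSTED_RULES, "192.168.0.10", "GET", "www.example.com", 80) is denied because the whitelist entry "example.com" has no leading dot, and decide(POSTED_RULES, "192.168.1.10", "GET", "example.com", 80) is allowed while the same call against TIGHTENED_RULES falls through to "deny all". The model knows nothing about dst IPs, protocols or the other ACL types; for the real file, squid -k parse still has to be run to catch syntax problems.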

 

 

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> adego70 at gmail.com
> Sent: Friday 19 August 2016 13:38
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] HTTPS - THE PROXY SERVER IS REFUSING
> 
> Thank you for your help (both L.P.H. van Belle & Amos Jeffries).
> 
> I changed my squid.conf but now I don't get any URL denied...
> In fact, every http & https URL is allowed even if it is not in
> whitelist_primaire.
> I made many tests but I can't find the right way...
> Please find enclosed the conf for Firefox.
> 
> My new conf :
> http_port 3128
> acl localnet src 192.168.0.0/24 # RFC 1918 local private network (LAN)
> 
> acl SSL_ports port 443
> 
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 1025-65535  # unregistered ports
> 
> acl CONNECT method CONNECT
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> 
> 
> acl whitelist_prim dstdomain "/etc/squid3/whitelist_primaire"
> http_access deny !whitelist_prim
> 
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> 
> coredump_dir /var/spool/squid3
> 
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 

 
