[squid-users] ACL-by time- not working. Help!

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 28 03:57:41 UTC 2020


On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
> Hello. I need to restrict some sites by time, but I am not doing it well.
> This is my squid.conf. Please help me fix the problem. I don't know
> why it is not working.
> 

It is not clear what your problem actually is.

An educated guess tells me that you have missed two important details:

 1) your http_access lines are just a long list of allow, allow, allow.
Squid has no reason to deny.

To resolve this you need to write out your policies in the form of
denials, allowing only the good traffic that remains.

For best performance sort the lines by ACL checking speed and how much
traffic they can drop. The faster it can identify and deny bad traffic
the more speed can go towards the good traffic.


 2) those FB and YT websites use HTTPS and http_access controls only
apply when an HTTPS connection is established. The TLS connection itself
may remain open and continue to be used indefinitely.

You can use the client_lifetime directive to shorten the time CONNECT
tunnels are allowed to remain in use. For your specific case I would set
it to something like 5 minutes. Browsers can auto-recover so this length
should not be visible to clients, but you will want to test that to
confirm what is good for your needs.


There are several other things about your config file that indicate
extremely outdated practices or Squid version. Below is a free audit
report of things that need fixing.


If you are running a Squid older than 3.5 please update ASAP. Then apply
the changes below.

If you are running a Squid v3.5 or newer then you can fix these issues
now with just a check to confirm the change is okay.


> 
> ### user authentication (basic http) ############################################
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
> auth_param basic realm Introduzca su usuario para navegar por la WEB.
> 
> ### where squid responds ###
> ####################################################
> 
> http_port 192.168.1.3:3128
> http_port 127.0.0.1:3128

Are there other IPs assigned to the machine Squid is running on which
you definitely don't want offering proxy service?

If no, then you can replace both those with this line:
  http_port 3128

If yes, then you should replace just the second one with:
  http_port localhost:3128


> 
> ########## ACL ###########################################################################
> #
> # Recommended minimum configuration:
> 

You are missing the very critical port safety checks. These are to
prevent your proxy being DoS'ed or used as an attack vector against
other software in your LAN.

At worst, you may need to "open" some specific ports by adding them to
the Safe_ports and/or SSL_ports ACL definitions. But generally this is
not necessary, and should only be done after investigating carefully
what that port is used for, including things *other* than the reason you
are asked to open it.


> acl all src all

Since Squid-3.1 the "all" ACL has been built into Squid. You can remove
this line; it does nothing.


> acl localhost src 127.0.0.1/32

On all modern machines localhost includes the ::1/128 address, even when
the machine has IPv4-only connectivity to the network. Localhost is about
connections within the machine itself, and IPv4-only OSes no longer exist.


> acl localnet src 192.168.1.0/24

No LAN IPv6 ranges? That is something everyone should have been planning
for a decade ago.


> acl manager_proto_cache proto cache_object

Since Squid-3.2 the "manager" ACL has been built into Squid. There are
feature changes to the management URLs that need to be controlled by it
and the built-in definition handles those.

Please remove the above ACL line and convert anything that used it to
use the ACL named "manager" instead.


> acl peticion_identificacion proxy_auth REQUIRED
> acl intranet dstdomain intra.xzy
> 
> acl ocio dstdomain  .facebook.com .youtube.com
> 
> acl ocio_medio_dia time MTWHF 12:00-13:10
> acl ocio_tarde time MTWHF 14:00-14:30
> acl ocio_mannana time MTWHF 6:00-8:30
> 
> http_access allow localnet manager_proto_cache
> http_access allow localhost manager_proto_cache
> http_access deny manager_proto_cache

> http_access allow ocio ocio_tarde
> http_access allow ocio ocio_medio_dia
> http_access allow ocio ocio_mannana

Do you really want your proxy to be allowing anyone anywhere in the
world to access those websites through your proxy?

I think these "ocio" lines should look like:

  http_access deny ocio !ocio_tarde !ocio_medio_dia !ocio_mannana

Or, you can combine the time periods into one ACL check for better speed
and understanding:

  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30

  http_access deny ocio !ocio_tempo


> 
> http_access allow intranet

I am guessing here, but I think this means you do not want to require
login to access the intranet website.


> http_access allow localnet peticion_identificacion

For more reliable authentication this should be:

  http_access deny !peticion_identificacion
  http_access allow localnet

Or, assuming the above about intranet:

  http_access deny !intranet !peticion_identificacion
  http_access allow localnet

> 
> always_direct allow intranet
> http_access deny all
> never_direct allow all
> 

In summary, I think this access control section should look like the
below lines:

  acl SSL_ports port 443

  acl Safe_ports port 80		# http
  acl Safe_ports port 21		# ftp
  acl Safe_ports port 443		# https
  acl Safe_ports port 70		# gopher
  acl Safe_ports port 210		# wais
  acl Safe_ports port 1025-65535	# unregistered ports
  acl Safe_ports port 280		# http-mgmt
  acl Safe_ports port 488		# gss-http
  acl Safe_ports port 591		# filemaker
  acl Safe_ports port 777		# multiling http

  acl localhost src 127.0.0.1/32 ::1/128
  acl localnet src 192.168.1.0/24

  acl peticion_identificacion proxy_auth REQUIRED
  acl intranet dstdomain intra.xzy

  acl ocio dstdomain  .facebook.com .youtube.com

  acl ocio_tempo time MTWHF 12:00-13:10
  acl ocio_tempo time MTWHF 14:00-14:30
  acl ocio_tempo time MTWHF 6:00-8:30

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny manager !localnet !localhost

  # Prevent ocio domains outside permitted times
  http_access deny ocio !ocio_tempo

  # Login required unless visiting intranet site(s)
  http_access deny !intranet !peticion_identificacion

  http_access allow localnet

  http_access deny all

  always_direct allow intranet
  never_direct allow all


> 
> 
> ####### parent cache #################################################
> 
> cache_peer proxy_padre parent 3128 0  proxy-only
> #cache_peer_domain  proxy_padre !intra.xzy


NP: if you want to restore that !intra.xzy behaviour with modern Squid
use this:

 cache_peer_access proxy_padre allow !intranet


> 
> ##### cache manager e-mail ####
> 
> cache_mgr lmniedas

This should be an admin contact email. The documentation is not very
clear, sorry about that. It will receive reports about proxy crashes (if
the feature is built) and is displayed on error pages as the address to
contact about problems using the proxy.

For example:

 cache_mgr lmniedas at example.local

or the prettier version:

 cache_mgr Luis Mario Niedas Hernández <lmniedas at example.local>


> cachemgr_passwd ***

I hope that was not your actual password. If it was you now need to
change it.


> #### cache size ####################################
> 
> cache_dir aufs /var/spool/squid 20280 16 256
> 
> #### thresholds for starting to clean the cache #####################
> 
> cache_swap_low 90
> cache_swap_high 95
> 
> #### maximum size of objects in the cache ####################
> 
> maximum_object_size  15 MB
> 
> ### cache memory ###########################
> 
> cache_mem 500 MB
> 
> ### language of the squid error pages ##########################
> 
> error_directory /usr/share/squid/errors/Spanish

Since Squid-3.2 error pages can automatically be delivered in a language
the person receiving it can read.

To allow that to happen, but with Spanish as the default, use this
directive instead of error_directory:

 error_default_language es


FYI, you can also apply branding to the pages displayed by editing
/etc/squid/errorpages.css


> 
> ##### debug_options amount of information in cache_log #################
> 
> debug_options ALL,0 ALL,1 rotate=8760

This directive applies the options configured left-to-right.

The "ALL" setting resets *ALL* debug sections to the level given.

That means you should only use debug section "ALL" once in the whole of
squid.conf and it should be done before any other N,N pairs.

Your config actually means this:

  debug_options ALL,1 rotate=8760


> 
> ######### LOGS #######################################
> 
> cache_log /var/log/squid/cache.log
> access_log stdio:/var/log/squid/access.log  rotate=8760
> cache_store_log stdio:/var/log/squid/store.log

Is there any reason you need this log?
It typically is only useful for debugging and this line could be removed
to speed up your proxy and save disk space.


> 
> ##################
> 
> #AFFECTS THE AMOUNT SPECIFICALLY FOR STORE.LOG
> 
> logfile_rotate 8760
> 
> #### 365 days * 24 hours is the number of log rotations in the crontab

Does that mean you are running logrotate every hour of every day?

Perhaps there is some better way to do log handling?

Begin with deciding whether you need store.log at all. If that is not
enough and you want assistance with ideas about further improvements,
please tell us why this proxy is rotating so often.


HTH
Amos
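The rule-ordering argument in the reply above can be checked without a running proxy. The following Python script is an added example, not part of the thread and not Squid's own code: it is a toy model of http_access evaluation (first matching line wins; when nothing matches, the opposite of the last line's action applies) with just the ACL types used in this thread. It evaluates the poster's allow-allow-allow ordering and the reply's deny-first ordering against a handful of constructed requests. Assumed simplifications: time ranges are treated as inclusive, authentication is a plain "already logged in" flag, DNS and the manager/"acl all" lines are left out, and the sample client addresses, hosts and times are made up.

```python
# Added example (not from the mailing-list post): a toy model of Squid's
# http_access evaluation (first matching line wins; if nothing matches, the
# opposite of the last line applies), comparing the poster's rule order with
# the order proposed in the reply.  Assumed simplifications: inclusive time
# ranges, a boolean "already authenticated" flag, manager/"acl all" lines omitted.
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str                     # client IP address
    host: str                    # destination host name
    port: int                    # destination port
    method: str = "GET"
    authenticated: bool = False  # proxy_auth already succeeded
    day: str = "M"               # Squid day letter: S M T W H F A
    hhmm: str = "10:00"          # local time of the request

def parse_config(text):
    """Collect acl lines (same name appends values) and http_access rules in order."""
    acls = {"all": ("src", ["all"]), "CONNECT": ("method", ["CONNECT"])}  # built-ins
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(v == "all" or ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":      # a leading dot also matches subdomains
        return any(req.host == v.lstrip(".") or (v[0] == "." and req.host.endswith(v))
                   for v in values)
    if kind == "time":           # values arrive as (days, hh:mm-hh:mm) pairs
        mins = lambda s: int(s.split(":")[0]) * 60 + int(s.split(":")[1])
        now = mins(req.hhmm)
        return any(req.day in days and mins(lo) <= now <= mins(hi)
                   for days, (lo, hi) in zip(values[::2], (s.split("-") for s in values[1::2])))
    if kind == "proxy_auth":
        return req.authenticated
    if kind == "port":           # single port or lo-hi range
        return any(int(v.partition("-")[0]) <= req.port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req.method in values
    raise ValueError(f"ACL type {kind!r} is not modelled")

def decide(config, req):
    """Return "allow" or "deny" the way Squid would for one request."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        # every term must match; a leading "!" negates that term
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

COMMON_ACLS = """
acl localnet src 192.168.1.0/24
acl peticion_identificacion proxy_auth REQUIRED
acl intranet dstdomain intra.xzy
acl ocio dstdomain .facebook.com .youtube.com
"""

# The poster's order: allow, allow, allow, then deny all.
ORIGINAL = COMMON_ACLS + """
acl ocio_medio_dia time MTWHF 12:00-13:10
acl ocio_tarde time MTWHF 14:00-14:30
acl ocio_mannana time MTWHF 6:00-8:30
http_access allow ocio ocio_tarde
http_access allow ocio ocio_medio_dia
http_access allow ocio ocio_mannana
http_access allow intranet
http_access allow localnet peticion_identificacion
http_access deny all
"""

# The order proposed in the reply: drop bad traffic first, allow what remains.
RECOMMENDED = COMMON_ACLS + """
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl ocio_tempo time MTWHF 12:00-13:10
acl ocio_tempo time MTWHF 14:00-14:30
acl ocio_tempo time MTWHF 6:00-8:30
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ocio !ocio_tempo
http_access deny !intranet !peticion_identificacion
http_access allow localnet
http_access deny all
"""

SAMPLES = {   # constructed requests, all on a Monday
    "lan user, facebook 10:00": Request("192.168.1.10", "www.facebook.com", 443, "CONNECT", True),
    "lan user, facebook 12:30": Request("192.168.1.10", "www.facebook.com", 443, "CONNECT", True, hhmm="12:30"),
    "outsider, facebook 12:30": Request("203.0.113.5", "www.facebook.com", 443, "CONNECT", hhmm="12:30"),
    "lan, no login, intranet": Request("192.168.1.10", "intra.xzy", 80),
    "lan user, CONNECT port 25": Request("192.168.1.10", "mail.example", 25, "CONNECT", True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:26} original={decide(ORIGINAL, req):5} recommended={decide(RECOMMENDED, req)}")
```

Run stand-alone it prints both verdicts side by side. With the poster's ordering every sample is allowed: the Facebook CONNECT at 10:00 falls through the three time-limited allow lines and is then accepted by "allow localnet peticion_identificacion", an unauthenticated outsider is accepted by "allow ocio ocio_medio_dia", and a CONNECT to port 25 is never questioned. With the deny-first ordering the off-hours Facebook request, the outsider and the port 25 tunnel are denied while the in-hours request and the intranet visit without login still get through, which is the policy the thread was after.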

