[squid-users] ACL-by time- not working. Help!
Luis Mario Niedas Hernández
lmniedas at gmail.com
Fri Aug 28 15:50:38 UTC 2020
El vie., 28 de ago. de 2020 a la(s) 00:03, Amos Jeffries
(squid3 at treenet.co.nz) escribió:
>
> On 28/08/20 3:40 am, Luis Mario Niedas Hernández wrote:
> > Hello. I need restrict some site by time, but i am not doing well.
> > This is my squid.conf. Please help me to fix the problem. I don't know
> > why it is not working.
> >
>
> It is not clear what your problem actually is.
Well. My problem is that i had to block facebook and youtube but i
did not how to do it. Your correction works fine. Thanks for
explaining me some stuff. I appreciate that.
>
> An educated guess tells me that you have missed two important details:
>
> 1) your http_access lines are just a long list of allow, allow, allow.
> Squid has no reason to deny.
jajajaja Honestly, I don't understand how squid work. I mean, I don't
know what it is the logic to follow with the acl directives and
http_access allow | deny. I am learning about it. If you can recommend
me a book or a place to look for learning about how to build
adequately my rules in squid. I need it. i don't want copy and paste
acl from some plate and put it in my config, I really want to know how
I have to think. LEARN
>
> To resolve this you need to write out your policy(s) in the form of
> denials. Allowing only the good traffic that remains.
>
I guess that when we put this:
http_access deny all.
we are telling squid that everything that has not a http_access allow,
it is blocked. So, why I have to put http_access deny
!peticion_identificacion, instead http_access allow
peticion_identificacion ?
> For best performance sort the lines by ACL checking speed and how much
> traffic they can drop. The faster it can identify and deny bad traffic
> the more speed can go towards the good traffic.
>
> 2) those FB and YT websites use HTTPS and http_access controls only
> apply when an HTTPS connection is established. The TLS connection itself
> may remain open and continue to be used indefinitely.
>
> You can use the client_lifetime directive to shorten the time CONNECT
> tunnels are allowed to remain in use. For your specific case I would set
> it to something like 5 minutes. Browsers can auto-recover so this length
> should not be visible to clients, but you will want to test that to
> confirm what is good for your needs.
>
>
> There are several other things about your config file that indicate
> extremely outdated practices or Squid version. Below is a free audit
> report of things that need fixing.
>
>
> If you are running a Squid older than 3.5 please update ASAP. Then apply
> the changes below.
I am running squid 4.6.
>
> If you are running a Squid v3.5 or newer then you can fix these issues
> now with just a check to confirm the change is okay.
>
>
> >
> > ### autenticacion de los usuarios (http
> > básica)############################################
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/usuarios_inet
> > auth_param basic realm Introduzca su usuario para navegar por la WEB.
> >
> > ### por donde responde el squid ###
> > ####################################################
> >
> > http_port 192.168.1.3:3128
> > http_port 127.0.0.1:3128
>
> Are there other IPs assigned to the machine Squid is running on which
> you definitely don't want offering proxy service?
Yes, my machine has two different interfaces with different ranges
and I want to offer squid service only for one. ;-)
>
> If no, then you can replace both those with this line:
> http_port 3128
>
> If yes, then you should replace just the second one with:
> http_port localhost:3128
>
>
> >
> > ########## ACL ###########################################################################
> > #
> > # Recommended minimum configuration:
> >
>
> You are missing the very critical port safety checks. These are to
> prevent your proxy being DoS'ed or uses as an attack vector against
> other software in your LAN.
>
> At worst, you may need to "open" some specific ports by adding them to
> the Safe_ports and/or SSL_ports ACL definitions. But generally this is
> not necessary, and should only be done after investigating carefully
> what that port is used for, including things *other* than the reason you
> are asked to open it.
>
>
> > acl all src all
>
> Since Squid-3.1 the "all "ACL has been built into Squid. You can remove
> this line, it does nothing.
>
>
> > acl localhost src 127.0.0.1/32
>
> On all modern machines localhost include the ::1/128 address. Even when
> the machine is IPv4-only connectivity to the network. Localhost is about
> connections within the machine itself and IPv4-only OS no longer exist.
>
>
> > acl localnet src 192.168.1.0/24
>
> No LAN IPv6 ranges? that is something everyone should be planning for a
> decade ago.
I don't need IPv6. It is a small office.
>
>
> > acl manager_proto_cache proto cache_object
>
> Since Squid-3.2 the "manager" ACL has been built into Squid. There are
> feature changes to the management URLs that need to be controlled by it
> and the built-in definition handles those.
>
> Please remove the above ACL line and convert anything that used it to
> use the ACL named "manager" instead.
>
>
> > acl peticion_identificacion proxy_auth REQUIRED
> > acl intranet dstdomain intra.xzy
> >
> > acl ocio dstdomain .facebook.com .youtube.com
> >
> > acl ocio_medio_dia time MTWHF 12:00-13:10
> > acl ocio_tarde time MTWHF 14:00-14:30
> > acl ocio_mannana time MTWHF 6:00-8:30
> >
> > http_access allow localnet manager_proto_cache
> > http_access allow localhost manager_proto_cache
> > http_access deny manager_proto_cache
>
> > http_access allow ocio ocio_tarde
> > http_access allow ocio ocio_medio_dia
> > http_access allow ocio ocio_mannana
>
> Do you really want your proxy to be allowing anyone anywhere in the
> world to access those websites through your proxy?
>
> I think these "ocio" lines should look like:
>
> http_access deny ocio !ocio_tarde !ocio_medio_dia !ocio_mannana
>
> Or, you can combine the time periods into one ACL check for better speed
> and understanding:
>
> acl ocio_tempo time MTWHF 12:00-13:10
> acl ocio_tempo time MTWHF 14:00-14:30
> acl ocio_tempo time MTWHF 6:00-8:30
>
> http_access deny ocio !ocio_tempo
Thanks for this recommendation. I did not know how to do it fine.
>
> >
> > http_access allow intranet
>
> I am guessing here. But I think this means you do not want to require
> login to access the intranet website.
jajaja No, here i wanted to say: Squid you should allow the connection
to intranet, but with authentication. I thought that we only had to
request authentication only one time and squid will know that every
http request made for the same user will be checked again the rest
of ACL. :-( I am configuring my squid blink, i meant, i read and test
what happens, but it is a little hard. It is the reason that I wrote
to the squid-user list.
>
>
> > http_access allow localnet peticion_identificacion
>
> For more reliable authentication this should be:
>
> http_access deny !peticion_identificacion
> http_access allow localnet
>
> Or, assuming the above about intranet:
>
> http_access deny !intranet !peticion_identificacion
> http_access allow localnet
>
> >
> > always_direct allow intranet
> > http_access deny all
> > never_direct allow all
> >
>
> In summary, I think this access control section should look like the
> below lines:
>
> acl SSL_ports port 443
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl localhost src 127.0.0.1/32 ::1/128
> acl localnet src 192.168.1.0/24
>
> acl peticion_identificacion proxy_auth REQUIRED
> acl intranet dstdomain intra.xzy
>
> acl ocio dstdomain .facebook.com .youtube.com
>
> acl ocio_tempo time MTWHF 12:00-13:10
> acl ocio_tempo time MTWHF 14:00-14:30
> acl ocio_tempo time MTWHF 6:00-8:30
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny manager !localnet !localhost
>
> # Prevent occio domains outside permitted times
> http_access deny ocio !ocio_tempo
>
> # Login required unless visiting intranet site(s)
> http_access deny !intranet !peticion_identificacion
>
> http_access allow localnet
>
> http_access deny all
>
> always_direct allow intranet
> never_direct allow all
>
>
> >
> >
> > ####### cahce padre #################################################
> >
> > cache_peer proxy_padre parent 3128 0 proxy-only
> > #cache_peer_domain proxy_padre !intra.xzy
>
>
> NP: if you want to restore that !intra.xyz behaviour with modern Squid
> use this:
>
> cache_peer_access proxy_padre allow !intranet
>
>
> >
> > ##### correo cache manager ####
> >
> > cache_mgr lmniedas
>
> This should be an admin contact email. The documentation is not very
> clear, sorry about that. It will receive reports about proxy crashes (if
> the feature is built) and is displayed on error pages as the address to
> contact about problems using the proxy.
>
> For Example;
>
> cachemgr lmniedas at example.local
>
> or the prettier version:
>
> cache_mgr Luis Mario Niedas Hernández <lmniedas at example.local>
>
>
> > cachemgr_passwd ***
>
> I hope that was not your actual password. If it was you now need to
> change it.
>
jajajaja i changed the information, just to not compromise my security
or at least just to not show all the real information about my
network. ;-)
>
> > #### tamanno de la cache ####################################
> >
> > cache_dir aufs /var/spool/squid 20280 16 256
> >
> > #### limites para comenzar a limpiar la cache #####################
> >
> > cache_swap_low 90
> > cache_swap_high 95
> >
> > #### tamanno de los objetos en la cache como maximo ####################
> >
> > maximum_object_size 15 MB
> >
> > ### memoria cache ###########################
> >
> > cache_mem 500 MB
> >
> > ### idioma de las paginas de error de squid ##########################
> >
> > error_directory /usr/share/squid/errors/Spanish
>
> Since Squid-3.2 error pages can automatically be delivered in a language
> the person receiving it can read.
>
> To allow that to happen, but with Spanish as the default use this
> directive instead of error_directory:
>
> error_default_language es
>
I didn't know this. thanks again.
> FYI, you can also apply branding to the pages display by editing
> /etc/squid/errorpages.css
>
>
> >
> > ##### debug_options cantidad de información en cache_log #################
> >
> > debug_options ALL,0 ALL,1 rotate=8760
>
> This directive applies the options configured left-to-right.
>
> The "ALL" setting resets *ALL* debug sections to the level given.
>
> That means you should only use debug section "ALL" once in the whole of
> squid.conf and it should be done before any other N,N pairs.
>
> Your config actually means this:
>
> debug_options ALL,1 rotate=8760
>
>
> >
> > ######### LOGS #######################################
> >
> > cache_log /var/log/squid/cache.log
> > access_log stdio:/var/log/squid/access.log rotate=8760
> > cache_store_log stdio:/var/log/squid/store.log
>
> Is there any reason you need this log?
> It typically is only useful for debugging and this line could be removed
> to speed up your proxy and save disk space.
My boss told me that I must save all my logs, just to check later
what the people are doing and where they are surfing on the internet.
>
> >
> > ##################
> >
> > #AFECTA LA CANTIDAD ESPECIFICAMENTE A STORE.LOG
> >
> > logfile_rotate 8760
> >
> > #### 365 dias * 24 horas es la cantidad de rotaciones de los logs en el crontab
>
> Does that mean you are running logrotate every hour of every day?
>
Yes, I am rotating every one hours all squid's logs. Honestly, because
i thought that it is the more easy way to make analytics work. What
you can recommend me??
> Perhapse there is some better way to do log handling?
>
> Begin with deciding whether you need store.log at all. If that is not
> enough and you want assistance with ideas about further improvements
> please tell what is the reason why this proxy is rotating to often.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
"El futuro tiene muchos nombres. Para los débiles es lo inalcanzable.
Para los temerosos, lo desconocido. Para los valientes es la
oportunidad"
Victor Hugo
More information about the squid-users
mailing list