[squid-users] Squid and c-icap's srv_url_check module
Amiq Nahas
m992493 at gmail.com
Mon Jun 15 13:55:35 UTC 2020
Hi Guys,
I am trying to use the srv_url_check module to block websites.
I have configured squid with proxy authentication and followed this
wiki: https://sourceforge.net/p/c-icap/wiki/UrlCheckProfiles/
to configure c-icap and srv_url_check. Now, I am having trouble
configuring squid.conf. Below I have shared my configuration of squid.
I suspect that the last svcBlocker line in squid.conf is the faulty
one, among other possible faults.
Please point out what it is that I am doing wrong.
/etc/squid/squid.conf
-----
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !authenticated
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on
icap_preview_enable on
icap_preview_size 1024
icap_service svcBlocker reqmod_precache icap://127.0.0.1:1344/srv_url_check bypass=off
-----
Below are c-icap related files in case they are required too.
/usr/local/etc/c-icap.conf
-----
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Port 1344
[ciphers=ciph1:ciph2...] [tls_options=[!]Opt1|[!]Opt2|...]
ServerAdmin you at your.address
ServerName YourServerName
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/local/lib/c_icap
ServicesDir /usr/local/lib/c_icap
TemplateDir /usr/local/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /usr/local/etc/c-icap.magic
RemoteProxyUsers on
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
GroupSourceByGroup hash:/usr/local/etc/c-icap-groups.txt
acl all src 0.0.0.0/0.0.0.0
LogFormat myFormat "%a %la %lp %>a %<A %ts %tl %tg %tr %>hi %>ho %huo %hu %<hi %<ho %Hs %Hso %iu %im %is %>ih %<ih %ipl %Ih %Oh %Ib %Ob %I %O %bph %un %Sl %Sa"
ServerLog /usr/local/var/log/server.log
AccessLog /usr/local/var/log/access.log myFormat all
Service echo srv_echo.so
Include srv_url_check.conf
-----
/usr/local/etc/c-icap-groups.txt
-----
Users: user1
-----
/usr/local/etc/urls.txt
-----
www.facebook.com/
-----
/usr/local/etc/srv_url_check.conf
-----
%{url_check:action_cat}Sa] [Action: %{url_check:action}Sa]"
Service url_check_module srv_url_check.so
url_check.LookupTableDB urls url hash:/usr/local/etc/urls.txt
url_check.Profile social_media block urls
url_check.Profile default pass ALL
acl facebook group Users
url_check.ProfileAccess social_media facebook
-----
Thanks
Amiq
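
Added example, not part of the original post and not Squid or c-icap code: a small Python check that cross-references each icap_service URI in squid.conf against the names and port declared in the c-icap configuration, and reports services that no adaptation_access rule names. It assumes the URI path should match a name declared by a Service or ServiceAlias directive (a name built into the module itself is not visible in the config and is not checked) and does not resolve adaptation_service_set or adaptation_service_chain membership; `directives` and `lint` are hypothetical helper names, and the config strings are constructed excerpts of the files above.

```python
from urllib.parse import urlparse

# Constructed excerpts, reduced from the two configurations in the post.
SQUID_CONF = """\
icap_enable on
icap_service svcBlocker reqmod_precache icap://127.0.0.1:1344/srv_url_check bypass=off
"""
CICAP_CONF = """\
Port 1344
Service echo srv_echo.so
Service url_check_module srv_url_check.so
"""

def directives(text):
    """Split each non-empty line into tokens, ignoring '#' comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [row for row in rows if row]

def lint(squid_text, cicap_text):
    """Return sorted (service_id, finding) pairs for every icap_service line."""
    cicap, squid = directives(cicap_text), directives(squid_text)
    # Names declared in the c-icap config: Service <name> ... / ServiceAlias <name> ...
    declared = {r[1] for r in cicap if r[0] in ("Service", "ServiceAlias") and len(r) > 1}
    # c-icap "Port" may carry an address prefix; keep only the port number.
    ports = {r[1].rsplit(":", 1)[-1] for r in cicap if r[0] == "Port" and len(r) > 1}
    # First argument of adaptation_access is a service (or set/chain) name.
    routed = {r[1] for r in squid if r[0] == "adaptation_access" and len(r) > 1}
    findings = []
    for row in squid:
        if row[0] != "icap_service" or len(row) < 4:
            continue
        sid = row[1]
        uri = urlparse(next((tok for tok in row[2:] if tok.startswith("icap://")), ""))
        path = uri.path.strip("/")
        if path not in declared:
            findings.append((sid, f"path '{path}' is not a declared Service name"))
        if ports and str(uri.port or 1344) not in ports:  # 1344: ICAP default port
            findings.append((sid, f"port {uri.port or 1344} is not a c-icap Port"))
        if sid not in routed:
            findings.append((sid, "no adaptation_access rule names this service"))
    return sorted(findings)

if __name__ == "__main__":
    for sid, finding in lint(SQUID_CONF, CICAP_CONF):
        print(f"{sid}: {finding}")
```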