Re: [squid-users] Squid Allowing Sites Not In Any Allow List - Why?

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 05 Mar 2007 14:54:01 -0900

cosmo kramer wrote:
> Hello,
>
> I am having a problem with Squid allowing some websites that are not
> in any of our allow lists. For example, I can get to Nike.com, but there
> is no such entry in any of my allow lists (not only Nike.com, but
> approximately 15-25% of websites I try that are not on either of the
> allow lists). I have looked around the FAQ and Googled the problem, but
> have yet to find something similar.
>
> Here are some specs/code:
>
> ##########################
> # squid.conf #
> ##########################
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> ## acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> ## acl Safe_ports port 70 # gopher
> ## acl Safe_ports port 210 # wais
> ## acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> ## acl Safe_ports port 591 # filemaker
> ## acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
> acl proxy_a_users external win_domain_group group_proxy_a
>

I don't see the external_acl_type definition here, but we'll go under
the assumption that you have it set up correctly. That could prove to
be unwise...
> acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
>

I'd suggest you start by changing this ACL to one using dstdomain. The
"regular expressions" you are using are far too vague and regular
expressions should really be used sparingly. This SHOULDN'T be causing
the problem you describe, but it's just good practice.

> acl proxy_b_users external win_domain_group group_proxy_b
> acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"
>
> http_access allow proxy_a_users proxy_a_sites
> http_access allow proxy_b_users proxy_b_sites
> http_access deny all
>

Is this ALL of your http_access lines? What you have shown does not
explain the results you are getting.

>
>
> ###############################
> # proxy_a_sites.txt #
> ###############################
>
> .yahoo.com
> .lycos.com
> .google.com
> .altavista.com
> .ask.com
>
>

Are these exhaustive lists? Perhaps there is some expression that
matches .nike.com (given that the periods are single-character wildcards).
Again, using dstdomain ACLs would alleviate that possibility.

>
> ###############################
> # proxy_b_sites.txt #
> ###############################
>
> .toyota.com
> .honda.com
> .nissan.com
> .gm.com
> .chevy.com
> .ford.com
>
>
> ###############################
> # snippet from access.log #
> ###############################
>
> 1172074611.894 172 xxx.xxx.xxx.xxx TCP_MISS/200 5422 GET http://www.nike.com/renov/common/js/utils.js;bsessionid=JCVEUIMR31NY0CQFTC2CF4YKAWMLSIZB DOMAIN\username DIRECT/72.246.72.212 application/x-javascript
> 1172074612.081 0 xxx.xxx.xxx.xxx TCP_DENIED/407 1836 GET http://www.nike.com/renov/common/js/utils.js - NONE/- text/html
>
>
SNIP
>
> Running Squid 2.6STABLE9 on a M$ box (long story). The users appear
> to authenticate correctly, and in a very limited way Squid is
> functioning. After reading, I cannot find a similar case where Squid is
> allowing things that don't exist in an allow list, and with this small
> of a test ACL list/user group, I don't think it is an ACL problem or
> conflict.
>
> Any ideas or help would be greatly appreciated.
> Thanks.
>
>
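Added illustration (not part of the thread, nor Squid's own code): a Python model of how dstdom_regex and dstdomain treat the posted lists, showing which unrelated hosts the unescaped, unanchored patterns let through and that none of the listed entries account for www.nike.com. It also checks the literal token [-i] from the posted acl lines: the square brackets are the manual's notation for an optional flag, and if Squid's parser treats any token other than exactly -i as a pattern (an assumption about the parser, not confirmed in the thread), that token is a regex matching any host containing an "i" or a "-", www.nike.com included. All hosts tested other than www.nike.com are constructed.

```python
import re

# Lists exactly as posted in the thread (proxy_a_sites.txt / proxy_b_sites.txt).
PROXY_A_SITES = [".yahoo.com", ".lycos.com", ".google.com", ".altavista.com", ".ask.com"]
PROXY_B_SITES = [".toyota.com", ".honda.com", ".nissan.com", ".gm.com",
                 ".chevy.com", ".ford.com"]
# The literal token from the posted "acl proxy_a_sites dstdom_regex [-i] ..." line.
# Assumption: Squid compiles anything that is not exactly "-i" as a pattern.
BRACKET_TOKEN = "[-i]"


def dstdom_regex_match(patterns, host):
    """Model of dstdom_regex -i: unanchored, case-insensitive search, so an
    unescaped '.' matches any single character and 'ask.com' can sit
    anywhere inside the host name."""
    return [p for p in patterns if re.search(p, host, re.IGNORECASE)]


def dstdomain_match(domains, host):
    """Model of dstdomain: a leading-dot entry matches that domain and its
    subdomains on a label boundary; an entry without the dot matches the
    host exactly. No wildcards, no substring matches."""
    host = host.lower().rstrip(".")
    hits = []
    for d in (x.lower() for x in domains):
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                hits.append(d)
        elif host == d:
            hits.append(d)
    return hits


def anchored_regex(domain):
    """If a regex list must be kept: escape the dots and anchor the entry to
    a label boundary and the end of the host ('.gm.com' then matches gm.com
    and its subdomains only)."""
    return r"(^|\.)" + re.escape(domain.lstrip(".")) + r"$"


if __name__ == "__main__":
    # Constructed hosts for the comparison (www.nike.com is from the thread).
    for host in ["www.google.com", "www.task.com", "www.bigm.com", "www.nike.com"]:
        print(host,
              "regex:", dstdom_regex_match(PROXY_A_SITES + PROXY_B_SITES, host),
              "dstdomain:", dstdomain_match(PROXY_A_SITES + PROXY_B_SITES, host),
              "[-i] as pattern:", dstdom_regex_match([BRACKET_TOKEN], host))
```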
Received on Mon Mar 05 2007 - 16:54:32 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:01 MDT