Re: [squid-users] using squid with dnsmasq and hosts file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jul 2008 13:55:39 +1200

Troy Piggins wrote:
> Not sure if this is a squid or dnsmasq problem, so hope you don't
> mind me asking same question in 2 lists.
>
> I'm using squid3 as a transparent proxy by redirecting port 80
> in iptables, and dnsmasq as well. This all works fine. But now
> I'm trying to utilise the mvps hosts file to block malicious
> URLs and am having trouble getting squid to recognise this hosts
> file.
>
> On a previous installation I had the mvps hosts file saved as
> /etc/hosts.mvps and set up dnsmasq to read this file as an
> additional hosts file. I changed the IP addresses in the mvps
> hosts file from 127.0.0.1 to 192.168.0.100 and set up a virtual
> IP address and web page so that if a browser on the network
> wanted to connect to a URL that was in the hosts file, the user
> would get a locally served page saying "sorry, malicious site
> blocked" or something like that. I thought that was all pretty
> cool.
>
> So now I have the same setup, but have installed squid as this
> transparent proxy. It is all working fine... except that squid
> seems to be bypassing the /etc/hosts.mvps file.
> So normal pages are viewed fine.
> And if I ping one of the mvps hosts from the commandline it
> correctly returns the IP address 192.168.0.100.
> And if I put the URL 192.168.0.100 in a browser I get the correct
> blocked site message.
> But from a browser if I try to view a website listed in the mvps
> hosts file, I don't get the blocked site message page, I get the
> real (malicious) one.
>
> IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
>
> nameserver 127.0.0.1
> search isp.invalid
>
> And so if it's using localhost and DNS, that's dnsmasq and the
> mvps hosts file should come into play.
>
> What am I missing?

Squid only loads the /etc/resolv.conf and /etc/hosts files. No other
special ones.

>
> As an alternative, I've seen reference to using mvps entries
> somehow in squid.conf acls or rules, but haven't found a good
> explanation of /how/ to do this or examples. Any pointers there
> if that's the better way to go?

From the Squid point of view...

Probably a custom external ACL processor. If the mvps format is simple
it should be relatively easy to construct.

The simplest way though, is to use a plain dstdomain ACL, possibly with
the entries in a file for easy management.

You then use the custom ACL helper, http_access, and deny_info URL to
provide the custom denial webpage for visitors.

http://www.squid-cache.org/Versions/v3/3.0/cfgman/external_acl_type.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/http_access.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/deny_info.html

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jul 18 2008 - 01:55:31 MDT
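One way to wire the mvps list into the plain dstdomain ACL Amos describes, as an added example that is not from this thread or the Squid project: a POSIX shell script that turns a hosts-format file into a one-domain-per-line dstdomain file and prints the matching squid.conf lines. The file paths, the ACL name mvps_blocked and the sample hostnames are assumptions; the redirect URL reuses the 192.168.0.100 block page from the thread.

```shell
#!/bin/sh
# Convert an MVPS-style hosts file ("<ip> hostname [hostname ...] # comment")
# into a Squid dstdomain list. Squid never reads the IP column, so the
# 127.0.0.1 -> 192.168.0.100 rewrite from the thread is not needed for the ACL.

# hosts_to_dstdomain FILE: print one hostname per line, lowercase, sorted,
# deduplicated, with the loopback/broadcast entries every hosts file carries
# filtered out so they never end up in the deny list.
hosts_to_dstdomain() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
      | awk 'NF >= 2 { for (i = 2; i <= NF; i++) print tolower($i) }' \
      | grep -v -E '^(localhost|localhost\.localdomain|broadcasthost|ip6-[a-z]+)$' \
      | sort -u
}

# squid_block_fragment LISTFILE REDIRECT_URL: print the squid.conf lines that
# deny the listed domains and send the browser to the local "blocked" page.
# The http_access deny must appear before the http_access allow for the LAN,
# because Squid uses the first matching http_access line.
squid_block_fragment() {
    cat <<EOF
acl mvps_blocked dstdomain "$1"
deny_info $2 mvps_blocked
http_access deny mvps_blocked
EOF
}

# sample_hosts_file: write a constructed hosts file (placeholder names, not
# real indicators) to a temp file and print its path.
sample_hosts_file() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# MVPS-style hosts file, constructed sample
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.0.100 ads.example.invalid   # rewritten from 127.0.0.1 as in the thread
192.168.0.100 Tracker.Example.invalid ads.example.invalid
192.168.0.100 malware.example.invalid
EOF
    printf '%s\n' "$tmp"
}

# Typical use (paths assumed):
#   hosts_to_dstdomain /etc/hosts.mvps > /etc/squid/mvps.acl
#   squid_block_fragment /etc/squid/mvps.acl http://192.168.0.100/ >> /etc/squid/squid.conf
```

After editing squid.conf, `squid -k parse` reports duplicate or malformed dstdomain entries, and `squid -k reconfigure` loads the new list without a restart.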
