Re: [squid-users] Re: using squid with dnsmasq and hosts file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jul 2008 19:10:12 +1200

Troy Piggins wrote:
> * Amos Jeffries wrote :
>> Troy Piggins wrote:
>>> * Amos Jeffries wrote :
>>>> Troy Piggins wrote:
>>>>> Not sure if this is a squid or dnsmasq problem, so hope you don't
>>>>> mind me asking same question in 2 lists.
>>>>>
>>>>> I'm using squid3 as a transparent proxy by redirecting port 80
>>>>> in iptables, and dnsmasq as well. This all works fine. But now
>>>>> I'm trying to utilise the mvps hosts file to block malicious
>>>>> URLs and am having trouble getting squid to recognise this hosts
>>>>> file.
>>> <snip />
>>>>> But from a browser if I try to view a website listed in the mvps
>>>>> hosts file, I don't get the blocked site message page, I get the
>>>>> real (malicious) one.
>>>>>
>>>>> IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
>>>>>
>>>>> nameserver 127.0.0.1
>>>>> search isp.invalid
>>>>>
>>>>> And so if it's using localhost and DNS, that's dnsmasq and the
>>>>> mvps hosts file should come into play.
>>>>>
>>>>> What am I missing?
>>>> Squid only loads the /etc/resolv.conf and /etc/hosts files. No other
>>>> special ones.
>>> Understood, but I was assuming that since my /etc/resolv.conf
>>> points to localhost as a nameserver and that nameserver uses the
>>> mvps hosts file those entries would be used. Hmm...
>> Ah, yes that should work also. IFF it's the only nameserver.
>
> If there's another nameserver after localhost, how does squid
> behave? Take the first or last nameserver entry?
>

First to respond without failure. It starts with the order you give it
and works through them until one succeeds or all have failed.

The fact squid is resolving the site means either your localhost
resolver is failing, or at least not resolving the domain to the fake IP.

> nameserver 127.0.0.1
> nameserver www.xxx.yyy.zzz
> search isp.invalid
>
>>>>> As an alternative, I've seen reference to using mvps entries
>>>>> somehow in squid.conf acls or rules, but haven't found a good
>>>>> explanation of /how/ to do this or examples. Any pointers there
>>>>> if that's the better way to go?
>>>> From the Squid point of view...
>>>>
>>>> Probably a custom external ACL processor. If the mvps format is
>>>> simple it should be relatively easy to construct.
>>> The mvps hosts file looks exactly like /etc/hosts file format.
>> K. In that case the squid.conf option hosts_file should be usable for
>> squid without even needing the localhost resolver
>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/hosts_file.html
>
> Way I read that was if there's only one /etc/hosts file. I have
> a few. The basic /etc/hosts, then supplementary ones like the
> mvps hosts file saved as /etc/hosts.mvps. The entries in that
> get read into dnsmasq by a configuration parameter that points to
> supplementary hosts files.

Yeah, you can only set one for read at present.

>
> May be easier to compile all into one hosts file. I'll consider
> that.
>
>>>> The simplest way though, is to use a plain dstdomain ACL, possibly
>>>> with the entries in a file for easy management.
>>>>
>>>> You then use the custom ACL helper, http_access, and deny_info URL to
>>>> provide the custom denial webpage for visitors.
>>>>
>>>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/external_acl_type.html
>>>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/http_access.html
>>>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/deny_info.html
>>> Thank you for those links. I'll look into it.
>
> Thanks again.
>

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jul 18 2008 - 07:10:05 MDT
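One way to do what Amos suggests above (a dstdomain ACL fed from a file, then http_access and deny_info), as an added example that is not part of the thread: this script converts a hosts-format block list such as /etc/hosts.mvps into a Squid dstdomain list, keeping only names the hosts file sinks to a loopback or null address so real LAN entries are never turned into block rules. The output path, the ACL name "blocked" and the block-page URL are placeholders.

```python
"""Convert an /etc/hosts-style block list (e.g. /etc/hosts.mvps) into a
Squid dstdomain list file.

Added example, not code from the squid-users thread. Assumptions: the
path /etc/squid/blocked.domains, the ACL name 'blocked' and the
block-page URL in the deny_info line are placeholders.
"""
import sys

# Addresses a hosts file uses to sink a name; anything else is a real
# mapping (e.g. a LAN host) and must not become a block rule.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names legitimately mapped to loopback; these are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def hosts_to_dstdomains(text):
    """Return the sorted, de-duplicated hostnames the hosts file sinks."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full and inline comments
        if not line:
            continue
        fields = line.split()                  # address, then one or more names
        if fields[0] not in SINK_ADDRESSES:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")    # dstdomain matches are case-insensitive
            if name and name not in LOCAL_NAMES:
                domains.add(name)
    return sorted(domains)

# squid.conf fragment (placeholders). Entries have no leading dot, so each
# matches exactly like the hosts file did; put the deny before any allow.
SQUID_CONF = """\
acl blocked dstdomain "/etc/squid/blocked.domains"
deny_info http://blockpage.invalid/blocked.html blocked
http_access deny blocked
"""

SAMPLE_HOSTS = """\
# constructed sample in the mvps / /etc/hosts format
127.0.0.1 localhost
0.0.0.0 ad.example.invalid   # inline comment
0.0.0.0 tracker.example.invalid ad.example.invalid
192.168.1.10 fileserver
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    sys.stdout.write("\n".join(hosts_to_dstdomains(src)) + "\n")
```

Run it with the hosts file as the first argument and redirect the output to the file named in the acl line; without an argument it processes the constructed sample.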
