Re: [squid-users] Blocked Domains help :(

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 May 2009 12:53:45 +1200 (NZST)

>
> Thanks for the info. I have made the changes and here is my new script.
> Let me explain what happens now.
>
> # NETWORK OPTIONS
> http_port 8085
> acl QUERY urlpath_regex cgi-bin \?
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> # OPTIONS WHICH AFFECT THE CACHE SIZE
> cache_mem 32 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 4096 KB
>
> # LOGFILE PATHNAMES AND CACHE DIRECTORIES
> cache_dir ufs c:/squid/var/cache 1000 16 256
> access_log c:/squid/var/logs/access.log squid
> cache_log c:/squid/var/logs/cache.log
> #cache_store_log c:/squid/var/logs/store.log
> debug_options ALL,1
>
> # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
> allow_underscore on
> dns_nameservers 192.168.2.3 192.168.2.1
> #auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> #auth_param ntlm children 5
> auth_param negotiate program c:/squid/libexec/mswin_negotiate_auth.exe
> auth_param negotiate children 5
> #auth_param basic program c:/squid/libexec/mswin_auth.exe
> external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c
>
> # ACCESS CONTROL LISTS
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl SSL_ports port 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 87 # http required for Telstra Statistics website
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl our_networks src 192.168.0.0/16
> acl NoAuthDomains dstdomain "c:/squid/etc/domains/NoAuthDomains.txt"
> acl proxycustom2 external NT_global_group proxycustom2
> acl proxycustom1 external NT_global_group proxycustom1
> acl proxyfullaccess external NT_global_group proxyfullaccess
> acl password proxy_auth REQUIRED
> acl custom2domains dstdomain "c:/squid/etc/domains/custom2domains.txt"
> acl custom1domains dstdomain "c:/squid/etc/domains/custom1domains.txt"
> acl DeniedDomains dstdomain "c:/squid/etc/domains/DeniedDomains.txt"
> acl CONNECT method CONNECT
> acl FTP proto FTP
> always_direct allow FTP
>
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny !our_networks
>
> http_access allow safe_ports NoAuthDomains
> http_access allow safe_ports proxycustom2 custom2domains password
> http_access allow safe_ports proxycustom1 custom1domains password
> http_access allow password proxyfullaccess
> http_access allow safe_ports !DeniedDomains password
> http_access deny all
>
> # MISCELLANEOUS
> logfile_rotate 10
> error_directory c:/squid/share/errors/English
>
> So the noauthdomains works. Websites that used to not work now work in
> that domain list.
> The proxyfullaccess group works. I added 2 users and they can access
> domains in the denieddomains group.
>
> Now I have added 2 more custom groups. These 2 groups both have a
> customdomains txt file associated. The txt file has a couple of domains
> that have been blocked in the denied domains list which I need to give
> them access to.
>
> But for some reason, I have added the users to this group... restarted
> everything, but they still get access denied when trying to go to those
> domains.
>
> Have I made any mistakes in the config? Do the ACLs need to be in a
> particular order, or is it just the http_access lines that need to be?
>
> Thanks in advance for your help :)
>

I can't see why it would not work. The ACL flow looks correct.
I think you will need to raise 'debug_options ALL,1 29,6 28,6' and see
what's doing the denial.

Personally I'd rearrange the ACL a little to show what's happening a bit
better:

 http_access deny !Safe_ports
 ...
 http_access allow NoAuthDomains
 http_access deny !password
 http_access allow proxycustom2 custom2domains
 http_access allow proxycustom1 custom1domains
 http_access allow proxyfullaccess
 http_access allow !DeniedDomains

Amos
Received on Thu May 21 2009 - 01:00:15 MDT
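
Added example (not part of the original post and not Squid code): a simplified Python model of first-match http_access evaluation, run over the rearranged rules above. The elided `...` lines are left out, the sets of ACL results are constructed, and the fall-through default (the opposite of the last rule) follows the squid.conf documentation.

```python
# Simplified model: each http_access line matches only if ALL of its ACLs
# match ('!' negates); the first matching line decides the request.
RULES_TEXT = """
http_access deny !Safe_ports
http_access allow NoAuthDomains
http_access deny !password
http_access allow proxycustom2 custom2domains
http_access allow proxycustom1 custom1domains
http_access allow proxyfullaccess
http_access allow !DeniedDomains
"""

def parse(text):
    """Return [(action, [acl, ...]), ...] for every http_access line."""
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def acl_matches(acl, true_acls):
    """true_acls is the set of ACL names that are true for this request."""
    if acl.startswith("!"):
        return acl[1:] not in true_acls
    return acl in true_acls

def decide(true_acls, rules=None):
    """Return (action, deciding_rule); deciding_rule is None on fall-through."""
    rules = parse(RULES_TEXT) if rules is None else rules
    for action, acls in rules:
        if all(acl_matches(a, true_acls) for a in acls):
            return action, action + " " + " ".join(acls)
    # Nothing matched: the default is the opposite of the last line.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

if __name__ == "__main__":
    # Constructed cases: which ACLs are true for each request.
    cases = {
        "custom1 user, custom1 domain that is also denied":
            {"Safe_ports", "password", "proxycustom1", "custom1domains", "DeniedDomains"},
        "same request, but the group ACL does not match":
            {"Safe_ports", "password", "custom1domains", "DeniedDomains"},
        "full-access user, denied domain":
            {"Safe_ports", "password", "proxyfullaccess", "DeniedDomains"},
    }
    for name, acls in cases.items():
        print(name, "->", decide(acls))
```

In this model, a deny with no deciding rule means every allow line failed to match, which is the kind of result the `28,6` debug output can confirm ACL by ACL.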
