Re: [squid-users] ACL configuration

From: Никоноров Григорий <grigoryn_at_comita.ru>
Date: Tue, 20 Apr 2010 10:43:26 +0400

Hello Amos !

Thank for your replay, i solve the problem.
It was necessary to remove 2 lines permissive all authorized users
All work fine, thanks

Вы писали 19 апреля 2010 г., 18:01:00:
> Никоноров Григорий wrote:
>> Hello, Amos
>>
>> I install the latest version of squid3 from backports (unfortunately
>> i cant find my problem in squid3 bugs ...)
>> dpkg --list |grep squid3
>> ii squid3 3.0.STABLE19-1~bpo50+1 A full featured Web Proxy cache (HTTP proxy)
>> ii squid3-common 3.0.STABLE19-1~bpo50+1 A full featured Web Proxy cache (HTTP proxy) - common files
>>
>> I also delete two lines about QUERY...
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>>
>> ...and modified my refresh_patters accordingly your advice
>> refresh_pattern \.doc$ 0 20% 4320
>> refresh_pattern \.zip$ 0 20% 4320
>> refresh_pattern \.exe$ 0 20% 4320
>> refresh_pattern \.rar$ 0 20% 4320
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>>
>> I upload my squid.conf for "easy to read" purpose in pastebay.com
>> http://pastebay.com/94291 (no virus guys...only my squid.conf :)
>>
>> p.s. regex replacement on dstdomain not helped
>>
>> You wrote 19 апреля 2010 г., 13:47:21:
>>> Никоноров Григорий wrote:
>>>> Hi,
>>>>
>>>> After the upgrade from 2.7 to 3.0.STABLE8-3 + lenny3 squid stop block
>>>> prohibited sites.
>>
>>> IMO grab the official backport package from
>>> http://www.backports.org/debian/pool/main/s/squid3/ if you can.
>>
>>>> My Squid3 conf:
>>>> acl ADMIN proxy_auth "/etc/squid3/users/users.admin"
>>>> acl bad_site url_regex -i "/etc/squid3/bad_site.acl"
>>>>
>>>> bad_site.acl:
>>>> vkontakte\.ru
>>>> odnoklassniki\.ru
>>>> pagewash\.com
>>>> vk\.com
>>
>>> Hmm. Regardless of your squid version those are far better off being
>>> configured as a "dstdomain" ACL type. Regex is Slooooowww.
>>
>>> acl bad_site dstdomain "/etc/squid3/bad_site.acl"
>>
>>> bad_site.acl:
>>> .vkontakte.ru
>>> .odnoklassniki.ru
>>> .pagewash.com
>>> .vk.com
>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access allow ADMIN !bad_site
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>
>>> The above two lines about QUERY are no longer very useful.
>>
>>> Remove them and make sure your *final* two refresh_patterns lines match
>>> the new defaults for squid-3.x:
>>
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>
>>
>>>> http_access deny all
>>>>
>>>>
>>>> 192.168.164.111 - user from group ADMIN
>>>>
>>>> Access log:
>>>> 1271418317.455 103 192.168.164.111 TCP_MISS/302 494 GET http://vkontakte.ru/id000000 user DIRECT/93.186.231.220 text/html
>>>> 1271418317.536 71 192.168.164.111 TCP_MISS/200 3767 GET http://vkontakte.ru/login.php? user DIRECT/93.186.231.220 text/html
>>>> 1271418317.665 5 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/xhead2.gif user DIRECT/93.186.231.220 -
>>>> 1271418317.669 9 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_yellow.gif user DIRECT/93.186.231.222 -
>>>> 1271418317.674 15 192.168.164.111 TCP_MISS/304 347 GET http://vkontakte.ru/images/header_divider.gif user DIRECT/93.186.231.221 -
>>>> 1271418317.690 35 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.219 -
>>>> 1271418317.714 55 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.77 image/gif
>>>> 1271418321.434 82 192.168.164.111 TCP_MISS/200 5360 GET http://vk.com/ user DIRECT/93.186.231.221 text/html
>>>> 1271418321.476 124 192.168.164.111 TCP_MISS/200 719 GET http://sitecheck2.opera.com/? user DIRECT/91.203.99.45 text/xml
>>>> 1271418322.588 34 192.168.164.111 TCP_MISS/304 483 GET http://www.tns-counter.ru/V13a***R>*vkontakte_ru/ru/CP1251/tmsec=vkontakte_total/ user DIRECT/217.73.200.220 -
>>>> 1271418322.608 54 192.168.164.111 TCP_MISS/200 386 GET http://counter.yadro.ru/hit? user DIRECT/88.212.196.101 image/gif
>>>> 1271418324.221 1670 192.168.164.111 TCP_MISS/200 6368 CONNECT certs.opera.com:443 user DIRECT/91.203.99.57 -
>>>> 1271418324.358 69 192.168.164.111 TCP_MISS/200 738 GET http://login.vk.com/? user DIRECT/93.186.229.129 text/html
>>>> 1271418324.433 56 192.168.164.111 TCP_MISS/200 617 POST http://vk.com/login.php? user DIRECT/93.186.231.222 text/html
>>>>
>>
>>
>>> I can't see any reason why those requests might go through. Is there any
>>> additional http_access configuration anywhere?
>>
>>> If not, try with the backports package and see if it goes away.
>>
>>> Amos
>>

> Wading through that config I find the very first http_access:

> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users

> ... any user with a valid login has unlimited access through your server.

> The http_access rules following that line apply only to non-logged in
> users.

> Amos

-- 
С уважением,
Никоноров Григорий
Системный администратор
ЗАО "Комита"
icq 419950912
Тел. 295
 
Received on Tue Apr 20 2010 - 06:43:34 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 20 2010 - 12:00:05 MDT