Squid Proxy + CentOS - Linux Forums

10-25-2009	#1 (permalink)
xwulfgar Just Joined! Join Date: Jan 2007 Posts: 15	Squid Proxy + CentOS Hi, I'm trying to implement Squid proxy (version 2.6) on a CentOS distribution to block (using ACL) http traffic. The current configuration I have blocks everything .. ? -- #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT #ADDED acl bad_url dstdomain "/etc/squid/bad-sites.squid" # Example rule allowing access from your local networks. Adapt # to list your (internal) IP networks from where browsing should # be allowed http_access deny bad_url -- bad-sites.squid looks like the following .playboy.com -- I have then set the browser to point to the proxy server for http traffic on the associated port (3128). Any ideas as to why it is blocking everything !? xwulfgar.

10-26-2009	#2 (permalink)
syd05 Just Joined! Join Date: Aug 2009 Location: Mumbai, India Posts: 60	Hi, Your squid.conf file seems to be missing an entry. You have defined an acl "acl all src 0.0.0.0/0.0.0.0" but nowhere in the file is the acl given httpd access. Add a line to the file (after the http_access deny bad_url line) Code: http_access allow all Or rather create an acl for your network: Code: acl mynetwork src 192.168.1.0/24 (substitute the subnet with the one used in your network) and then Code: http_access allow mynetwork --Syd

10-26-2009

#3 (permalink)

xwulfgar

Just Joined!

Join Date: Jan 2007

Posts: 15

Thanks for your reply! Updated ..

Code:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl mynet src 10.0.0.0/24

Code:

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access allow mynet
http_access deny bad_url

The subnet is 10.0.0.0/24 .. and the IP address of the test PC is 10.0.0.212. I have set the HTTP proxy to the ip address of the proxy server (running squid), 10.30.0.20.

bad-sites.squid remains the same :-

Code:

.playboy.com

Where previously everything was blocked .. now nothing is blocked, including .playboy.com.. ?

Any ideas ? Thanks!

xwulfgar.

10-26-2009	#4 (permalink)
syd05 Just Joined! Join Date: Aug 2009 Location: Mumbai, India Posts: 60	Hi, The sequence of the http_access rules makes a difference. Change it so that the deny line is listed first and then the allow line Code: http_access deny bad_url http_access allow mynet Also ensure you have a line for deny all which should be the last access rule defined.... Code: http_access deny all --Syd

10-26-2009	#5 (permalink)
xwulfgar Just Joined! Join Date: Jan 2007 Posts: 15	Thanks heaps for you help syd! Working . I couldnt find anywhere in the documentation regarding order of precedence .. ah well. xwulfgar.

10-26-2009	#6 (permalink)
ennoil Just Joined! Join Date: Dec 2006 Posts: 52	squid will go through your rules until it finds a match. Once it does it stops processing any other rules. It is not a matter of precedence. Jon

10-26-2009	#7 (permalink)
xwulfgar Just Joined! Join Date: Jan 2007 Posts: 15	OK. So sequential even ? xwulfgar.

10-27-2009	#8 (permalink)
ennoil Just Joined! Join Date: Dec 2006 Posts: 52	Yep...That is how it works...