  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15

    Squid Proxy + CentOS


    Hi,

    I'm trying to implement Squid proxy (version 2.6) on a CentOS distribution to block (using ACL) http traffic.

    The current configuration I have blocks everything .. ?

    --

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    #ADDED
    acl bad_url dstdomain "/etc/squid/bad-sites.squid"

    # Example rule allowing access from your local networks. Adapt
    # to list your (internal) IP networks from where browsing should
    # be allowed
    http_access deny bad_url

    --

    bad-sites.squid looks like the following

    .playboy.com

    --

    I have then set the browser to point to the proxy server for http traffic on the associated port (3128).

    Any ideas as to why it is blocking everything !?

    xwulfgar.

  2. #2
    Linux Newbie
    Join Date
    Aug 2009
    Location
    Mumbai, India
    Posts
    113
    Hi,

    Your squid.conf file seems to be missing an entry. You have defined an acl "acl all src 0.0.0.0/0.0.0.0" but nowhere in the file is the acl given http access. Add a line to the file (after the http_access deny bad_url line):
    Code:
    http_access allow all
    Or rather create an acl for your network:
    Code:
    acl mynetwork src 192.168.1.0/24
    (substitute the subnet with the one used in your network)
    and then
    Code:
    http_access allow mynetwork
    --Syd

  3. #3
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15
    Thanks for your reply! Updated ..

    Code:
    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    acl bad_url dstdomain "/etc/squid/bad-sites.squid"
    acl mynet src 10.0.0.0/24
    Code:
    #Recommended minimum configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    #
    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on "localhost" is a local user
    #http_access deny to_localhost
    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    
    # Example rule allowing access from your local networks. Adapt
    # to list your (internal) IP networks from where browsing should
    # be allowed
    http_access allow mynet
    http_access deny bad_url
    The subnet is 10.0.0.0/24 .. and the IP address of the test PC is 10.0.0.212. I have set the HTTP proxy to the ip address of the proxy server (running squid), 10.30.0.20.

    bad-sites.squid remains the same :-

    Code:
    .playboy.com
    Where previously everything was blocked .. now nothing is blocked, including .playboy.com.. ?

    Any ideas ? Thanks!

    xwulfgar.

  5. #4
    Linux Newbie
    Join Date
    Aug 2009
    Location
    Mumbai, India
    Posts
    113
    Hi,
    The sequence of the http_access rules makes a difference. Change it so that the deny line is listed first and then the allow line.

    Code:
    http_access deny bad_url
    http_access allow mynet
    Also ensure you have a line for deny all which should be the last access rule defined....
    Code:
    http_access deny all
    --Syd

  6. #5
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15
    Thanks heaps for your help Syd! Working.

    I couldn't find anywhere in the documentation regarding order of precedence .. ah well.

    xwulfgar.

  7. #6
    Just Joined!
    Join Date
    Dec 2006
    Posts
    52
    squid will go through your rules until it finds a match. Once it does it stops processing any other rules. It is not a matter of precedence.

    Jon
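
    The first-match behaviour Jon describes, together with the rule order Syd gives in #4, as an added example that is not part of the thread and not Squid's own code: a small Python simulator of how Squid walks the http_access list. It assumes only the ACL types used in the thread's squid.conf (src, dstdomain, port, method, proto), resolves the quoted bad_url file path from an in-memory dict rather than from disk, and encodes Squid's documented defaults (no matching line: the opposite of the last line's action; no http_access lines at all: deny). The `decide()` helper and the constructed request values (192.0.2.5, example.com) are assumptions made for this example.

```python
"""Simulate Squid's http_access evaluation (added example, not Squid's own code).

Assumed simplifications: only the ACL types from the thread's squid.conf
(src, dstdomain, port, method, proto) are implemented, and the quoted file
path in the bad_url ACL is resolved from an in-memory dict instead of disk.
"""
import ipaddress

# Constructed stand-in for /etc/squid/bad-sites.squid (the thread's file name).
FILES = {"/etc/squid/bad-sites.squid": [".playboy.com"]}


def parse_config(text, files=FILES):
    """Return (acls, rules): acls maps name -> (type, values); rules is the
    ordered list of (action, [acl terms]) taken from the http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            expanded = []
            for v in values:
                if v.startswith('"') and v.endswith('"'):   # "/path": one value per line
                    expanded.extend(files[v.strip('"')])
                else:
                    expanded.append(v)
            acls.setdefault(name, (kind, []))[1].extend(expanded)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Does this ACL match the request? (src/dstdomain/port/method/proto only)"""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):       # leading dot: the domain and all its subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:             # no leading dot: exact host only
                return True
        return False
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in (v.upper() for v in values)
    if kind == "proto":
        return req["proto"].lower() in (v.lower() for v in values)
    raise ValueError(f"unsupported acl type {kind!r}")


def http_access(acls, rules, req):
    """First-match evaluation: a line matches when every term on it matches
    (a leading '!' negates a term); the first matching line's action wins and
    nothing after it is looked at. With no match, Squid's documented default
    is the opposite of the last line's action; with no lines at all, deny."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# ACLs and the leading http_access lines shared by both orderings in the thread.
BASE = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl mynet src 10.0.0.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
# Order from post #3: "allow mynet" is hit first, so "deny bad_url" is never consulted.
AS_POSTED = BASE + "http_access allow mynet\nhttp_access deny bad_url\n"
# Order from post #4: deny the blocklist first, allow the LAN, deny everyone else.
FIXED = BASE + "http_access deny bad_url\nhttp_access allow mynet\nhttp_access deny all\n"


def decide(config, src, host, port=80, method="GET", proto="http"):
    """Hypothetical helper: evaluate one request against a config string."""
    acls, rules = parse_config(config)
    return http_access(acls, rules, {"src": src, "host": host, "port": port,
                                     "method": method, "proto": proto})


if __name__ == "__main__":
    for cfg_name, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for src, host in (("10.0.0.212", "www.playboy.com"),
                          ("10.0.0.212", "example.com"),
                          ("192.0.2.5", "example.com")):   # constructed off-LAN client
            print(f"{cfg_name:9} {src:12} {host:16} -> {decide(cfg, src, host)}")
```

    Running it shows why the thread's two orderings behave so differently: with "allow mynet" first, a LAN client reaches www.playboy.com because the allow line matches before the deny line is reached, and a client outside 10.0.0.0/24 is also let through, since no line matches and the default is the opposite of the last (deny) line. With Syd's order the blocklist is consulted first, the LAN is allowed, and the trailing "deny all" makes the no-match case an explicit deny instead of relying on that default.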

  8. #7
    Just Joined!
    Join Date
    Jan 2007
    Posts
    15
    OK. So sequential even?

    xwulfgar.

  9. #8
    Just Joined!
    Join Date
    Dec 2006
    Posts
    52
    Yep...That is how it works...
