- 10-25-2009 #1 Just Joined!
- Join Date
- Jan 2007
- Posts
- 15
Squid Proxy + CentOS
Hi,
I'm trying to implement Squid proxy (version 2.6) on a CentOS distribution to block (using ACL) http traffic.
The current configuration I have blocks everything .. ?
--
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#ADDED
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access deny bad_url
--
bad-sites.squid looks like the following
.playboy.com
--
I have then set the browser to point to the proxy server for http traffic on the associated port (3128).
Any ideas as to why it is blocking everything!?
xwulfgar.
- 10-26-2009 #2 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 74
Hi,
Your squid.conf file seems to be missing an entry. You have defined an acl "acl all src 0.0.0.0/0.0.0.0" but nowhere in the file is the acl given http_access. Add a line to the file (after the http_access deny bad_url line):
Code:
http_access allow all
Or rather create an acl for your network (substitute the subnet with the one used in your network):
Code:
acl mynetwork src 192.168.1.0/24
and then
Code:
http_access allow mynetwork
--
Syd
- 10-26-2009 #3 Just Joined!
- Join Date
- Jan 2007
- Posts
- 15
Thanks for your reply! Updated ..
Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl mynet src 10.0.0.0/24
The subnet is 10.0.0.0/24 .. and the IP address of the test PC is 10.0.0.212. I have set the HTTP proxy to the ip address of the proxy server (running squid), 10.30.0.20.
Code:
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access allow mynet
http_access deny bad_url
bad-sites.squid remains the same :-
Code:
.playboy.com
Where previously everything was blocked .. now nothing is blocked, including .playboy.com.. ?
Any ideas? Thanks!
xwulfgar.
- 10-26-2009 #4 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 74
Hi,
The sequence of the http_access rules makes a difference. Change it so that the deny line is listed first and then the allow line:
Code:
http_access deny bad_url
http_access allow mynet
Also ensure you have a line for deny all, which should be the last access rule defined....
Code:
http_access deny all
--
Syd
- 10-26-2009 #5 Just Joined!
- Join Date
- Jan 2007
- Posts
- 15
Thanks heaps for your help Syd! Working.
I couldn't find anywhere in the documentation regarding order of precedence .. ah well.

xwulfgar.
- 10-26-2009 #6 Just Joined!
- Join Date
- Dec 2006
- Posts
- 52
Squid will go through your rules until it finds a match. Once it does, it stops processing any other rules. It is not a matter of precedence.
Jon
- 10-26-2009 #7 Just Joined!
- Join Date
- Jan 2007
- Posts
- 15
OK. So sequential even?
xwulfgar.
- 10-27-2009 #8 Just Joined!
- Join Date
- Dec 2006
- Posts
- 52
Yep...That is how it works...
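To make the first-match behaviour from posts #4 and #6 concrete, here is an added example (not from the thread or from the Squid project) that models how Squid walks http_access lines and runs the rule order from post #3 against the corrected order from post #4. It is a simplified model: it assumes the acls and the bad-sites.squid contents posted above, and it treats a dstdomain entry without a leading dot as an exact host match.

```python
import ipaddress

# Constructed for this example: the acls from the thread, with the contents of
# bad-sites.squid inlined under bad_url.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),            # squid.conf spells it 0.0.0.0/0.0.0.0
    "mynet": ("src", ["10.0.0.0/24"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "SSL_ports": ("port", ["443"]),
    "CONNECT": ("method", ["CONNECT"]),
    "bad_url": ("dstdomain", [".playboy.com"]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":                        # single port or lo-hi range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":                   # leading dot also matches subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError(kind)

def http_access(rules, req):
    """Squid semantics: lines are tested top to bottom, a line matches when every acl
    on it matches ('!' negates), the first match decides, else opposite of last action."""
    last = "allow"
    for line in rules:
        action, *terms = line.split()[1:]     # drop the http_access keyword
        last = action
        if all((not acl_matches(t[1:], req)) if t.startswith("!") else acl_matches(t, req)
               for t in terms):
            return action
    return "deny" if last == "allow" else "allow"

COMMON = ["http_access deny !Safe_ports", "http_access deny CONNECT !SSL_ports"]
# Post #3: the LAN is allowed before the blacklist is checked, so nothing is blocked.
WRONG_ORDER = COMMON + ["http_access allow mynet", "http_access deny bad_url"]
# Post #4: deny the blacklist first, then allow the LAN, and end with deny all.
FIXED_ORDER = COMMON + ["http_access deny bad_url", "http_access allow mynet",
                        "http_access deny all"]
def check(rules, host, src="10.0.0.212", port=80, method="GET"):
    return http_access(rules, {"src": src, "host": host, "port": port, "method": method})
```

Running check() with the test PC's address shows www.playboy.com allowed under WRONG_ORDER and denied under FIXED_ORDER; without the trailing deny all, a client outside 10.0.0.0/24 that matches no line falls through to the opposite of the last action, which is why Syd asks for it.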