Old 10-25-2009   #1 (permalink)
Just Joined!
 
Join Date: Jan 2007
Posts: 15
Squid Proxy + CentOS

Hi,

I'm trying to implement Squid proxy (version 2.6) on a CentOS distribution to block (using ACL) http traffic.

The current configuration I have blocks everything .. ?

--

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#ADDED
acl bad_url dstdomain "/etc/squid/bad-sites.squid"

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access deny bad_url

--

bad-sites.squid looks like the following

.playboy.com

--

I have then set the browser to point to the proxy server for http traffic on the associated port (3128).

Any ideas as to why it is blocking everything !?

xwulfgar.
Old 10-26-2009   #2 (permalink)
Just Joined!
 
Join Date: Aug 2009
Location: Mumbai, India
Posts: 60
Hi,

Your squid.conf file seems to be missing an entry. You have defined an acl "acl all src 0.0.0.0/0.0.0.0" but nowhere in the file is the acl given httpd access. Add a line to the file (after the http_access deny bad_url line)
Code:
http_access allow all
Or rather create an acl for your network:
Code:
acl mynetwork src 192.168.1.0/24
(substitute the subnet with the one used in your network)
and then
Code:
http_access allow mynetwork
--Syd
Old 10-26-2009   #3 (permalink)
Just Joined!
 
Join Date: Jan 2007
Posts: 15
Thanks for your reply! Updated ..

Code:
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl bad_url dstdomain "/etc/squid/bad-sites.squid"
acl mynet src 10.0.0.0/24
Code:
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
http_access allow mynet
http_access deny bad_url
The subnet is 10.0.0.0/24 .. and the IP address of the test PC is 10.0.0.212. I have set the HTTP proxy to the ip address of the proxy server (running squid), 10.30.0.20.

bad-sites.squid remains the same :-

Code:
.playboy.com
Where previously everything was blocked .. now nothing is blocked, including .playboy.com.. ?

Any ideas ? Thanks!

xwulfgar.
Old 10-26-2009   #4 (permalink)
Just Joined!
 
Join Date: Aug 2009
Location: Mumbai, India
Posts: 60
Hi,
The sequence of the http_access rules makes a difference. Change it so that the deny line is listed first and then the allow line.

Code:
http_access deny bad_url
http_access allow mynet
Also ensure you have a line for deny all which should be the last access rule defined....
Code:
http_access deny all
--Syd
Old 10-26-2009   #5 (permalink)
Just Joined!
 
Join Date: Jan 2007
Posts: 15
Thanks heaps for your help syd! Working.

I couldn't find anywhere in the documentation regarding order of precedence .. ah well.



xwulfgar.
Old 10-26-2009   #6 (permalink)
Just Joined!
 
Join Date: Dec 2006
Posts: 52
squid will go through your rules until it finds a match. Once it does it stops processing any other rules. It is not a matter of precedence.

Jon
Old 10-26-2009   #7 (permalink)
Just Joined!
 
Join Date: Jan 2007
Posts: 15
OK. So sequential even?

xwulfgar.
Old 10-27-2009   #8 (permalink)
Just Joined!
 
Join Date: Dec 2006
Posts: 52
Yep...That is how it works...
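The first-match behaviour that ennoil describes, and the rule reordering syd05 gave in post #4, can be checked without a live proxy. The following is an added example, not Squid's code and not posted by anyone in the thread: a small Python simulation of http_access evaluation over the thread's own ACLs (`mynet`, `bad_url`, `all`), which also shows why a trailing `deny all` matters (when no rule matches, Squid applies the opposite of the last rule's action). Only the `src` and `dstdomain` ACL types used in the thread are modelled, and the blocklist file is inlined rather than read from /etc/squid/bad-sites.squid.

```python
# Added example (not Squid's code and not from the thread): a minimal
# simulation of Squid's http_access evaluation. Rules are checked top to
# bottom and the first rule whose ACLs all match decides; if no rule
# matches, Squid applies the opposite of the last rule's action.
# Only the 'src' and 'dstdomain' ACL types used in the thread are modelled.
import ipaddress

# ACLs from the thread; the one entry of /etc/squid/bad-sites.squid is
# inlined here instead of being read from the file.
ACLS = {
    "all":     ("src", ["0.0.0.0/0"]),       # squid.conf spells it 0.0.0.0/0.0.0.0
    "mynet":   ("src", ["10.0.0.0/24"]),
    "bad_url": ("dstdomain", [".playboy.com"]),
}

def acl_matches(name, client_ip, host):
    if name.startswith("!"):                 # Squid's negation, e.g. !Safe_ports
        return not acl_matches(name[1:], client_ip, host)
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = host.lower()
        for v in values:
            # A leading dot matches the domain itself and all its subdomains.
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if host == v:
                return True
        return False
    raise ValueError("unsupported ACL type: " + kind)

def http_access(rules, client_ip, host):
    """rules: list of (action, [acl names]) in squid.conf order."""
    for action, names in rules:
        if all(acl_matches(n, client_ip, host) for n in names):
            return action
    # No rule matched: Squid uses the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Post #3 order: 'allow mynet' matches every LAN client, so the deny is never reached.
BROKEN = [("allow", ["mynet"]), ("deny", ["bad_url"])]
# Post #4 order: deny the blocklist first, then allow the LAN, then deny all.
FIXED = [("deny", ["bad_url"]), ("allow", ["mynet"]), ("deny", ["all"])]

if __name__ == "__main__":
    for label, rules in (("post #3", BROKEN), ("post #4", FIXED)):
        for host in ("www.playboy.com", "example.org"):
            print(label, host, http_access(rules, "10.0.0.212", host))
```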