Re: [squid-users] apache locked.

From: Muthukumar <kmuthu_gct@dont-contact.us>
Date: Thu, 17 Jun 2004 12:58:06 +0530

> I run squid on my PC, acting as a gateway, and also run a webserver on it.
> After I had a problem with ipchains rules for restricting my PC on the
> network, I'm using acls for restricting. But right now my webserver is
> locked and can't be accessed from outside. Did I make a mistake in squid.conf?

Let's look into the squid.conf.

> And I also need an example
> acl to block some sites that contain xxx, porn, babes etc.
>

Create an acl with dstdom_regex as:
acl blocksite dstdom_regex -i xxx porn babes

where -i is used to ignore uppercase/lowercase distinctions during comparisons.

> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl ictnetwork src 192.168.2.2 192.168.2.3 192.168.2.4 192.168.2.5 192.168.2.29 192.168.2.30
> acl amcorpc src 192.168.2.21 192.168.2.22 192.168.2.23 192.168.2.24

If you use the src acl, use the netmask with the IP address. We can use the limit of IP addresses in your situation, like this:

acl ictnetwork src 192.168.2.2-192.168.2.5/32 192.168.2.29-192.168.2.30/32
acl amcorpc src 192.168.2.21-192.168.2.24/32

> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT

These are all default settings.

> acl local dstdomain "allowedhost"
> acl localip dst "allowedip"

What are the contents of the allowedhost and allowedip files, and their locations?

> acl ebsco dstdom_regex epnet.com

If you want to set the acl for the *.epnet.com domain, use dstdomain itself as:
acl ebsco dstdomain .epnet.com

> http_access allow manager localhost
> http_access allow ictnetwork
> http_access allow amcorpc local
> http_access allow amcorpc localip
> http_access allow amcorpc ebsco
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
>

What is your requirement to set the http_access? It is good to validate your settings.

Regards,
Muthukumar.

Received on Thu Jun 17 2004 - 01:28:09 MDT
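
The reply above recommends `dstdomain .epnet.com` over `dstdom_regex epnet.com` and suggests a `dstdom_regex -i` blocklist. The following is an added example, not part of the original message or of Squid's code: a simplified Python model of the two matching styles, showing which hostnames each one accepts. The function names and all hostnames are constructed for illustration.

```python
import re

def dstdom_regex_match(patterns, host, ignore_case=False):
    """Simplified model of dstdom_regex: each pattern is an unanchored
    regex searched anywhere in the destination hostname (-i = ignore case)."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, host, flags) for p in patterns)

def dstdomain_match(entries, host):
    """Simplified model of dstdomain: '.example.com' matches the domain and
    its subdomains; 'example.com' (no leading dot) matches that host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

# Constructed hostnames: two genuine ones and three lookalikes.
HOSTS = [
    "search.epnet.com",
    "epnet.com",
    "epnet.com.lookalike.example",  # target name used as a prefix
    "epnetxcom.example",            # '.' in the regex matches any character
    "notepnet.com",                 # different registered domain
]

def compare(hosts=HOSTS):
    """Return (host, allowed_by_regex_acl, allowed_by_dstdomain_acl) rows."""
    return [(h,
             dstdom_regex_match(["epnet.com"], h),
             dstdomain_match([".epnet.com"], h)) for h in hosts]

def blocked(host):
    """Model of: acl blocksite dstdom_regex -i xxx porn babes"""
    return dstdom_regex_match(["xxx", "porn", "babes"], host, ignore_case=True)

if __name__ == "__main__":
    for host, by_regex, by_domain in compare():
        print(f"{host:30} dstdom_regex={by_regex!s:5} dstdomain={by_domain}")
    for host in ["XXX.example", "essexxxpress.example", "docs.example"]:
        print(f"{host:30} blocked={blocked(host)}")
```

Used in an allow rule, the unanchored regex admits every lookalike host, while the `dstdomain` entry admits only epnet.com and its subdomains; used in a deny rule, the substring regex also blocks unrelated hosts that happen to contain the string.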
