Re: [squid-users] cannot block a particular website

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 02 Aug 2007 00:20:49 +1200

Mayuresh M Murkunde wrote:
> Hi all
>
>
> I want to block a site over my network, but I'm unable to do it...
>
>
> 1)google chat
> The simple acl said that it would be blocked through acl statements,
> But that never helped me, finally I took the help of the hosts file and solved the
> problem.
> I edited the hosts file, made the following entry
> 127.0.0.1 chatenabled.mail.google.com
> And now its working as i had required.
>
>
> 2)www.nseindia.com & online video clip sites like youtube.com and others.
> I'm not finding a proper solution for blocking these particular sites...
> I'm pasting my squid configuration file.

I see your problem immediately.

Firstly - *_access are checked in sequence with first match being used.

Secondly - "deny !x" means immediately deny everything not listed in x

Between those two details you should be able to see the problem also.

Try replacing all your twisted http_access with these (in this order):

   acl nseindia dstdomain .nseindia.com
   acl youtube dstdomain .youtube.com

   http_access allow manager localhost
   http_access deny manager

   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports

   http_access allow office
   http_access deny google_block
   http_access deny nseindia
   http_access deny youtube
   http_access allow our_networks

   http_access deny all

OR if you don't like the length of the allow our_networks line you could
use:

<snip extra config>
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
>
> # this is to block the sites, lets c how it works
> acl go4_sites dstdom_regex -i "/etc/squid/blocked/bsite.acl"
> acl go2 url_regex -i ^http://www.nseindia.com/

eww, DON'T use regex unless you absolutely have to have a regex expression.
The above is better done with a 'dstdomain' ACL:

       acl nseindia dstdomain .nseindia.com

<snip lots of broken http_access design>

> visible_hostname linux

This should be an FQDN, i.e. linux.example.com

>
> httpd_accel_host linux
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

Hmm, squid 2.5 config. If you need transparency, upgrade to 2.6; much
easier and better for it.

> logfile_rotate 9
>
> deny_info ERR_BLOCKED_FILES f29
> deny_info ERR_BLOCKED_FILES junklist
>
> #acl denydomain dstdomain talk.google.com
> #http_access deny denydomain

yep, another useless http_access line.

<snip final config details>

HTH
Amos
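To make the two rules in the reply concrete (first match wins, and "deny !x" denies everything not in x), here is an added simulator of squid's http_access evaluation run over the suggested config; it is not squid's code or part of the thread, and the office/our_networks address ranges and the google_block domain are assumed.

```python
import ipaddress

def dstdomain(pattern):  # squid dstdomain: ".example.com" also matches subdomains
    p = pattern.lower()
    return lambda r: r["host"].lower() == p.lstrip(".") or (p[0] == "." and r["host"].lower().endswith(p))

def src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r["src"]) in net

# ACL table for the reply's config; the office/our_networks ranges and the
# google_block domain are assumptions, not values from the thread.
ACLS = {
    "manager": lambda r: r["host"] == "cache_object",
    "localhost": src("127.0.0.1/32"),
    "all": lambda r: True,
    "Safe_ports": lambda r: r["port"] in {80, 21, 443, 70, 210} or r["port"] > 1024,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "office": src("10.0.1.0/24"),
    "our_networks": src("10.0.0.0/16"),
    "google_block": dstdomain("chatenabled.mail.google.com"),
    "nseindia": dstdomain(".nseindia.com"),
    "youtube": dstdomain(".youtube.com"),
}

HTTP_ACCESS = """http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow office
http_access deny google_block
http_access deny nseindia
http_access deny youtube
http_access allow our_networks
http_access deny all"""

# The pitfall the reply names: "deny !x" denies everything NOT in x.
MISORDERED = """http_access deny !nseindia
http_access allow our_networks
http_access deny all"""

def decide(config, req):
    """First match wins; all ACLs on a line must match; '!' negates one; no match -> opposite of last action."""
    action = None
    for line in config.splitlines():
        _, action, *terms = line.split()
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if action == "allow" else "allow"
```

A request is a dict with src, host, port and method; for example `decide(HTTP_ACCESS, {"src": "10.0.5.9", "host": "www.youtube.com", "port": 80, "method": "GET"})` returns "deny", while the same request under MISORDERED shows why the inverted rule blocks everything except nseindia.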
Received on Wed Aug 01 2007 - 06:21:01 MDT
