Re: [squid-users] Invoked sites by allowed websites.

From: Adrian Chadd <adrian@dont-contact.us>
Date: Thu, 13 Dec 2007 09:52:05 +0900

On Wed, Dec 12, 2007, Cody Jarrett wrote:
> I'm using squid 2.6 and have it configured to block all websites
> except for a few that I specify are ok. The problem I'm having is,
> several sites that are fine to access, such as kbb.com, have content
> invoked from other sites. So when I view kbb.com for example, the page
> is missing most it's content and looks really messed up in firefox,
> and this happens with other sites. Is there some way to allow access
> to approved sites, and further sites that are invoked?

There's no easy way for squid (or any proxy, really!) to properly
determine "and further sites that are invoked."

You could possibly allow access based on referrer URL as well - which
should show up as having been referred by your list of approved URLs -
but referrer URLs can't be trusted as anyone can just fake them.

Adrian

> http_port 10.1.0.1:3128
> http_port 127.0.0.1:3128
> visible_hostname server.blah.com
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir ufs /var/spool/squid 400 16 256
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #allow only the sites listed in the following file
> acl goodsites dstdom_regex "/etc/squid/allowed-sites.squid"
> http_access allow goodsites
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> acl lan_network src 10.1.1.0/24
>
> #deny http access to all other sites
> http_access deny lan_network
> http_access deny itfreedom_network
> http_access allow localhost
> http_access deny all
> acl to_lan_network dst 10.1.45.0/24
> http_access allow to_lan_network
> http_reply_access allow all
> icp_access allow all

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Wed Dec 12 2007 - 17:45:37 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST