[squid-users] Re: using squid with dnsmasq and hosts file

From: Troy Piggins <troy_at_piggo.com>
Date: Fri, 18 Jul 2008 12:14:19 +1000

* Amos Jeffries wrote :
> Troy Piggins wrote:
>> Not sure if this is a squid or dnsmasq problem, so hope you don't
>> mind me asking same question in 2 lists.
>>
>> I'm using squid3 as a transparent proxy by redirecting port 80
>> in iptables, and dnsmasq as well. This all works fine. But now
>> I'm trying to utilise the mvps hosts file to block malicious
>> URLs and am having trouble getting squid to recognise this hosts
>> file.
<snip />
>> But from a browser if I try to view a website listed in the mvps
>> hosts file, I don't get the blocked site message page, I get the
>> real (malicious) one.
>>
>> IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
>>
>> nameserver 127.0.0.1
>> search isp.invalid
>>
>> And so if it's using localhost and DNS, that's dnsmasq and the
>> mvps hosts file should come into play.
>>
>> What am I missing?
>
> Squid only loads the /etc/resolv.conf and /etc/hosts files. No other
> special ones.

Understood, but I was assuming that since my /etc/resolv.conf
points to localhost as a nameserver and that nameserver uses the
mvps hosts file those entries would be used. Hmm...

>> As an alternative, I've seen reference to using mvps entries
>> somehow in squid.conf acls or rules, but haven't found a good
>> explanation of /how/ to do this or examples. Any pointers there
>> if that's the better way to go?
>
> From the Squid point of view...
>
> Probably a custom external ACL processor. If the mvps format is simple
> it should be relatively easy to construct.

The mvps hosts file looks exactly like /etc/hosts file format.

> The simplest way though, is to use a plain dstdomain ACL, possibly with
> the entries in a file for easy management.
>
> You then use the custom ACL helper, http_access, and deny_info URL to
> provide the custom denial webpage for visitors.
>
> http://www.squid-cache.org/Versions/v3/3.0/cfgman/external_acl_type.html
> http://www.squid-cache.org/Versions/v3/3.0/cfgman/http_access.html
> http://www.squid-cache.org/Versions/v3/3.0/cfgman/deny_info.html

Thank you for those links. I'll look into it.

-- 
Troy Piggins
Received on Fri Jul 18 2008 - 02:14:36 MDT
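
The dstdomain approach suggested in the reply above, sketched as an added example that is not part of the original thread: a hosts-format blocklist is converted into a file of hostnames that a dstdomain ACL can load. The sample entries are constructed, and the ACL name, file path and denial-page URL are assumptions.

```python
import re

# Constructed sample in /etc/hosts (MVPS-style) format; not real list entries.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1  localhost
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
0.0.0.0 bad_host!.example.org
::1 localhost
"""

# Addresses a blocklist uses as a sink; lines pointing elsewhere are real mappings.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}
# Names that must never end up in a deny ACL.
SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Dotted hostname only: keeps whitespace, quotes and other junk out of the ACL file.
LABEL = r"[a-z0-9]([a-z0-9_-]*[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")


def hosts_to_dstdomain(text):
    """Return the sorted, de-duplicated hostnames sinkholed by a hosts-format list."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in SKIP_NAMES and HOSTNAME_RE.match(name):
                # No leading dot: dstdomain then matches this exact host only,
                # which is the same scope the hosts-file entry had.
                names.add(name)
    return sorted(names)


# squid.conf lines that would consume the generated file (assumed names and paths).
# The deny rule has to come before the http_access allow rules for the clients.
SQUID_CONF = """\
acl mvps_blocked dstdomain "/etc/squid/mvps.domains"
deny_info http://proxy.example.invalid/blocked.html mvps_blocked
http_access deny mvps_blocked
"""

if __name__ == "__main__":
    print("\n".join(hosts_to_dstdomain(SAMPLE_HOSTS)))
```

Write the output to the file named in the acl line, one hostname per line, and have Squid re-read its configuration after each regeneration.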
