Re: [squid-users] Re: using squid with dnsmasq and hosts file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jul 2008 17:36:04 +1200

Troy Piggins wrote:
> * Amos Jeffries wrote :
>> Troy Piggins wrote:
>>> Not sure if this is a squid or dnsmasq problem, so hope you don't
>>> mind me asking same question in 2 lists.
>>>
>>> I'm using squid3 as a transparent proxy by redirecting port 80
>>> in iptables, and dnsmasq as well. This all works fine. But now
>>> I'm trying to utilise the mvps hosts file to block malicious
>>> URLs and am having trouble getting squid to recognise this hosts
>>> file.
> <snip />
>>> But from a browser if I try to view a website listed in the mvps
>>> hosts file, I don't get the blocked site message page, I get the
>>> real (malicious) one.
>>>
>>> IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
>>>
>>> nameserver 127.0.0.1
>>> search isp.invalid
>>>
>>> And so if it's using localhost and DNS, that's dnsmasq and the
>>> mvps hosts file should come into play.
>>>
>>> What am I missing?
>> Squid only loads the /etc/resolv.conf and /etc/hosts files. No other
>> special ones.
>
> Understood, but I was assuming that since my /etc/resolv.conf
> points to localhost as a nameserver and that nameserver uses the
> mvps hosts file those entries would be used. Hmm...

Ah, yes that should work also. IFF it's the only nameserver.

>
>>> As an alternative, I've seen reference to using mvps entries
>>> somehow in squid.conf acls or rules, but haven't found a good
>>> explanation of /how/ to do this or examples. Any pointers there
>>> if that's the better way to go?
>> From the Squid point of view...
>>
>> Probably a custom external ACL processor. If the mvps format is simple
>> it should be relatively easy to construct.
>
> The mvps hosts file looks exactly like /etc/hosts file format.

K. In that case the squid.conf option hosts_file should be usable for
squid without even needing the localhost resolver:
http://www.squid-cache.org/Versions/v3/3.0/cfgman/hosts_file.html

>
>> The simplest way though, is to use a plain dstdomain ACL, possibly with
>> the entries in a file for easy management.
>>
>> You then use the custom ACL helper, http_access, and deny_info URL to
>> provide the custom denial webpage for visitors.
>>
>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/external_acl_type.html
>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/http_access.html
>> http://www.squid-cache.org/Versions/v3/3.0/cfgman/deny_info.html
>
> Thank you for those links. I'll look into it.
>

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jul 18 2008 - 05:35:56 MDT
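
Added example (not part of either poster's message and not Squid project code): one way to turn a hosts-format blocklist, which is how the thread describes the mvps file, into the dstdomain ACL file suggested above, plus the matching squid.conf lines. The ACL name mvps_blocked, the path /etc/squid/mvps.domains, the denial URL and the sample data are all assumptions made up for illustration.

```python
import re

# Constructed sample in /etc/hosts format; not real mvps data.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1  localhost
::1  localhost
0.0.0.0  ads.example.invalid   # trailing comment
0.0.0.0  Tracker.Example.invalid
127.0.0.1  ads.example.invalid
0.0.0.0  bad_host!.example.invalid
0.0.0.0  multi-a.example.invalid multi-b.example.invalid
not-an-entry
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}   # addresses a blocklist points names at
KEEP_RESOLVING = {"localhost", "localhost.localdomain", "broadcasthost"}
# Conservative hostname check so junk in a third-party list never reaches squid.conf.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def hosts_to_dstdomain(text):
    """Return sorted, de-duplicated hostnames for a dstdomain ACL file."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, split columns
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue                                # not a blocklist entry
        for name in fields[1:]:                     # a line may carry aliases
            name = name.lower().rstrip(".")
            if name not in KEEP_RESOLVING and HOSTNAME_RE.match(name):
                # No leading dot: exact-host match only, so entries such as
                # example.com and www.example.com never overlap in the ACL.
                names.add(name)
    return sorted(names)

def squid_conf_snippet(acl_file, deny_url):
    """squid.conf lines; the deny must sit above any broader http_access allow."""
    return "\n".join([
        f'acl mvps_blocked dstdomain "{acl_file}"',
        "http_access deny mvps_blocked",
        f"deny_info {deny_url} mvps_blocked",
    ])

if __name__ == "__main__":
    print("\n".join(hosts_to_dstdomain(SAMPLE_HOSTS)))
    print(squid_conf_snippet("/etc/squid/mvps.domains",
                             "http://blocked.example.invalid/"))
```

Write the first output to the ACL file, add the printed directives to squid.conf, and run `squid -k reconfigure` so the new list is loaded.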
