Re: [squid-users] setting up different filtering based on port number

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Feb 2010 10:00:49 +1300

On Mon, 15 Feb 2010 14:23:12 -0600 (CST), Al - Image Hosting Services
<azick_at_zickswebventures.com> wrote:
> Hi,
>
> On Mon, 15 Feb 2010, Amos Jeffries wrote:
>> On Sun, 14 Feb 2010 18:21:25 -0600 (CST), Al - Image Hosting Services
>> <azick_at_zickswebventures.com> wrote:
>>> Hi,
>>>
>>> I know that this is a little bit off topic for this list, but I asked on
>>> the squidguard list and they said that I need to run 2 instances of squid.
>>> I know that squid can listen on 2 ports very easily, and I have set up
>>> squid to listen on 2 different ports. Port 8080 uses squidguard to filter,
>>> but port 8081 doesn't. What I would really like to be able to do is to
>>> have less restrictive filtering on port 8081. For example, I would like to
>>> block youtube on port 8080, but not on port 8081. Still I would like to be
>>> able to block porn on port 8081. Could someone give me some assistance on
>>> how to do this or point me to a how to?
>>>
>>> Best Regards,
>>> Al
>>
>> Use of the "myport" ACL type and url_rewrite_access to prevent things
>> being sent to the squidguard re-writer.
>>
>> http://www.squid-cache.org/Doc/config/url_rewrite_access/
>
> I should have explained that differently, so I will give it another try.
>
> This is what I have in my squid.conf now:
>
> acl custom-auth proxy_auth REQUIRED
> acl mysite dstdomain .zickswebventures.com
> acl portA myport 8080
> acl portB myport 8081
> url_rewrite_access allow portA
> url_rewrite_program /bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 3
> http_access allow mysite
> http_access allow custom-auth all
> http_access deny all
>
> It works perfectly, requests sent to portA are filtered and requests that
> are sent to portB are not, but I need to add sort of an intermediate level
> of filtering.
>
> Solution 1: It looks like squidguard can filter based on IP. If I created
> a portC in squid.conf, should I be able to add this to my squidguard.conf:
>
> src portC {
> ip 0.0.0.0:8082
> }
>
> src portA {
> ip 0.0.0.0:8080
> }
>
> My question is, does squid pass the port along with the IP address to
> squidguard? If it does, then is my config wrong or does squidguard just
> not know what to do with the port information?
>

Squid will never pass the IP "0.0.0.0" to squidguard. All IPs handled are
routable. So I expect that will never match properly.

> Solution 2: Call 2 instances of squidguard with a different config.
> Although, I don't know if this is possible without knowing more about how
> squid passes information to squidguard.
>
> Solution 3: Create a blocklist within squid of maybe 5 to 30 sites, so my
> squid.conf would look like:
>
> acl custom-auth proxy_auth REQUIRED
> acl mysite dstdomain .zickswebventures.com
> acl block dstdomain .facebook.com .twitter.com
> acl portA myport 8080
> acl portB myport 8081
> acl portB myport 8082
>
> url_rewrite_access allow portA portB
> url_rewrite_program /bin/squidGuard -c /etc/squid/squidGuard.conf
> url_rewrite_children 3
> http_access allow mysite
> http_access allow custom-auth all
> http_access deny all
>
> Of course, the blank line is where I would need to tell squid to redirect
> to the zickswebvenutres.com/blocked.html if it sees one of the URLs
> being blocked, but only on portA. Could this be done?

You seem to misunderstand how ACLs work.

Read this:
  http://wiki.squid-cache.org/SquidFaq/SquidAcl#Common_Mistakes

Then consider this:
  url_rewrite_access allow portA
  url_rewrite_access allow portB !block
  url_rewrite_access deny all

Or better yet do a real HTTP redirection by Squid instead:

  deny_info http://zickswebvenutres.com/blocked.html block
  http_access deny portA block

Amos
Received on Mon Feb 15 2010 - 21:00:56 MST
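
Added example (not part of the thread and not Squid code): a simplified Python model of how Squid evaluates an access list, showing why "url_rewrite_access allow portA portB" from Solution 3 can never match while the three-line form in the reply does. The function names and sample requests are constructed for illustration, and the model assumes only the rules described in the Squid ACL FAQ linked above.

```python
# Simplified model of Squid access-list evaluation. Rules modelled:
#   - values of one named acl are ORed (repeated "acl portB ..." lines merge)
#   - acl names on one access line are ANDed; "!" negates a name
#   - lines are checked top-down and the first matching line decides
#   - if no line matches, the result is the opposite of the last line's action

def dst_match(host, domains):
    # dstdomain ".example.com" matches the domain itself and its subdomains
    bare = [d.lstrip(".") for d in domains]
    return any(host == d or host.endswith("." + d) for d in bare)

def make_acls(ports, blocked):
    """ports: {acl name: set of listening ports}; blocked: dstdomain values."""
    acls = {name: (lambda req, p=p: req["myport"] in p) for name, p in ports.items()}
    acls["block"] = lambda req: dst_match(req["host"], blocked)
    acls["all"] = lambda req: True
    return acls

def evaluate(rules, acls, req):
    """rules: list of (action, [acl names]). Returns 'allow' or 'deny'."""
    for action, names in rules:
        # every name on the line must hold (AND); "!" flips the expected result
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# ACL definitions as posted in Solution 3: portB is defined twice (8081, 8082).
ACLS = make_acls({"portA": {8080}, "portB": {8081, 8082}},
                 [".facebook.com", ".twitter.com"])

# url_rewrite_access: "allow" means the request is handed to squidGuard.
REWRITE_POSTED = [("allow", ["portA", "portB"])]            # Solution 3
REWRITE_REPLY = [("allow", ["portA"]),
                 ("allow", ["portB", "!block"]),
                 ("deny", ["all"])]                         # from the reply
# http_access alternative from the reply; auth lines left out of the model.
HTTP_REPLY = [("deny", ["portA", "block"]), ("allow", ["all"])]

def req(port, host):
    # constructed sample request: listening port it arrived on, and target host
    return {"myport": port, "host": host}

if __name__ == "__main__":
    for r in (req(8080, "www.youtube.com"), req(8081, "www.facebook.com")):
        print(r, "posted:", evaluate(REWRITE_POSTED, ACLS, r),
              "reply:", evaluate(REWRITE_REPLY, ACLS, r))
```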
