Re: [squid-users] Squid3 on ubuntu 10.4 problem using acl whitelist in external file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 25 May 2010 03:02:41 +0000

On Mon, 24 May 2010 11:44:06 -0700 (PDT), MM Gillon <margaretgi_at_yahoo.com> wrote:
> First I am new at working with networks. Most of the IT staff were
> downsized last year including the administrator. I am a database
> programmer. I like ubuntu and have an ubuntu database server. I am trying
> to use an ubuntu server as a squid proxy so that Windows workstations on a
> manufacturing floor can only go to company web sites on a whitelist. I am
> manually configuring the workstations to go to this proxy server. Squid3
> loads okay without error messages. I know it is seeing the whitelist.txt
> file because I get an error if the file is not present. However, SQUID will
> not allow any addresses to load, even those in the white list. Below is my
> squid.conf and my whitelist.txt file. The message in the Squid log is
> below. The message on the browser screen confirms that squid is blocking
> the address. I tried the same software and configuration on ubuntu 8.04 and
> had the same issues. Thank you.
>

I know it is a bit late and you already have a working solution.
But here is my 2c on your config...

>
> 1274724540.610 193 192.168.100.9 TCP_DENIED/403 2710 GET
> http://www.unicef.org/ - NONE/- text/html
>
>
>
> #whitelist.txt
> .gov
> .sheepguardingllama.com
> .org
> .chromalloy.com
>
> #squid.conf
> #Recommended minimum configuration:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0

The comma in the above is not valid squid.conf syntax, and CIDR is preferred.
That line should be:
  acl localnet src 192.168.100.0/24 192.168.101.0/24

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
>
> http_access deny to_localhost
> icp_access deny all
> htcp_access deny all
>
> http_port 3128
> hierarchy_stoplist cgi-bin ?
> access_log /var/log/squid3/access.log squid
>
> #We recommend you to use the following two lines.
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY lines are now obsolete. Use the refresh_pattern mentioned
below.

>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add this pattern right here in the sequence:

  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid3
>
> acl whitelist dstdomain "/etc/squid3/whitelist.txt"
>
> http_access deny !localnet
> http_access deny !whitelist
> http_access deny all

Alternative to the way you have now:

 # Allow localnet machines to whitelisted sites
 http_access allow localnet whitelist

 # block all other access
 http_access deny all

This is a better alternative to just "http_access allow whitelist" which
would permit external people to visit the whitelisted sites as well as
internal machines.

Amos
Received on Tue May 25 2010 - 03:02:49 MDT
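To make the first-match behaviour of those http_access lists concrete, here is an added example (not from Amos or the Squid project) that simulates in Python how the poster's deny-only list and Amos's allow/deny alternative treat the logged request. It assumes a simplified model of Squid's evaluation: rules are scanned in order, the first rule whose ACL terms all match decides, and when nothing matches the opposite of the last rule's action applies; the whitelist text and client addresses are constructed from the thread.

```python
import ipaddress

# Constructed whitelist.txt as posted in the thread; '#' lines are skipped
# as comments (assumption: mirrors Squid's handling of quoted ACL files).
WHITELIST_TXT = "#whitelist.txt\n.gov\n.sheepguardingllama.com\n.org\n.chromalloy.com\n"
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "192.168.101.0/24")]

def load_dstdomain(text):
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def dstdomain_match(host, patterns):
    # Squid dstdomain: a leading dot matches the domain itself and all of its
    # subdomains; an entry without a leading dot matches only that exact host.
    host = host.lower().rstrip(".")
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in patterns)

def evaluate(rules, src_ip, host, whitelist):
    """Simplified http_access model: each rule is (action, [acl terms]), a
    leading '!' negates a term, all terms must match, first match wins; with
    no match Squid applies the opposite of the last rule's action."""
    acls = {"localnet": any(ipaddress.ip_address(src_ip) in n for n in LOCALNET),
            "whitelist": dstdomain_match(host, whitelist),
            "all": True}
    for action, terms in rules:
        if all(acls[t.lstrip("!")] != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The poster's original list: three deny lines and no allow at all.
ORIGINAL = [("deny", ["!localnet"]), ("deny", ["!whitelist"]), ("deny", ["all"])]
# Amos's alternative: only localnet clients, only to whitelisted sites.
FIXED = [("allow", ["localnet", "whitelist"]), ("deny", ["all"])]
# The weaker "allow whitelist" variant Amos warns against.
ALLOW_ANY_SRC = [("allow", ["whitelist"]), ("deny", ["all"])]

def run_cases():
    wl = load_dstdomain(WHITELIST_TXT)
    return {  # first entry is the logged request for http://www.unicef.org/
        "original_unicef": evaluate(ORIGINAL, "192.168.100.9", "www.unicef.org", wl),
        "fixed_unicef": evaluate(FIXED, "192.168.100.9", "www.unicef.org", wl),
        "fixed_not_listed": evaluate(FIXED, "192.168.100.9", "www.example.net", wl),
        "fixed_outside_client": evaluate(FIXED, "10.1.2.3", "www.unicef.org", wl),
        "allow_only_outside_client": evaluate(ALLOW_ANY_SRC, "10.1.2.3", "www.unicef.org", wl),
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```

The original list denies the whitelisted .org request because no rule ever allows anything, while the allow-only variant shows why Amos pairs `localnet` with `whitelist`: without the source check a client outside 192.168.100.0/24 and 192.168.101.0/24 is also admitted.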