RE: Squid ACLs does not work

2000-03-26 Thread C. Falconer
I disagree with your disagreement -grin-

Plain ACLs are too slow especially on a large and/or busy cache.

--
From:   Onno[SMTP:[EMAIL PROTECTED]
Sent:   Sunday, 26 March 2000 12:58 AM
To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Cc: 'debian-user@lists.debian.org'
Subject:Re: Squid ACLs does not work

At 11:35 AM 3/24/00 +1200, C. Falconer wrote:
[snip]
Squid ACLs are messy and not really intended for filtering based on URLs - 
rather they seem to be for controlling what machines can access your squid 
cache, and which domains your clients get direct (uncached) access to.

I do not agree with you: 

acl proxyallow url_regex /etc/squid.allow
acl proxydeny  url_regex /etc/squid.deny

and

http_access allow proxyallow allowed_hosts
http_access deny proxydeny
http_access allow allowed_hosts
http_access deny all

In my squid file do the job just fine!

The allow and deny files are all the tools you need.
The keywords are flat ASCII and row based and give 
all the flexibility you need. I don't see the need 
for any extra software.

Regards,

Onno



-- 
Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED]  /dev/null



RE: Squid ACLs does not work

2000-03-26 Thread Onno
Can you give me any figures?

Regards,

Onno

At 01:26 PM 3/26/00 +1200, C. Falconer wrote:
I disagree with your disagreement -grin-

Plain ACLs are too slow especially on a large and/or busy cache.

--
From:  Onno[SMTP:[EMAIL PROTECTED]
Sent:  Sunday, 26 March 2000 12:58 AM
To:[EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Cc:'debian-user@lists.debian.org'
Subject:   Re: Squid ACLs does not work

At 11:35 AM 3/24/00 +1200, C. Falconer wrote:
[snip]
Squid ACLs are messy and not really intended for filtering based on URLs - 
rather they seem to be for controlling what machines can access your squid 
cache, and which domains your clients get direct (uncached) access to.

I do not agree with you: 

acl proxyallow url_regex /etc/squid.allow
acl proxydeny  url_regex /etc/squid.deny

and

http_access allow proxyallow allowed_hosts
http_access deny proxydeny
http_access allow allowed_hosts
http_access deny all

In my squid file do the job just fine!

The allow and deny files are all the tools you need.
The keywords are flat ASCII and row based and give 
all the flexibility you need. I don't see the need 
for any extra software.

Regards,

Onno









Re: Squid ACLs does not work

2000-03-25 Thread John Pearson
OK, I've tried it on my setup and the answer seems to be that
you have your http_access statements in the wrong order;
try re-arranging this section of squid.conf as follows:

  http_access allow manager localhost
  http_access deny manager
  http_access allow purge localhost
  http_access deny purge
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access deny BanDomains
  http_access allow localdomain

AFAICT, squid uses the first matching ACL that it can find;
because you had
 http_access allow localdomain
at the head of the list, squid allows any request from
localdomain without reference to subsequent controls.  This
would also make it important to place these http_access
statements after those controlling access to the cachemanager,
etc.

On Fri, Mar 24, 2000 at 09:09:04PM +0100, [EMAIL PROTECTED] wrote
 Yes, I ran /etc/init.d/squid restart to reload the config file and the
 /etc/ban_domains.squid is readable to all, so this should not be a problem.
 
 Sven
 
 On 24-Mar-2000 John Pearson wrote:
  On Thu, Mar 23, 2000 at 11:13:42PM +0100, [EMAIL PROTECTED] wrote
  Hi,
  
  I have some problems with squid and its ACLs.
  
  I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
  My ACL section in /etc/squid.conf looks like the following.
  
  acl all src 0.0.0.0/0.0.0.0
  acl manager proto cache_object
  acl localhost src 127.0.0.1/255.255.255.255
  acl SSL_ports port 443 563
  acl Safe_ports port 80 21 443 563 70 210 1025-65535
  acl purge method PURGE
  acl CONNECT method CONNECT
  acl BanDomains dstdomain /etc/ban_domains.squid
  acl localdomain srcdomain localdomain.own
  :
  http_access allow localdomain
  http_access deny BanDomains
  http_access allow manager localhost
  http_access deny manager
  http_access allow purge localhost
  http_access deny purge
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  
  And the file /etc/ban_domains.squid looks like...
  netscape.com
  microsoft.com
  msdn.com
  realnetworks.com
  
  But when I try to connect to www.microsoft.com the proxy resolves the 
  hostname
  and connects. (My browser is configured to use the proxy, of course...).
  
  Does anyone have an idea where I made a mistake?
  
  

HTH,


John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Oh - I - you know - my job is to fear everything. - Bill Gates in Denmark
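
The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not Squid's code) that evaluates both orderings of the thread's http_access lines against constructed requests. Domain matching is reduced to suffix matching as an assumption, the no-match fallback follows Squid's documented "opposite of the last line" rule, and `evaluate`, `request` and the client host names are names chosen for this sketch.

```python
# Added example: a simplified model of first-match http_access evaluation.
# Not Squid's code; ACL matching is reduced to what this thread's config needs.
BANNED = {"netscape.com", "microsoft.com", "msdn.com", "realnetworks.com"}

def in_domain(host, domains):
    # Assumption: a listed domain matches that host and its subdomains.
    return any(host == d or host.endswith("." + d) for d in domains)

ACLS = {  # ACL name -> predicate over a constructed request dict
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "Safe_ports": lambda r: r["port"] in (80, 21, 443, 563, 70, 210)
                            or 1025 <= r["port"] <= 65535,
    "purge": lambda r: r["method"] == "PURGE",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "BanDomains": lambda r: in_domain(r["host"], BANNED),
    "localdomain": lambda r: in_domain(r["src_host"], {"localdomain.own"}),
}

COMMON = """http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports"""
ORIGINAL = "http_access allow localdomain\nhttp_access deny BanDomains\n" + COMMON
REORDERED = COMMON + "\nhttp_access deny BanDomains\nhttp_access allow localdomain"

def evaluate(rules, req):
    """Return (action, deciding line); ACLs on one line are ANDed, '!' negates."""
    action = "deny"
    for line in rules.splitlines():
        _, action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    # Squid documents the fallback as the opposite of the last line's action.
    return ("deny" if action == "allow" else "allow"), "(no line matched)"

def request(src_host, host, port=80, method="GET", proto="http", src="192.168.1.10"):
    return dict(src_host=src_host, host=host, port=port, method=method,
                proto=proto, src=src)

if __name__ == "__main__":
    inside = request("pc1.localdomain.own", "www.microsoft.com")  # constructed
    outside = request("pc.elsewhere.example", "www.debian.org")   # constructed
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, evaluate(rules, inside), evaluate(rules, outside))
```

In this model the original ordering also falls through to "allow" for a client outside localdomain, because its last line is a deny; ending the list with an explicit `http_access deny all`, as the allow/deny list elsewhere in this thread does, removes that dependence on the fallback.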


Re: Squid ACLs does not work

2000-03-25 Thread Onno
At 11:35 AM 3/24/00 +1200, C. Falconer wrote:
[snip]
Squid ACLs are messy and not really intended for filtering based on URLs - 
rather they seem to be for controlling what machines can access your squid 
cache, and which domains your clients get direct (uncached) access to.

I do not agree with you: 

acl proxyallow url_regex /etc/squid.allow
acl proxydeny  url_regex /etc/squid.deny

and

http_access allow proxyallow allowed_hosts
http_access deny proxydeny
http_access allow allowed_hosts
http_access deny all

In my squid file do the job just fine!

The allow and deny files are all the tools you need.
The keywords are flat ASCII and row based and give 
all the flexibility you need. I don't see the need 
for any extra software.

Regards,

Onno



Re: Squid ACLs does not work

2000-03-24 Thread C. Falconer
Gidday dude.  (cc'd to the list because your email address is poked.)

I run squid as the sole cache for a medium sized school network (100 PCs in 
an NT domain with a satellite dish at about 400 kbit/s)

We need to censor (or be seen to make an effort to censor) web content. 
 First we used Cyberpatrol and MS Proxy on the NT server, but a twin PII 
350 NT server could not keep up with it.  So I used squidGuard (with a G) 
and squid to filter.

squidGuard is an external redirector - squid will spawn X copies of it and 
use them to check a URL.  squidGuard can have a million URLs and will only 
take a second to scan, or about 10 to 12 regular expressions will add a 
second too.

I simply use the regexp   /ad/|/ads/|/chat/|/irc/|/mail/ and that blocks 50% 
of sites we don't want (chat rooms and web based email).  When I see a 
site flit past on the console or see a student using one that should be 
blocked I simply add it to a raw text file, which is then compiled into a 
Berkeley DB and squid gets reconfigured.

Squid ACLs are messy and not really intended for filtering based on URLs - 
rather they seem to be for controlling what machines can access your squid 
cache, and which domains your clients get direct (uncached) access to.

Yell out if you want a copy of my filter files.

--
From:   [EMAIL PROTECTED]:[EMAIL PROTECTED]
Sent:   Friday, 24 March 2000 10:13 AM
To: debian-user@lists.debian.org
Subject:Squid ACLs does not work

Hi,

I have some problems with squid and its ACLs.

I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
My ACL section in /etc/squid.conf looks like the following.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl BanDomains dstdomain /etc/ban_domains.squid
acl localdomain srcdomain localdomain.own
:
http_access allow localdomain
http_access deny BanDomains
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

And the file /etc/ban_domains.squid looks like...
netscape.com
microsoft.com
msdn.com
realnetworks.com

But when I try to connect to www.microsoft.com the proxy resolves the 
hostname
and connects. (My browser is configured to use the proxy, of course...).

Does anyone have an idea where I made a mistake?

Thanks.

Sven

--
Please reply only to
[EMAIL PROTECTED]
--
Date: 23-Mar-2000
Time: 23:07:15
--








Re: Squid ACLs does not work

2000-03-24 Thread John Pearson
On Thu, Mar 23, 2000 at 11:13:42PM +0100, [EMAIL PROTECTED] wrote
 Hi,
 
 I have some problems with squid and its ACLs.
 
 I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
 My ACL section in /etc/squid.conf looks like the following.
 
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl SSL_ports port 443 563
 acl Safe_ports port 80 21 443 563 70 210 1025-65535
 acl purge method PURGE
 acl CONNECT method CONNECT
 acl BanDomains dstdomain /etc/ban_domains.squid
 acl localdomain srcdomain localdomain.own
 :
 http_access allow localdomain
 http_access deny BanDomains
 http_access allow manager localhost
 http_access deny manager
 http_access allow purge localhost
 http_access deny purge
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 And the file /etc/ban_domains.squid looks like...
 netscape.com
 microsoft.com
 msdn.com
 realnetworks.com
 
 But when I try to connect to www.microsoft.com the proxy resolves the hostname
 and connects. (My browser is configured to use the proxy, of course...).
 
 Does anyone have an idea where I made a mistake?
 

I'm assuming that squid's file ACLs work; I've never used them myself.

Is /etc/ban_domains.squid readable by the user which Squid is running
as?  Have you done /etc/init.d/squid reload since adding those
domains to the file?


John P.
-- 
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Oh - I - you know - my job is to fear everything. - Bill Gates in Denmark


Re: Squid ACLs does not work

2000-03-24 Thread sgaerner
Yes, I ran /etc/init.d/squid restart to reload the config file and the
/etc/ban_domains.squid is readable to all, so this should not be a problem.

Sven

On 24-Mar-2000 John Pearson wrote:
 On Thu, Mar 23, 2000 at 11:13:42PM +0100, [EMAIL PROTECTED] wrote
 Hi,
 
 I have some problems with squid and its ACLs.
 
 I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
 My ACL section in /etc/squid.conf looks like the following.
 
 acl all src 0.0.0.0/0.0.0.0
 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl SSL_ports port 443 563
 acl Safe_ports port 80 21 443 563 70 210 1025-65535
 acl purge method PURGE
 acl CONNECT method CONNECT
 acl BanDomains dstdomain /etc/ban_domains.squid
 acl localdomain srcdomain localdomain.own
 :
 http_access allow localdomain
 http_access deny BanDomains
 http_access allow manager localhost
 http_access deny manager
 http_access allow purge localhost
 http_access deny purge
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 
 And the file /etc/ban_domains.squid looks like...
 netscape.com
 microsoft.com
 msdn.com
 realnetworks.com
 
 But when I try to connect to www.microsoft.com the proxy resolves the hostname
 and connects. (My browser is configured to use the proxy, of course...).
 
 Does anyone have an idea where I made a mistake?
 
 
 I'm assuming that squid's file ACLs work; I've never used them myself.
 
 Is /etc/ban_domains.squid readable by the user which Squid is running
 as?  Have you done /etc/init.d/squid reload since adding those
 domains to the file?
 
 
 John P.
 -- 
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 Oh - I - you know - my job is to fear everything. - Bill Gates in Denmark
 
 

--
Please reply only to
[EMAIL PROTECTED]
--
Date: 24-Mar-2000
Time: 21:07:50
--


Squid ACLs does not work

2000-03-23 Thread sgaerner
Hi,

I have some problems with squid and its ACLs.

I'm using Debian 2.2 with Kernel 2.2.13 and squid 2.2STABLE5.
My ACL section in /etc/squid.conf looks like the following.

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl BanDomains dstdomain /etc/ban_domains.squid
acl localdomain srcdomain localdomain.own
:
http_access allow localdomain
http_access deny BanDomains
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

And the file /etc/ban_domains.squid looks like...
netscape.com
microsoft.com
msdn.com
realnetworks.com

But when I try to connect to www.microsoft.com the proxy resolves the hostname
and connects. (My browser is configured to use the proxy, of course...).

Does anyone have an idea where I made a mistake?

Thanks.

Sven

--
Please reply only to
[EMAIL PROTECTED]
--
Date: 23-Mar-2000
Time: 23:07:15
--