Re: [squid-users] Whitelist domain ignored?

2016-10-07 Thread Matus UHLAR - fantomas

On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:

acl whitelist2 dstdom_regex -i "whitelist.acl"

Where whitelist.acl content:
^familymedicinepr\.com$
^mail\.yahoo\.com$
^neodecksoftware\.com$
^office\.net$
\.familymedicinepr\.com$
\.mail\.yahoo\.com$
\.neodecksoftware\.com$
\.office\.net$



On 10/05/2016 11:45 PM, Amos Jeffries wrote:

There is a simpler way if you are going to insist on regex instead of
dstdomain. Starting the pattern with an optional '.' character:  \.?

So whitelist.acl content:

\.?familymedicinepr\.com$
\.?mail\.yahoo\.com$
\.?neodecksoftware\.com$
\.?office\.net$



On Thu, Oct 6, 2016 at 1:28 PM, Alex Rousskov 
 wrote:

That simpler way is incorrect AFAICT: The top/correct ACL list does not
match "xoffice.net" but yours does.


On 06.10.16 13:52, Jose Torres-Berrocal wrote:

"dstdomain .office.net" does not match xoffice.net domain.  I do not
want to match xoffice.net with the regex.


That's precisely why Alex noted that Amos' regex is incorrect.

In fact:

acl whitelist2 dstdomain .neodecksoftware.com

is equivalent to:

acl whitelist2 dstdom_regex ^neodecksoftware\.com$ .*\.neodecksoftware\.com$

or:

acl whitelist2 dstdom_regex ^(.*\.)?neodecksoftware\.com$

because it matches the domain itself (neodecksoftware.com) as well as subdomains
(*.neodecksoftware.com).

And this is why Amos said that:
"Using dstdomain in this case is better though since the comparison is
shorter and faster than regex."

whenever you can, use dstdomain instead of dstdom_regex.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Whitelist domain ignored?

2016-10-06 Thread Jose Torres-Berrocal
Benjamin:

The situation is that I am using squid as a pfsense firewall package.
The squid package is made so that a user should enter a whitelist in a
GUI that, when saved, generates the squid.conf file.  Internally they
use dstdom_regex instead of dstdomain, so the whitelist should be
entered in the regex format, not the dstdomain format.

The squid package maintainer probably made a mistake or does not have a
full understanding of dstdom_regex, or was lazy explaining how the
whitelist box in his GUI was supposed to be used.

I want to know the correct format to make it work correctly and post
the formula in the pfsense forum, as others could benefit from your
support.   I want to provide how to use dstdomain within the package
GUI capacities and the correct regex use.  Others will decide the
solution they will use.


Jose E Torres
939-777-4030
JET System Services


On Thu, Oct 6, 2016 at 1:57 PM, Benjamin E. Nichols
 wrote:
> I think you are creating more work for yourself. What is the practical
> advantage of using regex when you clearly aren't doing URL blacklisting, but
> rather domain blacklisting? It's unnecessary and pointless.
>
>
>  Benjamin  E. Nichols
>
> http://www.squidblacklist.org
>
>
> 1-405-397-1360
>
>
> -- Original message--
>
> From: Jose Torres-Berrocal
>
> Date: Thu, Oct 6, 2016 12:52 PM
>
> To: Alex Rousskov;
>
> Cc: Squid Users;
>
> Subject:Re: [squid-users] Whitelist domain ignored?
>
>
> "dstdomain .office.net" does not match xoffice.net domain.  I do notwant to
> match xoffice.net with the regex.So I should use my own last version,
> right?Jose E Torres939-777-4030JET System ServicesOn Thu, Oct 6, 2016 at
> 1:28 PM, Alex Rousskov wrote:> On 10/05/2016 11:45 PM, Amos Jeffries
> wrote:>> On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:>>> acl
> whitelist2 dstdom_regex -i "whitelist.acl">> Where whitelist.acl
> content:>>> ^familymedicinepr.com$>>> ^mail.yahoo.com$>>>
> ^neodecksoftware.com$>>> ^office.net$>>> .familymedicinepr.com$>>>
> .mail.yahoo.com$>>> .neodecksoftware.com$>>> .office.net$ There is a
> simpler way if you are going to insisit on regex instead of>> dstdomain.
> Starting the pattern with an optional '.' character:  .? So
> whitelist.acl content: .?familymedicinepr.com$>> .?mail.yahoo.com$>>
> .?neodecksoftware.com$>> .?office.net$>> That simpler way is incorrect
> AFAICT: The top/correct ACL list does not> match "xoffice.net" but yours
> does.>> Alex.>___squid-users
> mailing
> listsquid-users@lists.squid-cache.orghttp://lists.squid-cache.org/listinfo/squid-users

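Jose's goal above, a formula that can be pasted into the regex-only whitelist box of the pfSense package and still behave like dstdomain, can be automated. The script below is an added example and not code from the thread, from pfSense or from Squid: it converts a dstdomain-style list into one anchored dstdom_regex pattern per entry, escaping every dot so it is matched literally, and checks each result against the bare name, a subdomain and a lookalike. The four leading-dot entries are the ones posted in the thread; the `login.example.net` entry and the comment lines are constructed to show the host-only case. It assumes the generated `acl` line keeps the `-i` flag, so case folding is left to Squid.

```python
import re

# Constructed stand-in for the whitelist box of the pfSense Squid package. The
# four leading-dot entries are copied from the posted whitelist.acl; the last
# entry is an invented host-only line added to show the no-leading-dot case.
GUI_WHITELIST = """\
# domain and all of its subdomains
.familymedicinepr.com
.mail.yahoo.com
.neodecksoftware.com
.office.net
# one exact host only (constructed example)
login.example.net
"""


def dstdomain_to_regex(entry: str) -> str:
    r"""Translate one dstdomain-style entry into the single dstdom_regex pattern
    that makes the same decision:

        .example.com    -> ^(.*\.)?example\.com$   domain plus every subdomain
        www.example.com -> ^www\.example\.com$     that one host only

    re.escape() turns every '.' into '\.', so a dot can no longer act as the
    any-character wildcard that made the posted file match the wrong hosts."""
    entry = entry.strip().lower()
    if entry.startswith("."):
        return r"^(.*\.)?" + re.escape(entry[1:]) + "$"
    return "^" + re.escape(entry) + "$"


def convert_whitelist(text: str) -> list:
    """Produce the lines to paste into the regex-based whitelist box, skipping
    blank lines and '#' comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            patterns.append(dstdomain_to_regex(line))
    return patterns


def self_check(entry: str) -> bool:
    """Confirm a converted entry behaves like dstdomain under 'dstdom_regex -i'
    (case-insensitive, unanchored search): the name and, for leading-dot
    entries, a subdomain must match; a lookalike with an extra leading
    character must not."""
    entry = entry.strip()
    pattern = re.compile(dstdomain_to_regex(entry), re.IGNORECASE)
    name = entry.lstrip(".")
    got = [bool(pattern.search(h)) for h in (name, "WWW." + name, "x" + name)]
    expected = [True, True, False] if entry.startswith(".") else [True, False, False]
    return got == expected


if __name__ == "__main__":
    for line in convert_whitelist(GUI_WHITELIST):
        print(line)
```

Run it and paste the printed lines into the whitelist box. Because every pattern is anchored with `^` and `$`, `xoffice.net` and `office.net.evil.example` stay blocked while `office.net` and `www.office.net` pass, which is exactly what `dstdomain .office.net` would do.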

Re: [squid-users] Whitelist domain ignored?

2016-10-06 Thread Jose Torres-Berrocal
"dstdomain .office.net" does not match xoffice.net domain.  I do not
want to match xoffice.net with the regex.

So I should use my own last version, right?
Jose E Torres
939-777-4030
JET System Services


On Thu, Oct 6, 2016 at 1:28 PM, Alex Rousskov
 wrote:
> On 10/05/2016 11:45 PM, Amos Jeffries wrote:
>> On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:
>>> acl whitelist2 dstdom_regex -i "whitelist.acl"
>>>
>>> Where whitelist.acl content:
>>> ^familymedicinepr\.com$
>>> ^mail\.yahoo\.com$
>>> ^neodecksoftware\.com$
>>> ^office\.net$
>>> \.familymedicinepr\.com$
>>> \.mail\.yahoo\.com$
>>> \.neodecksoftware\.com$
>>> \.office\.net$
>
>
>> There is a simpler way if you are going to insist on regex instead of
>> dstdomain. Starting the pattern with an optional '.' character:  \.?
>>
>> So whitelist.acl content:
>>
>> \.?familymedicinepr\.com$
>> \.?mail\.yahoo\.com$
>> \.?neodecksoftware\.com$
>> \.?office\.net$
>
> That simpler way is incorrect AFAICT: The top/correct ACL list does not
> match "xoffice.net" but yours does.
>
> Alex.
>


Re: [squid-users] Whitelist domain ignored?

2016-10-06 Thread Alex Rousskov
On 10/05/2016 11:45 PM, Amos Jeffries wrote:
> On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:
>> acl whitelist2 dstdom_regex -i "whitelist.acl"
>>
>> Where whitelist.acl content:
>> ^familymedicinepr\.com$
>> ^mail\.yahoo\.com$
>> ^neodecksoftware\.com$
>> ^office\.net$
>> \.familymedicinepr\.com$
>> \.mail\.yahoo\.com$
>> \.neodecksoftware\.com$
>> \.office\.net$


> There is a simpler way if you are going to insist on regex instead of
> dstdomain. Starting the pattern with an optional '.' character:  \.?
> 
> So whitelist.acl content:
> 
> \.?familymedicinepr\.com$
> \.?mail\.yahoo\.com$
> \.?neodecksoftware\.com$
> \.?office\.net$

That simpler way is incorrect AFAICT: The top/correct ACL list does not
match "xoffice.net" but yours does.

Alex.



Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Amos Jeffries
On 6/10/2016 11:56 a.m., Jose Torres-Berrocal wrote:
> Correcting typo:
> 
> And placing it inside a whitelist.acl file:
> acl whitelist2 dstdom_regex -i "whitelist.acl"
> 
> Where whitelist.acl content:
> ^familymedicinepr\.com$
> ^mail\.yahoo\.com$
> ^neodecksoftware\.com$
> ^office\.net$
> \.familymedicinepr\.com$
> \.mail\.yahoo\.com$
> \.neodecksoftware\.com$
> \.office\.net$
> 

Yes.

There is a simpler way if you are going to insist on regex instead of
dstdomain. Starting the pattern with an optional '.' character:  \.?

So whitelist.acl content:

\.?familymedicinepr\.com$
\.?mail\.yahoo\.com$
\.?neodecksoftware\.com$
\.?office\.net$


Using dstdomain in this case is better though since the comparison is
shorter and faster than regex.

Amos



Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Jose Torres-Berrocal
Let's try again:

acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
.neodecksoftware.com .office.net
=
acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
^neodecksoftware\.com$ ^office\.net$ \.familymedicinepr\.com$
\.mail\.yahoo\.com$ \.neodecksoftware\.com$ \.office\.net$

And placing it inside a whitelist.acl file:
acl whitelist2 dstdom_regex -i "whitelist.acl"

Where whitelist.acl content:
.^familymedicinepr\.com$
^mail\.yahoo\.com$
^neodecksoftware\.com$
^office\.net$
\.familymedicinepr\.com$
\.mail\.yahoo\.com$
\.neodecksoftware\.com$
\.office\.net$

Jose E Torres
939-777-4030
JET System Services


On Wed, Oct 5, 2016 at 5:07 PM, Alex Rousskov
 wrote:
> On 10/05/2016 02:59 PM, Jose Torres-Berrocal wrote:
>> Please confirm equivalence:
>>
>> 1.
>> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
>> .neodecksoftware.com .office.net
>> =
>> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
>> ^neodecksoftware\.com$ ^office\.net$
>>
>> OR
>>
>> 2.
>> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
>> .neodecksoftware.com .office.net
>> =
>> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
>> ^neodecksoftware\.com$ ^office\.net$ \familymedicinepr\.com$
>> \mail\.yahoo\.com$ \neodecksoftware\.com$ \office\.net$
>
>
> Neither pair contains equivalent ACLs. The second attempt was closer to
> the correct version but you missed the leading "." in the first of the
> two regular expressions for each domain. For example, it is
> "\.office\.net$" not "\office\.net$".
>
> I also recommend splitting dstdom_regex ACL into multiple lines, one
> regular expression per line, for readability sake.
>
>
> As others have already recommended, it is best to learn how regular
> expressions work before proceeding further. They are a very valuable
> tool for a sysadmin!
>
> Alex.
>
>
>> On Wed, Oct 5, 2016 at 4:43 PM, Alex Rousskov wrote:
>>> To map any leaf FQDN "foo.bar.baz":
>>>
>>>   1. start with "^";
>>>   2. add "foo.bar.baz" where every period is escaped with "\";
>>>   3. end with "$".
>>>
>>>   In summary, use the following regular expression: ^foo\.bar\.baz$
>>>
>>>
>>> To map a whole ".bar.baz" domain, including any subdomains, use the
>>> following two regular expressions:
>>>
>>>   \.bar\.baz$
>>>   ^bar\.baz$
>>>
>>> This untested suggestion is based on how regular expressions work; it
>>> assumes that Squid does not add anything to the specified expressions.
>


Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Jose Torres-Berrocal
Correcting typo:

And placing it inside a whitelist.acl file:
acl whitelist2 dstdom_regex -i "whitelist.acl"

Where whitelist.acl content:
^familymedicinepr\.com$
^mail\.yahoo\.com$
^neodecksoftware\.com$
^office\.net$
\.familymedicinepr\.com$
\.mail\.yahoo\.com$
\.neodecksoftware\.com$
\.office\.net$
Jose E Torres
939-777-4030
JET System Services


On Wed, Oct 5, 2016 at 6:53 PM, Jose Torres-Berrocal
 wrote:
> Let's try again:
>
> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
> .neodecksoftware.com .office.net
> =
> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
> ^neodecksoftware\.com$ ^office\.net$ \.familymedicinepr\.com$
> \.mail\.yahoo\.com$ \.neodecksoftware\.com$ \.office\.net$
>
> And placing it inside a whitelist.acl file:
> acl whitelist2 dstdom_regex -i "whitelist.acl"
>
> Where whitelist.acl content:
> .^familymedicinepr\.com$
> ^mail\.yahoo\.com$
> ^neodecksoftware\.com$
> ^office\.net$
> \.familymedicinepr\.com$
> \.mail\.yahoo\.com$
> \.neodecksoftware\.com$
> \.office\.net$
>
> Jose E Torres
> 939-777-4030
> JET System Services
>
>
> On Wed, Oct 5, 2016 at 5:07 PM, Alex Rousskov
>  wrote:
>> On 10/05/2016 02:59 PM, Jose Torres-Berrocal wrote:
>>> Please confirm equivalence:
>>>
>>> 1.
>>> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
>>> .neodecksoftware.com .office.net
>>> =
>>> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
>>> ^neodecksoftware\.com$ ^office\.net$
>>>
>>> OR
>>>
>>> 2.
>>> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
>>> .neodecksoftware.com .office.net
>>> =
>>> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
>>> ^neodecksoftware\.com$ ^office\.net$ \familymedicinepr\.com$
>>> \mail\.yahoo\.com$ \neodecksoftware\.com$ \office\.net$
>>
>>
>> Neither pair contains equivalent ACLs. The second attempt was closer to
>> the correct version but you missed the leading "." in the first of the
>> two regular expressions for each domain. For example, it is
>> "\.office\.net$" not "\office\.net$".
>>
>> I also recommend splitting dstdom_regex ACL into multiple lines, one
>> regular expression per line, for readability sake.
>>
>>
>> As others have already recommended, it is best to learn how regular
>> expressions work before proceeding further. They are a very valuable
>> tool for a sysadmin!
>>
>> Alex.
>>
>>
>>> On Wed, Oct 5, 2016 at 4:43 PM, Alex Rousskov wrote:
 To map any leaf FQDN "foo.bar.baz":

   1. start with "^";
   2. add "foo.bar.baz" where every period is escaped with "\";
   3. end with "$".

   In summary, use the following regular expression: ^foo\.bar\.baz$


 To map a whole ".bar.baz" domain, including any subdomains, use the
 following two regular expressions:

   \.bar\.baz$
   ^bar\.baz$

 This untested suggestion is based on how regular expressions work; it
 assumes that Squid does not add anything to the specified expressions.
>>


Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Alex Rousskov
On 10/05/2016 02:59 PM, Jose Torres-Berrocal wrote:
> Please confirm equivalence:
> 
> 1.
> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
> .neodecksoftware.com .office.net
> =
> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
> ^neodecksoftware\.com$ ^office\.net$
> 
> OR
> 
> 2.
> acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
> .neodecksoftware.com .office.net
> =
> acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
> ^neodecksoftware\.com$ ^office\.net$ \familymedicinepr\.com$
> \mail\.yahoo\.com$ \neodecksoftware\.com$ \office\.net$


Neither pair contains equivalent ACLs. The second attempt was closer to
the correct version but you missed the leading "." in the first of the
two regular expressions for each domain. For example, it is
"\.office\.net$" not "\office\.net$".

I also recommend splitting dstdom_regex ACL into multiple lines, one
regular expression per line, for readability sake.


As others have already recommended, it is best to learn how regular
expressions work before proceeding further. They are a very valuable
tool for a sysadmin!

Alex.


> On Wed, Oct 5, 2016 at 4:43 PM, Alex Rousskov wrote:
>> To map any leaf FQDN "foo.bar.baz":
>>
>>   1. start with "^";
>>   2. add "foo.bar.baz" where every period is escaped with "\";
>>   3. end with "$".
>>
>>   In summary, use the following regular expression: ^foo\.bar\.baz$
>>
>>
>> To map a whole ".bar.baz" domain, including any subdomains, use the
>> following two regular expressions:
>>
>>   \.bar\.baz$
>>   ^bar\.baz$
>>
>> This untested suggestion is based on how regular expressions work; it
>> assumes that Squid does not add anything to the specified expressions.



Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Jose Torres-Berrocal
Please confirm equivalence:

1.
acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
.neodecksoftware.com .office.net
=
acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
^neodecksoftware\.com$ ^office\.net$

OR

2.
acl whitelist1 dstdomain .familymedicinepr.com .mail.yahoo.com
.neodecksoftware.com .office.net
=
acl whitelist2 dstdom_regex ^familymedicinepr\.com$ ^mail\.yahoo\.com$
^neodecksoftware\.com$ ^office\.net$ \familymedicinepr\.com$
\mail\.yahoo\.com$ \neodecksoftware\.com$ \office\.net$
Jose E Torres
939-777-4030
JET System Services


On Wed, Oct 5, 2016 at 4:43 PM, Alex Rousskov
 wrote:
> On 10/05/2016 01:15 PM, Jose Torres-Berrocal wrote:
>> I would like to know how
>> I should enter the domains as to make it work correctly using
>> dstdom_regex behaving like dstdomain
>
> To map any leaf FQDN "foo.bar.baz":
>
>   1. start with "^";
>   2. add "foo.bar.baz" where every period is escaped with "\";
>   3. end with "$".
>
>   In summary, use the following regular expression: ^foo\.bar\.baz$
>
>
> To map a whole ".bar.baz" domain, including any subdomains, use the
> following two regular expressions:
>
>   \.bar\.baz$
>   ^bar\.baz$
>
> This untested suggestion is based on how regular expressions work; it
> assumes that Squid does not add anything to the specified expressions.
>
>
> HTH,
>
> Alex.
>


Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Alex Rousskov
On 10/05/2016 01:15 PM, Jose Torres-Berrocal wrote:
> I would like to know how
> I should enter the domains as to make it work correctly using
> dstdom_regex behaving like dstdomain

To map any leaf FQDN "foo.bar.baz":

  1. start with "^";
  2. add "foo.bar.baz" where every period is escaped with "\";
  3. end with "$".

  In summary, use the following regular expression: ^foo\.bar\.baz$


To map a whole ".bar.baz" domain, including any subdomains, use the
following two regular expressions:

  \.bar\.baz$
  ^bar\.baz$

This untested suggestion is based on how regular expressions work; it
assumes that Squid does not add anything to the specified expressions.


HTH,

Alex.



Re: [squid-users] Whitelist domain ignored?

2016-10-05 Thread Jose Torres-Berrocal
The situation is that I am using squid on the pfsense firewall.  Squid
is available as a package with a GUI interface.  The whitelist is part
of the sections provided by the GUI, and somehow entering the domains
as the list that I provided does work for most of the domains but
fails for others.  The squid.conf is generated by the GUI and uses
dstdom_regex for the whitelist.  It has a custom area where I can place
the lines to use dstdomain, and that works.  But I would like to know how
I should enter the domains to make it work correctly using
dstdom_regex behaving like dstdomain.

Jose E Torres
939-777-4030
JET System Services


On Wed, Oct 5, 2016 at 12:10 PM, Jok Thuau  wrote:
>
>
> On Tue, Oct 4, 2016 at 6:01 PM, Jose Torres-Berrocal
>  wrote:
>>
>> > /var/squid/acl/whitelist.acl:
>>
>> [snip]
>> >
>> > .assertus.com
>> > .neodecksoftware.com
>>
>>
>> your whitelist for this domain says that it has "something" followed
>> by that domain name...
>>
>> >
>> >
>> > .office.net
>>
>> 1. Each domain is on a separate line; why is the next line considered
>> part of the same pattern?
>>
>> in the end, your regular expression doesn't match.
>> "." means "any single character". you should replace that line with
>> something like this:
>> ^neodecksoftware\.com
>>
>> 2. Then I should change each domain line to resemble your suggested
>> pattern?
>>
>> ^assertus\.com
>> ^neodecksoftware\.com
>> ^office\.net
>>
>
> Well, not quite that simple. That pattern will block "www.office.net", which
> is probably not what you want. That pattern would only fix the one I
> mentioned (which doesn't use "www" or anything else in front of the domain).
> The "^" is an anchor for the beginning of the string. That would exclude any
> of the sub-domains.
>
> In the end, I believe Alex's suggestion (to change from dstdom_regex to
> dstdomain) will be simpler, and will do what you expect (where if you list
> ".something.tld", it will accept both "www.something.tld" and
> "something.tld"). Refer to the documentation and examples to understand how
> that is being handled.
>
> I would suggest you research regular expressions. Visit and play with
> regex101.com -- The explanation panel on the side will do wonders to
> demystify the pattern I provided.
>
> see:
> https://regex101.com/r/hVu6vX/3
>
> Thanks,
> Jok
>


Re: [squid-users] Whitelist domain ignored?

2016-10-04 Thread Alex Rousskov
On 10/04/2016 05:16 PM, Jok Thuau wrote:
> On Tue, Oct 4, 2016 at 1:41 PM, Jose Torres-Berrocal wrote:

>> I have some clients that use a program that tries to connect to:
>> https://neodecksoftware.com/NeoMedOnline/NeoMedOnlineService.svc


>> /var/squid/acl/whitelist.acl:

>> .assertus.com
>> .neodecksoftware.com


> your whitelist for this domain says that it has "something" followed by
> that domain name...

Good catch! Actually, the problem is even worse. The dstdom_regex will
match even notneodecksoftwarexcom.org IIRC.


>> acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"

Perhaps the configuration author meant to say dstdomain instead of
dstdom_regex? Are there any intentional regular expressions in
/var/squid/acl/whitelist.acl?

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Whitelist domain ignored?

2016-10-04 Thread Jok Thuau
On Tue, Oct 4, 2016 at 1:41 PM, Jose Torres-Berrocal <
jetsystemservi...@gmail.com> wrote:

> I do not know the correct terms for the problem I have.
>
> I have some clients that use a program that tries to connect to:
> https://neodecksoftware.com/NeoMedOnline/NeoMedOnlineService.svc
>
>
note that there is nothing between "//" and "neodecksoftware.com"...

[snip]

>
> 
> --
> 1475581614.208  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
> 1475582327.774  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
>
>
note that the ACL applies on that connect string. Specifically "neodecksoftware.com"



> /var/squid/acl/whitelist.acl:
>
[snip]

> .assertus.com
> .neodecksoftware.com


your whitelist for this domain says that it has "something" followed by
that domain name...


>
> .office.net

[snip]


>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 192.168.1.1:3128
> http_port 127.0.0.1:3128
>
[snip]

> acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
>

and your ACL refers to a regular expression...


> http_access allow manager localhost
>
[snip]

> # Always allow access to whitelist domains
> http_access allow whitelist
>

and you allow that whitelist...

in the end, your regular expression doesn't match.
"." means "any single character". you should replace that line with
something like this:
^neodecksoftware\.com

(this is untested).

Note that all your entries need adjusting as well (they may be working, but
not matching the way you think they do).

HTH,
Jok

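The decisions made in this thread (Jok's and Alex's diagnosis of the unescaped `.neodecksoftware.com` pattern, Alex's two anchored patterns per domain, Amos's `\.?` shortcut and Alex's `xoffice.net` objection to it, and Matus's single `^(.*\.)?` form) can be checked side by side. The script below is an added example, not code from the thread, from pfSense or from Squid: it emulates the leading-dot semantics of Squid's dstdomain ACL in Python and runs each candidate dstdom_regex list over a constructed set of hostnames. Only `neodecksoftware.com` comes from the posted access.log; the other hostnames are lookalikes chosen to expose each pattern's mistakes. Python's `re.search` with `IGNORECASE` stands in for Squid's unanchored POSIX `regexec` under `-i`; for these patterns the two engines agree.

```python
import re

# Constructed test hostnames. Only "neodecksoftware.com" appears in the posted
# access.log; the others are lookalikes chosen to expose each pattern's mistakes.
HOSTS = [
    "neodecksoftware.com",
    "www.neodecksoftware.com",
    "xneodecksoftware.com",
    "notneodecksoftwarexcom.org",
    "office.net",
    "www.office.net",
    "xoffice.net",
    "office.net.evil.example",
]

# The two dstdomain entries from the posted whitelist that the thread discusses.
DSTDOMAIN_ENTRIES = [".neodecksoftware.com", ".office.net"]

# Candidate dstdom_regex lists proposed in the thread, keyed by the idea behind each.
CANDIDATES = {
    # the posted file: dstdomain notation fed to dstdom_regex, dots unescaped
    "unescaped": [r".neodecksoftware.com", r".office.net"],
    # Alex: two anchored patterns per domain
    "anchored_pair": [r"^neodecksoftware\.com$", r"\.neodecksoftware\.com$",
                      r"^office\.net$", r"\.office\.net$"],
    # Amos: optional leading dot
    "optional_dot": [r"\.?neodecksoftware\.com$", r"\.?office\.net$"],
    # Matus: optional subdomain prefix in one pattern
    "optional_subdomain": [r"^(.*\.)?neodecksoftware\.com$", r"^(.*\.)?office\.net$"],
}


def dstdomain_match(entry: str, host: str) -> bool:
    """Emulate one Squid dstdomain entry: a leading '.' matches the domain itself
    and every subdomain; without it only the exact host matches. Squid compares
    case-insensitively, so both sides are lower-cased first."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def dstdom_regex_match(patterns, host: str) -> bool:
    """Emulate 'dstdom_regex -i': the ACL matches if any pattern is found anywhere
    in the host (unanchored search, like POSIX regexec), ignoring case."""
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def disagreements(candidate: str) -> list:
    """Hosts on which the candidate regex list decides differently from dstdomain."""
    want = {h: any(dstdomain_match(e, h) for e in DSTDOMAIN_ENTRIES) for h in HOSTS}
    got = {h: dstdom_regex_match(CANDIDATES[candidate], h) for h in HOSTS}
    return [h for h in HOSTS if want[h] != got[h]]


if __name__ == "__main__":
    for name in CANDIDATES:
        bad = disagreements(name)
        verdict = "equivalent to dstdomain" if not bad else "differs on: " + ", ".join(bad)
        print(f"{name:20s} {verdict}")
```

The unescaped list fails both ways: it misses the bare `neodecksoftware.com` and `office.net` (a wildcard character is required before the name) and accepts `xoffice.net` and `notneodecksoftwarexcom.org`. Amos's `\.?` form fixes the misses but still accepts `xoffice.net`, as Alex pointed out. Only the anchored pair and the `^(.*\.)?` form agree with dstdomain on every host, and dstdomain itself remains the cheaper choice when the list is available.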

Re: [squid-users] Whitelist domain ignored?

2016-10-04 Thread Benjamin E. Nichols

Yes we can see your messages to the group..

While I'm responding, this doesn't address your problem, but we have a free
whitelist that we maintain you may or may not be interested in, but it's
quite a bit larger. No adult, and no torrent sites.


http://www.squidblacklist.org/downloads/whitelist.txt




Good Luck!


On 10/4/2016 4:22 PM, Jose Torres-Berrocal wrote:

Just to confirm that I sent the email

Jose E Torres
939-777-4030
JET System Services


On Tue, Oct 4, 2016 at 4:41 PM, Jose Torres-Berrocal
 wrote:

I do not know the correct terms for the problem I have.

I have some clients that use a program that tries to connect to:
https://neodecksoftware.com/NeoMedOnline/NeoMedOnlineService.svc

Went to the access.log and found that neodecksoftware.com is being
denied even though I have it in a whitelist file.

The below info is the error lines found, the whitelist file content,
and the squid conf:

--
1475581614.208  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
neodecksoftware.com:443 - HIER_NONE/- text/html
1475582327.774  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
neodecksoftware.com:443 - HIER_NONE/- text/html

/var/squid/acl/whitelist.acl:
.familymedicinepr.com
.anydesk.com
.teamviewer.com
.secureserver.net
.gmail.com
.mail.yahoo.com
.outlook.com
.aol.com
.libertypr.net
.coqui.net
.prtc.net
.assertus.com
.neodecksoftware.com
.office.net
.microsoft.com
.office.com
.live.com

# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128
http_port 127.0.0.1:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname pfsense
cache_mgr jetsystemservi...@gmail.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 31
debug_options rotate=31
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24 127.0.0.0/8
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 512 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB

offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


#Remote proxies


# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 444
acl sslports port 443 563  444

# From 3.2 further configuration cleanups have been done to make
things easier and safer. The manager, localhost, and to_localhost ACL
definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings


# Custom options before auth
connect_timeout 2

# Always allow access to whitelist domains
http_access allow whitelist
auth_param basic program /usr/local/libexec/squid/basic_radius_auth -w Maint4030 -h pfsense -p
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
# Custom options after auth


http_access allow password localnet
# Default block all to be sure
http_access deny allsrc

--

Cordially,
Jose

Re: [squid-users] Whitelist domain ignored?

2016-10-04 Thread Jose Torres-Berrocal
Just to confirm that I sent the email

Jose E Torres
939-777-4030
JET System Services


On Tue, Oct 4, 2016 at 4:41 PM, Jose Torres-Berrocal
 wrote:
> I do not know the correct terms for the problem I have.
>
> I have some clients that use a program that tries to connect to:
> https://neodecksoftware.com/NeoMedOnline/NeoMedOnlineService.svc
>
> Went to the access.log and found that neodecksoftware.com is being
> denied even though I have it in a whitelist file.
>
> The below info is the error lines found, the whitelist file content,
> and the squid conf:
>
> --
> 1475581614.208  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
> 1475582327.774  0 192.168.1.20 TCP_DENIED/407 3917 CONNECT
> neodecksoftware.com:443 - HIER_NONE/- text/html
>
> /var/squid/acl/whitelist.acl:
> .familymedicinepr.com
> .anydesk.com
> .teamviewer.com
> .secureserver.net
> .gmail.com
> .mail.yahoo.com
> .outlook.com
> .aol.com
> .libertypr.net
> .coqui.net
> .prtc.net
> .assertus.com
> .neodecksoftware.com
> .office.net
> .microsoft.com
> .office.com
> .live.com
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 192.168.1.1:3128
> http_port 127.0.0.1:3128
> icp_port 0
> dns_v4_first off
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/local/etc/squid/icons
> visible_hostname pfsense
> cache_mgr jetsystemservi...@gmail.com
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger
>
> logfile_rotate 31
> debug_options rotate=31
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src  192.168.1.0/24 127.0.0.0/8
> forwarded_for on
> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin \?
> cache deny dynamic
>
> cache_mem 512 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 4 MB
>
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> cache allow all
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #Remote proxies
>
>
> # Setup some default acls
> # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
> # acl localhost src 127.0.0.1/32
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535 444
> acl sslports port 443 563  444
>
> # From 3.2 further configuration cleanups have been done to make
> things easier and safer. The manager, localhost, and to_localhost ACL
> definitions are now built-in.
> #acl manager proto cache_object
>
> acl purge method PURGE
> acl connect method CONNECT
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> # From 3.2 further configuration cleanups have been done to make things easier and safer.
> # The manager, localhost, and to_localhost ACL definitions are now built-in.
> # http_access allow localhost
>
> request_body_max_size 0 KB
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc
>
> # Reverse Proxy settings
>
>
> # Custom options before auth
> connect_timeout 2
>
> # Always allow access to whitelist domains
> http_access allow whitelist
> auth_param basic program /usr/local/libexec/squid/basic_radius_auth -w Maint4030 -h pfsense -p
> auth_param basic children 5
> auth_param basic realm Please enter your credentials to access the proxy
> auth_param basic credentialsttl 5 minutes
> acl password proxy_auth REQUIRED
> # Custom options after auth
>
>
> http_access allow password localnet
> # Default block all to be sure
> http_access deny allsrc
>
> --
>
> Cordially,
> Jose