[squid-users] Website is not displayed correctly
Hi List,

We are running Squid Proxy in Transparent mode and have recently encountered a problem accessing the http://www.grasshopper3d.com/ website, wherein the site is not displayed correctly. For example, images on that website are not displayed and the text is not formatted. I also tried accessing the site through my extra router, and there the site is displayed correctly. What do you think is causing the problem?

Regards,
Malvin
Re: [squid-users] Website is not displayed correctly
Thanks. Can you show me some sample code, please?

Regards,
Malvin

On 8/18/2011 5:09 PM, bilalma...@gmail.com wrote:
You can make a no-cache site list and add this website to the list.

--Original Message--
From: Malvin Rito
To: squid-users@squid-cache.org
ReplyTo: mr...@mail.altcladding.com.ph
Subject: [squid-users] Website is not displayed correctly
Sent: Aug 18, 2011 12:03 PM

> Hi List, We are running Squid Proxy in Transparent mode and have recently encountered a problem accessing the http://www.grasshopper3d.com/ website, wherein the site is not displayed correctly. For example, images on that website are not displayed and the text is not formatted. I also tried accessing the site through my extra router, and there the site is displayed correctly. What do you think is causing the problem? Regards, Malvin

Best Regards
~ Bilal J.Mahdi
Sat-Link Inc
[squid-users] Traffic Monitoring
Hi List,

I'm currently using Squid as a Transparent Proxy. I am able to view or monitor HTTP traffic, but not all traffic, such as HTTPS and FTP. Can anyone assist me on how I can monitor all the traffic that goes out of my network?

Regards,
Malvin
Re: [squid-users] Block HTTPS website
Thanks Amos. By the way, my squid is currently set up as a Transparent Proxy; do you think it will block HTTPS connections? How? Sorry, I am just not too familiar with Squid config.

Regards,
Malvin

On 5/20/2011 9:06 PM, Amos Jeffries wrote:
On 20/05/11 21:54, Malvin Rito wrote:
> Here is my config:

Okay, should have worked where you placed it. What you need to do is add .facebook.com on a line in /etc/squid/restricted-sites.acl. That will block facebook.com access for both HTTP and HTTPS with your config. The . at the start of the value is important.

Also, check that there is no .com or .facebook.com entry in /etc/squid/whitelist.acl

NOTE: Blocking HTTPS only works if the browser is passing HTTPS through Squid. If the browser is going directly to port 443 on its own, Squid cannot help.

The config as a whole has a lot of speed problems. The rest of this mail is some extra hints about changes that will speed up the proxy ...

<snip>
> #Allow certain Host on denied site
> acl NO_RESTRICTIONS src 172.16.9.52
> acl NO_RESTRICTIONS src 172.16.9.121
> acl NO_RESTRICTIONS src 172.16.9.199
> acl NO_RESTRICTIONS src 172.16.9.106
> acl NO_RESTRICTIONS src 172.16.9.122
> acl NO_RESTRICTIONS src 172.16.9.100
> acl NO_RESTRICTIONS src 172.16.9.244
> acl NO_RESTRICTIONS src 172.16.9.241
> acl NO_RESTRICTIONS src 172.16.9.239
> acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to
>
> # unblock some sites during lunch time
> acl LUNCHTIME time MTWHFSA 12:01-13:00
> acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
> acl OFFICEHOUR2 time MTWHFSA 00:01-12:00
>
> no_cache deny all

no_cache is obsolete. If you want to not cache, change it to "cache deny all". If you want Squid to optimize speed a bit by caching some items for fast re-use, remove the line.

> acl whitelist dstdomain /etc/squid/whitelist.acl
<snip>
> #Block Restricted Websites by Domain Name
> acl BadSites dstdomain /etc/squid/restricted-sites.acl
> deny_info ERR_BLOCKED_SITES BadSites
<snip>
> #Block Restricted Websites by IP Address
> acl BadSitesIP dstdomain /etc/squid/restricted-IPaddress.acl
> deny_info ERR_BLOCKED_SITES BadSitesIP

You can drop the BadSitesIP ACL entirely. Add this instead:

  acl BadSites dstdomain /etc/squid/restricted-IPaddress.acl

NP: there are also http_access changes which need to happen with that name change.

<snip>
> http_access allow whitelist

I assume NO_RESTRICTIONS means you want those hosts not to be restricted. To do that you want to put this line here:

  http_access allow NO_RESTRICTIONS

... then you can remove it from all the later http_access lines:

> http_access deny blockfiles !NO_RESTRICTIONS
> http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
> http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
> #http_access deny restricted_HTTPS_sites OFFICEHOUR1
> #http_access deny restricted_HTTPS_sites OFFICEHOUR2
> http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
> http_access deny BadSitesIP !NO_RESTRICTIONS
> http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS

<snip>

Those few dozen Team http_access lines can be combined into one single ACL. Like this:

  #Joy Team
  acl RestrictedHost src 172.16.9.82  # jcpinto
  acl RestrictedHost src 172.16.9.86  # _mmvillar
  acl RestrictedHost src 172.16.9.116 # _djcarino
  #nINETH Team
  acl RestrictedHost src 172.16.9.85  # _ebinay
  #Thes Team
  #acl RestrictedHost src 172.16.9.90  # _aaquino
  acl RestrictedHost src 172.16.9.91  # _rbasa
  acl RestrictedHost src 172.16.9.81  # _jbadong
  acl RestrictedHost src 172.16.9.104 # _dbalino
  #acl RestrictedHost src 172.16.9.115 # _rfrancisco
  #Richard A. Team
  #acl RestrictedHost src 172.16.9.101 # _raraw
  acl RestrictedHost src 172.16.9.35  # _lmusni
  acl RestrictedHost src 172.16.9.100 # _mmendoza
  #Jhun Team
  acl RestrictedHost src 172.16.9.119 # _jcruzado
  acl RestrictedHost src 172.16.9.109 # _glustre
  acl RestrictedHost src 172.16.9.111 # _jrmaganis
  acl RestrictedHost src 172.16.9.252 # _earellano
  acl RestrictedHost src 172.16.9.80  # _jmprimicias
  #Ranel Team
  acl RestrictedHost src 172.16.9.114 # _jbautista
  acl RestrictedHost src 172.16.9.117 # _jlmallari
  acl RestrictedHost src 172.16.9.118 # _dcuna
  #Marge Team
  acl RestrictedHost src 172.16.9.92  # _vescolano
  #acl RestrictedHost src 172.16.9.87  # _eselda

  http_access deny RestrictedHost

Taddah! About 15 times faster.

<snip>
> # END OF ALT CLADDING, INC. ACL DEFINITION---
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

Hmm, you can drop the localnet ACL completely. You defined it already with your own name of lan.

> #
> acl TOR_PORT1 port 9001
> acl TOR_PORT2
Re: [squid-users] Block HTTPS website
Thanks. Could you send me a procedure on how to do this via the Redhat box firewall?

Regards,
Malvin

On 5/23/2011 8:04 PM, Amos Jeffries wrote:
On 23/05/11 22:15, Malvin Rito wrote:
> Thanks Amos. By the way, my squid is currently set up as a Transparent Proxy; do you think it will block HTTPS connections? How?

Yes. In a manner of speaking anyway. Intercepting HTTPS into the proxy will break low-level details of the SSL. The request will be blocked by SSL failures. Squid requires some advanced and dangerous config to make HTTPS interception work (barely).

With a transparent interception proxy your firewall is the place to be blocking HTTPS traffic.

Amos
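The firewall-side procedure Malvin asks for, as an added example that is not part of the thread and not Squid or Red Hat project code. It follows Amos's and Matus's point: in a transparent setup only port 80 is redirected into Squid, so HTTPS to a restricted site has to be refused by iptables on the gateway itself, and it can only be refused by destination address, since no hostname is visible to the firewall. Everything concrete here is an assumption: the LAN interface eth1, Squid intercepting on port 3128, the file format of the block list, and the RFC 5737 documentation addresses in the sample list.

```shell
#!/bin/sh
# Added example (not from the thread): the firewall side of blocking HTTPS
# on a transparent Squid gateway. Assumed values: the LAN faces eth1, Squid
# intercepts port 80 on 3128, and the HTTPS destinations to refuse are
# listed as IPv4 addresses in a file, one per line, with '#' comments.
LAN_IF=${LAN_IF:-eth1}
SQUID_PORT=${SQUID_PORT:-3128}

# Strip comments and blank lines; keep the first field of each line.
blocked_ips() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}

# Print the iptables commands instead of running them, so the rule set can
# be reviewed first; pipe the output into sh (as root) to apply it.
# -I puts each REJECT at the head of FORWARD, ahead of any general ACCEPT,
# and tcp-reset gives the browser a fast failure instead of a hang.
https_block_rules() {
  # Port 80 is intercepted into Squid, where dstdomain ACLs can act on it.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
    "$LAN_IF" "$SQUID_PORT"
  # Port 443 never reaches Squid, so it is refused here, per destination.
  blocked_ips "$1" | while read -r ip; do
    printf 'iptables -I FORWARD -i %s -p tcp -d %s --dport 443 -j REJECT --reject-with tcp-reset\n' \
      "$LAN_IF" "$ip"
  done
}

# Constructed sample block list (documentation addresses, not real sites).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# HTTPS destinations to refuse from the LAN
203.0.113.10    # restricted site, address 1
203.0.113.11    # restricted site, address 2

198.51.100.7
EOF

https_block_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Two caveats a practitioner should keep in mind: the REJECT is by address, so a site hosted on a shared CDN address takes every other site on that address down with it, and the list has to be refreshed when the site's addresses change; and the user sees a connection error rather than the deny_info page Squid would serve for port 80, because the blocked connection never reaches Squid.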
[squid-users] Block HTTPS website
Hi List,

I want to block some websites (e.g. https://www.facebook.com) but unfortunately I cannot do it using acl dstdomain. Can anyone help me, please?

Thanks in advance.
Malvin
Re: [squid-users] Block HTTPS website
Hi Jason, I tried it but it only blocks sites using http, not https, in the URL.

Regards,
Malvin

On 5/20/2011 4:48 PM, Jason Doran wrote:
Hi Malvin. We are blocking facebook here with dstdom_regex:

  acl my-desktop src 10.10.10.10/32
  acl facebook dstdom_regex -i facebook.com
  http_access deny my-desktop facebook
  # Give user a custom page
  deny_info local_ERR_FACEBOOK_DENIED facebook
  # On RHEL6 - squid-3.1.4-1.el6.x86_64
  # /usr/share/squid/errors/templates/local_ERR_FACEBOOK_DENIED

Regards,
Jason

On 20 May 2011, at 09:23, Malvin Rito wrote:
> Hi List, I want to block some websites (e.g. https://www.facebook.com) but unfortunately I cannot do it using acl dstdomain. Can anyone help me, please? Thanks in advance. Malvin
Re: [squid-users] Block HTTPS website
src 192.168.0.0/16 # RFC1918 possible internal network
#
acl TOR_PORT1 port 9001
acl TOR_PORT2 port 9030
acl TOR_PORT3 port 9051
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# TAG: http_access
#   Allowing or Denying access based on defined access lists
#
#   Access to the HTTP port:
#   http_access allow|deny [!]aclname ...
#
#   NOTE on default values:
#
#   If there are no "access" lines present, the default is to deny
#   the request.
#
#   If none of the "access" lines cause a match, the default is the
#   opposite of the last line in the list. If the last line was
#   deny, the default is allow. Conversely, if the last line
#   is allow, the default will be deny. For these reasons, it is a
#   good idea to have a "deny all" or "allow all" entry at the end
#   of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny TOR_PORT1
http_access deny TOR_PORT2
http_access deny TOR_PORT3
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

# And finally deny all other access to this proxy
# -
# DEFINED FOR ALT CLADDING
http_access allow localhost
http_access allow lan
# -
http_access deny all

On 5/20/2011 5:21 PM, Amos Jeffries wrote:
On 20/05/11 21:07, Malvin Rito wrote:
> Hi Jason, I tried it but it only blocks sites using http, not https, in the URL.

You keep failing to say what your config actually is. Only that the one way we know *does* work is not working for you. So we cannot really help. Details please.

> Regards,
> Malvin
>
> On 5/20/2011 4:48 PM, Jason Doran wrote:
>> Hi Malvin. We are blocking facebook here with dstdom_regex:
>>
>> acl my-desktop src 10.10.10.10/32
>> acl facebook dstdom_regex -i facebook.com

lol. Visit this URL:
http://ffacefaceafacebookfacecfacegebookwfacebookacomacomwwoof.example.com/
Go ahead, try it. A working facebook block will display a page explaining that example.com is reserved by IANA.

Hint: use dstdomain to match domain names. dstdom_regex is only very useful when fighting random patterned or multi-TLD domains.

Amos
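Why Amos's lookalike URL slips past the dstdom_regex rule, and why the leading dot in a dstdomain value matters, as an added example that is not part of the thread. The two matching functions below are this example's own small reimplementation of how Squid's dstdomain and dstdom_regex ACL types decide a match, not Squid code; the hostnames are the real site, Amos's example.com lookalike, and a constructed name that merely ends in the string "facebook.com".

```shell
#!/bin/sh
# Added example (not from the thread): a stand-alone model of Squid's
# dstdomain and dstdom_regex matching, run against a few hostnames.

# dstdomain: a value with a leading dot matches that domain and every
# subdomain; a value without it matches only that exact hostname.
# Comparison is case-insensitive, as in Squid.
dstdomain_match() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    .*)
      [ "$host" = "${pat#.}" ] && return 0   # the domain itself
      case $host in
        *"$pat") return 0 ;;                  # any subdomain (suffix incl. dot)
      esac
      return 1 ;;
    *)
      [ "$host" = "$pat" ] ;;                 # exact host only
  esac
}

# dstdom_regex -i: an unanchored, case-insensitive extended regex applied to
# the hostname, so "facebook.com" means "facebook, any one character, com"
# anywhere in the name.
dstdom_regex_match() {
  printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# What an "http_access deny <acl>" line would do with the match result.
verdict() {
  if "$@"; then echo deny; else echo allow; fi
}

# Test hosts: the real site, Amos's example.com lookalike (it contains
# "facebookacom", which the unescaped dot matches), and a constructed name
# that ends in "facebook.com" without being under it.
REAL=www.facebook.com
LOOKALIKE=ffacefaceafacebookfacecfacegebookwfacebookacomacomwwoof.example.com
SUFFIX=notfacebook.com
ANCHORED='(^|\.)facebook\.com$'   # the regex Jason's rule would need

report() {
  printf '%-34s %-12s %s\n' 'ACL' 'host' 'verdict'
  for h in "$REAL" "$LOOKALIKE" "$SUFFIX"; do
    printf '%-34s %-12.12s %s\n' 'dstdomain .facebook.com' "$h" \
      "$(verdict dstdomain_match .facebook.com "$h")"
    printf '%-34s %-12.12s %s\n' 'dstdom_regex -i facebook.com' "$h" \
      "$(verdict dstdom_regex_match facebook.com "$h")"
    printf '%-34s %-12.12s %s\n' "dstdom_regex -i $ANCHORED" "$h" \
      "$(verdict dstdom_regex_match "$ANCHORED" "$h")"
  done
}

report
```

The table the script prints shows the three outcomes side by side: dstdomain .facebook.com denies only facebook.com and its subdomains; the unanchored regex denies the real site but also the example.com lookalike and notfacebook.com; the anchored regex behaves like dstdomain but, as Amos notes, is slower and only worth it for patterned or multi-TLD names. Remember that, in transparent mode, none of these rules see port 443 at all.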
[squid-users] Traffic Management Addon for Squid
Hi List,

Is there any add-on or utility for squid to manage, monitor and prioritize traffic? If there is, please advise.

Many Thanks.
Malvin
[squid-users] RE: Trunk grouping
Hi List,

We're upgrading our network switches and need to create multiple VLAN groups, but since our Squid Proxy (Transparent Proxy) server should be accessible to all VLAN groups, we need to set up trunk grouping inside our Squid Proxy box. I have a VLAN-capable switch to manage and create the VLANs. Since the Squid box is the one providing the internet connection to all users on the different VLAN groups, Squid should be accessible from the different VLAN groups. Does anyone have documentation or code on how to implement trunk grouping? Your thoughts will be highly appreciated.

Regards,
Malvin
[squid-users] Allow downloading EXE files from specific site only
Hi List,

We have been running Squid Proxy 3.0 for 1 year now, and there have been some issues wherein some of our client PCs need to be allowed to download *.EXE files from a specific site (e.g. the autodesk.com website). Since we have already BLOCKED files, including EXE downloads, in our squid config, is there any way we can avoid blocking EXE files from a specific website or domain? I appreciate your help in advance.

Regards,
Malvin
RE: [squid-users] Blocking SSL Port does not work
Thanks. But how can I implement SSLBump to block port 443 only for specific websites, such as blocking proxy sites which use https?

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, July 06, 2010 5:24 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Blocking SSL Port does not work

On 05.07.10 18:24, Malvin Rito wrote:
> I'm trying to block SSL port 443 on my squid server but have had no luck after several tries. My squid Server is running in Transparent Mode.

You must block port 443 on your firewall, not on squid. If you intend to block port 443, it's useless to redirect it to squid.

If you want to intercept port 443, you should know that it's called a man-in-the-middle attack, since the traffic is encrypted between browser and server. While the newest squid supports this by using the SSLBump feature, browsers can detect that you did this because squid's certificate won't match the server name.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(Slovak original repeats the warning: I do not want to receive any advertising mail at this address.)
Chernobyl was a Windows 95 beta test site.
[squid-users] Blocking SSL Port does not work
Hi,

I'm trying to block SSL port 443 on my squid server but have had no luck after several tries. My squid Server is running in Transparent Mode.

Thanks,
Malvin