  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 784

squid

I have Squid running on a Fedora box. I want to make an entry in the squid.conf to allow everything and then have a block list - so kind of the opposite of what I currently have - for example, one of my entries looks like this.

# walkup kiosk
acl blockedsites src 172.16.26.100
acl oksites dstdomain "/etc/squid/allowedsites.acl"
http_access allow blockedsites oksites

I'm just not sure what the syntax would be. Any ideas?
0
JeffBeall
3 Solutions
 
robocat Commented:

http_access deny blockedsites
http_access allow all

(the order of these is important, first block specific things, then allow the rest)

0
 
arnold Commented:
Could you clarify what you are doing?
Is this a reverse proxy configuration?
I.e. you have the squid proxy listening on port 80 as though it is a web server and then passes the requests to the real web server? And what you want to do is control based on the source of the request what sites they can and can not access?

If you allow first, the deny is never seen/checked within squid.
The rule flow is top down,
check match (allow/deny) fallthrough if no match, enforce the action
check match (allow/deny) fallthrough
acl oksites url_regex -i "/etc/squid/allowedsites" #where the allowedsites are a domain per line
allowdomain1.com
allowdomain2.com


the format of the rule would be
http_access allow oksites source_of_request
http_access deny oksites
0
 
JeffBeall (Author) Commented:
This sounds like what I want, but in the following

http_access deny blockedsites
http_access allow all

After deny - would I have to tell Squid where blockedsites is? I mean, isn't blockedsites a list? Do I need to begin these lines with acl?
Also, how could I use the above command on a block of IPs?
0
 
arnold Commented:
The problem is that you have defined blockedsites as a network IP.
acl blockedsites src 172.116.26.100
you can deny it access while allowing all else
http_access deny blockedsites
http_access allow  all


Double check what it is you want to block and to where.

0
 
JeffBeall (Author) Commented:
"The problem is that you have defined blockedsites as a network IP."

I am new to Squid - and the vast majority of my entries in squid.conf are the result of Google. So if that entry isn't correct, I have no problem removing it.
Mostly I want to allow access to everything but a list of blocked sites - I would like a list so that as needed I could just add to the list and restart the squid service.
0
 
robocat Commented:

Suppose you want to block access to facebook and youtube:

acl blockedsites dstdomain .facebook.com .youtube.com

or

acl blockedsites dstdomain "/etc/squid/blockedsites.txt"

and put the forbidden sites in that text file.

0
 
JeffBeall (Author) Commented:
So it would be

acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
http_access allow all

?
0
 
robocat Commented:

acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
http_access deny blockedsites
http_access allow all
0
 
mccracky Commented:
Just remember that you would need to have squid reread the configuration if you wanted to add sites to the "/etc/squid/blockedsites.txt" file (squid -k reconfigure). It wouldn't be automatically reread.
0
 
JeffBeall (Author) Commented:
Thank you! This worked perfectly.
0
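
The rule ordering discussed in this thread, as an added example that is not part of any poster's reply and is not Squid's own code: a simplified Python model of first-match http_access evaluation covering only src and dstdomain ACLs. The ACL name kiosks, the 172.16.26.0/24 range and the rule-set names are constructed for illustration; the range is one way to apply the deny to a block of IPs.

```python
import ipaddress

def dstdomain_match(host, patterns):
    """'.example.com' matches the domain and all subdomains; 'example.com' only itself."""
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        if p.startswith(".") and (host == p[1:] or host.endswith(p)):
            return True
        if host == p:
            return True
    return False

def acl_match(acl, client_ip, host):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return dstdomain_match(host, values)
    raise ValueError("ACL type not modelled: " + kind)

def http_access(rules, acls, client_ip, host):
    """Each rule is (action, [acl names]); every ACL on a line must match (AND).
    The first matching line decides and later lines are never consulted.
    If no line matches, the result is the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_match(acls[n], client_ip, host) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample ACLs; the domain list stands in for blockedsites.txt.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "kiosks": ("src", ["172.16.26.0/24"]),  # hypothetical block of client IPs
    "blockedsites": ("dstdomain", [".facebook.com", ".youtube.com"]),
}
THREAD_FIX = [("deny", ["blockedsites"]), ("allow", ["all"])]    # accepted answer
REVERSED = [("allow", ["all"]), ("deny", ["blockedsites"])]      # deny is never reached
KIOSK_ONLY = [("deny", ["kiosks", "blockedsites"]), ("allow", ["all"])]

if __name__ == "__main__":
    for name, rules in [("fix", THREAD_FIX), ("reversed", REVERSED), ("kiosk", KIOSK_ONLY)]:
        print(name, http_access(rules, ACLS, "172.16.26.100", "www.facebook.com"))
```

In this model, as in Squid, a final allow all admits every client address that can reach the proxy, so that last line is often narrowed to a src ACL for the local network.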
