Re: [squid-users] allow certain user ips to access only 2 domains and disallow everything
Hey Simon,

I have seen these websites and it seems that some of the content used in them comes from CDNs or other domains. It is very important to include specific domains, like the one in the URL https://code.jquery.com/jquery-3.3.1.min.js, for these sites to work properly.

You can try to run a more complex config which can or might take into account the Referrer header in the request. It will probably only work if SSL bump is configured in your setup, and it is not the most secure way to allow sites. I am only offering this as it can be limited to specific domains such as CDNs or specific hosted services.

All The Bests,
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

From: squid-users On Behalf Of simon ben
Sent: Friday, October 16, 2020 12:21 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] allow certain user ips to access only 2 domains and disallow everything

I have squid running perfectly fine on CentOS 7 64 bit with no issues. I want to allow certain user IPs to access a few sites and block everything else, so below is the config.

The sites are:
1) paloaltonetworks.com
2) redcloak.secureworks.com

In squid.conf:
---
acl userlist src "/etc/squid/userlist"
acl sitelist dstdomain "/etc/squid/sitelist"
http_access allow userlist sitelist
---

The user list file has the IPs:
---
192.168.62.128
192.168.62.1
192.168.62.129
192.168.61.1
192.168.62.130
192.168.62.3
192.168.61.128
172.16.120.160
--

The site list file has the sites:
.paloaltonetworks.com
.secureworks.com
https://ch-baladia.traps.paloaltonetworks.com
baladia.xdr.eu.paloaltonetworks.com
identity.paloaltonetworks.com
login.paloaltonetworks.com
assets.adobedtm.com
www.paloaltonetworks.com
redcloak.secureworks.com

I see that the first page and some links are working but some do not.
Also there is a huge number of deny logs in the squid access logs. I would appreciate it if you can advise me on how I can have the above access list so as to have minimum denies when being accessed from the above IPs.

Thanks and Regards
simon
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] allow certain user ips to access only 2 domains and disallow everything
Dear Amos,

Thanks for the quick reply. Will check and let you know.

Regards
simon

On Saturday, October 17, 2020, 06:06:13 AM GMT+3, Amos Jeffries wrote:

On 16/10/20 10:21 pm, simon ben wrote:
> I have squid running perfectly fine on centos 7 64 bit with no issues
> I want to allow certain user ips to access a few sites and block
> everything else so below is the config
> the sites are
> 1) paloaltonetworks.com
> 2) redcloak.secureworks.com
>

Notice the sitelist file contains the entire range of *.secureworks.com domains and some others.

> in squid.conf
> ---
> acl userlist src "/etc/squid/userlist"
> acl sitelist dstdomain "/etc/squid/sitelist"

# allow certain user ips to access a few sites
> http_access allow userlist sitelist
>
# ... and block everything else
?? nothing specified for that part of your policy.

So, you need to follow up with either:
  http_access deny all
or,
  http_access deny userips

> ---
>
> user list file has the ips
> ---
> 192.168.62.128
> 192.168.62.1
> 192.168.62.129
> 192.168.61.1
> 192.168.62.130
> 192.168.62.3
> 192.168.61.128
> 172.16.120.160
> --
>

Er, these are not "users", these are IP addresses. Aka clients. The difference is important because one machine/IP can be used by multiple users. There is no difference to the proxy whether the IP is switched between users or shared by multiple simultaneously.

Also, sorting the file can ease management. There are some entries which could be represented by an IP-range for more efficient matching instead of listed individually.

> site list file has the sites
>
> .paloaltonetworks.com
> .secureworks.com
> https://ch-baladia.traps.paloaltonetworks.com
> baladia.xdr.eu.paloaltonetworks.com
> identity.paloaltonetworks.com
> login.paloaltonetworks.com
> assets.adobedtm.com
> www.paloaltonetworks.com
> redcloak.secureworks.com
>
>
>
> I see that the first page and some links are working but some do not .

Only the first two lines of that file are "sites". The third is a URL. This will never match with dstdomain. The rest are individual domains. They will only match the one domain within their site.

Also, most of your entries are sub-domains of the sites listed on the first lines. The contents of this file reduce to:
  .paloaltonetworks.com
  .secureworks.com
  assets.adobedtm.com

However, your stated policy says that it should only contain:
  .paloaltonetworks.com
  .redcloak.secureworks.com

Amos
Re: [squid-users] allow certain user ips to access only 2 domains and disallow everything
On 16/10/20 10:21 pm, simon ben wrote:
> I have squid running perfectly fine on centos 7 64 bit with no issues
> I want to allow certain user ips to access a few sites and block
> everything else so below is the config
> the sites are
> 1) paloaltonetworks.com
> 2) redcloak.secureworks.com
>

Notice the sitelist file contains the entire range of *.secureworks.com domains and some others.

> in squid.conf
> ---
> acl userlist src "/etc/squid/userlist"
> acl sitelist dstdomain "/etc/squid/sitelist"

# allow certain user ips to access a few sites
> http_access allow userlist sitelist
>
# ... and block everything else
?? nothing specified for that part of your policy.

So, you need to follow up with either:
  http_access deny all
or,
  http_access deny userips

> ---
>
> user list file has the ips
> ---
> 192.168.62.128
> 192.168.62.1
> 192.168.62.129
> 192.168.61.1
> 192.168.62.130
> 192.168.62.3
> 192.168.61.128
> 172.16.120.160
> --
>

Er, these are not "users", these are IP addresses. Aka clients. The difference is important because one machine/IP can be used by multiple users. There is no difference to the proxy whether the IP is switched between users or shared by multiple simultaneously.

Also, sorting the file can ease management. There are some entries which could be represented by an IP-range for more efficient matching instead of listed individually.

> site list file has the sites
>
> .paloaltonetworks.com
> .secureworks.com
> https://ch-baladia.traps.paloaltonetworks.com
> baladia.xdr.eu.paloaltonetworks.com
> identity.paloaltonetworks.com
> login.paloaltonetworks.com
> assets.adobedtm.com
> www.paloaltonetworks.com
> redcloak.secureworks.com
>
>
>
> I see that the first page and some links are working but some do not .

Only the first two lines of that file are "sites". The third is a URL. This will never match with dstdomain. The rest are individual domains. They will only match the one domain within their site.

Also, most of your entries are sub-domains of the sites listed on the first lines. The contents of this file reduce to:
  .paloaltonetworks.com
  .secureworks.com
  assets.adobedtm.com

However, your stated policy says that it should only contain:
  .paloaltonetworks.com
  .redcloak.secureworks.com

Amos
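As an added example (not code from the thread or from Squid itself), a small Python model of dstdomain and src matching that reproduces the points in Amos's reply: the URL line that never matches, the sub-domain lines a dotted entry already covers, the explicit deny after the allow rule, and the IP-range form of the client list; it also shows why a CDN host such as Eliezer's code.jquery.com ends up in the deny log. The matching rules, the addr1-addr2 range syntax and the file copies are this example's assumptions, not values taken from squid's own code.

```python
import ipaddress

# Constructed copies of the two files posted in the thread.
SITELIST = [".paloaltonetworks.com", ".secureworks.com",
            "https://ch-baladia.traps.paloaltonetworks.com",
            "baladia.xdr.eu.paloaltonetworks.com", "identity.paloaltonetworks.com",
            "login.paloaltonetworks.com", "assets.adobedtm.com",
            "www.paloaltonetworks.com", "redcloak.secureworks.com"]
# Same clients as the posted userlist, with the .128-.130 block written as one
# addr1-addr2 range (assumed src ACL syntax, per Amos's IP-range remark).
USERLIST = ["192.168.62.128-192.168.62.130", "192.168.62.1", "192.168.62.3",
            "192.168.61.1", "192.168.61.128", "172.16.120.160"]

def dstdomain_match(entry, host):
    """Model of squid's dstdomain: a leading dot matches the domain and every
    sub-domain, a bare name matches only that exact host, and a line carrying
    a scheme or path is a URL, not a domain, so it matches nothing."""
    entry, host = entry.lower(), host.lower()
    if "/" in entry or ":" in entry:
        return False
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def src_match(entry, client_ip):
    """Model of squid's src ACL: single address, CIDR, or addr1-addr2 range."""
    ip = ipaddress.ip_address(client_ip)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(entry, strict=False)

def effective_sitelist(sitelist):
    """Drops URL lines (never match) and bare hosts already covered by a
    dotted site-wide entry; what remains is what the file reduces to."""
    dotted = [e for e in sitelist if e.startswith(".")]
    def dead_or_covered(e):
        return "/" in e or ":" in e or (
            not e.startswith(".") and any(dstdomain_match(d, e) for d in dotted))
    return [e for e in sitelist if not dead_or_covered(e)]

def http_access(client_ip, host, userlist=USERLIST, sitelist=SITELIST):
    """'http_access allow userlist sitelist' followed by the explicit
    'http_access deny all' the thread says was missing."""
    if any(src_match(u, client_ip) for u in userlist) and \
            any(dstdomain_match(s, host) for s in sitelist):
        return "allow"
    return "deny"
```

Every host outside the two sites, including the CDN the pages pull scripts from, is denied for the listed clients, which is exactly the source of the deny lines in access.log.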
[squid-users] allow certain user ips to access only 2 domains and disallow everything
I have squid running perfectly fine on CentOS 7 64 bit with no issues. I want to allow certain user IPs to access a few sites and block everything else, so below is the config.

The sites are:
1) paloaltonetworks.com
2) redcloak.secureworks.com

In squid.conf:
---
acl userlist src "/etc/squid/userlist"
acl sitelist dstdomain "/etc/squid/sitelist"
http_access allow userlist sitelist
---

The user list file has the IPs:
---
192.168.62.128
192.168.62.1
192.168.62.129
192.168.61.1
192.168.62.130
192.168.62.3
192.168.61.128
172.16.120.160
--

The site list file has the sites:
.paloaltonetworks.com
.secureworks.com
https://ch-baladia.traps.paloaltonetworks.com
baladia.xdr.eu.paloaltonetworks.com
identity.paloaltonetworks.com
login.paloaltonetworks.com
assets.adobedtm.com
www.paloaltonetworks.com
redcloak.secureworks.com

I see that the first page and some links are working but some do not.
Also there is a huge number of deny logs in the squid access logs. I would appreciate it if you can advise me on how I can have the above access list so as to have minimum denies when being accessed from the above IPs.

Thanks and Regards
simon