[squid-users] URL filtering by group of IP Address
Hi folks,

I am using Squid version 2.5.STABLE4-20040212 on Red Hat Linux 9. My current ACL rules are at the end of this mail (with line numbers).

What am I trying to do? I am trying to block access to some sites (i.e. porn, jobs etc.) by IP address group. For URL filtering I am using a regular-expression-matching ACL, e.g.

acl porn url_regex -i "/usr/local/squidGuard/porn" [Line no. 9]

Here the /usr/local/squidGuard/porn file contains single-line keywords. At line no. 34 http_access is being denied for any URLs listed in the porn file (e.g. jobs, sex etc.):

http_access allow porn

Now, here is an ACL for my entire network [LAN]:

acl NetUser src 192.168.0.0/16 [Line no. 41]

#Allowing Web browsing from my local LAN IP's only
http_access allow NetUser [Line no. 57]

As per the above ACLs all my LAN users can browse the Internet via Squid and get blocked when they try to access restricted sites (sites listed in the porn file). Everything is working fine and as per my requirement.

But now I want to form groups of users (by IP address) by their access rights, i.e. power users have no restriction at all (URLs should be blocked by the porn ACL?), normal users have full restriction (which can be time-bound also). I have tried to give some users unrestricted privilege for web browsing (URLs shouldn't be blocked by the porn ACL):

53 #UN-RESTRICTED INTERNET USERS
54 #acl PWR-NET src 192.168.0.197 192.168.0.54
55 #http_access allow PWR-NET porn

Therefore, please suggest how to create ACLs for this type of requirement, i.e. some users can access all sites without restriction, others can't access restricted sites. In other words, how could I restrict some range of IPs from the LAN from being able to access the web, e.g. IP addresses from 192.168.0.1 to 192.168.0.100 can access the web and the rest can't. After range blocking, URL blocking, authentication and other ACLs should come into the picture after that.

Thanks for your help.

Regards,
navneet

Note: if I missed something or you want any more information please revert back asap.
1 auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/password
2
3 auth_param basic realm Squid proxy-caching web server
4 auth_param basic credentialsttl 2 hours
5
6
7
8 #Recommended minimum configuration:
9 acl porn url_regex -i "/usr/local/squidGuard/porn"
10 acl all src 0.0.0.0/0.0.0.0
11 acl manager proto cache_object
12 acl localhost src 127.0.0.1/255.255.255.255
13 acl to_localhost dst 127.0.0.0/8
14 acl SSL_ports port 443 563
15 acl Safe_ports port 80          # http
16 acl Safe_ports port 21          # ftp
17 acl Safe_ports port 443 563     # https, snews
18 acl Safe_ports port 70          # gopher
19 acl Safe_ports port 210         # wais
20 acl Safe_ports port 1025-65535  # unregistered ports
21 acl Safe_ports port 280         # http-mgmt
22 acl Safe_ports port 488         # gss-http
23 acl Safe_ports port 591         # filemaker
24 acl Safe_ports port 777         # multiling http
25 acl CONNECT method CONNECT
26
27 #AUTHENTICATION REQUIRED
28 acl auth proxy_auth REQUIRED
29
30
31 # Only allow cachemgr access from localhost
32 http_access allow manager localhost
33 http_access deny manager
34 http_access deny porn
35 # Deny requests to unknown ports
36 http_access deny !Safe_ports
37 # Deny CONNECT to other than SSL ports
38 http_access deny CONNECT !SSL_ports
39
40
41 acl NetUser src 192.168.0.0/16
42 #acl sucker src 192.168.0.139 192.168.0.161 192.168.0.153
43 acl test src 192.168.0.151 192.168.0.139 192.168.0.161 192.168.0.153
44 acl data src 192.168.0.242
45
46 #denying access by IP Address:
47 http_access deny test
48
49 #Authenticating user by IP Address
50 http_access allow data auth
51
52
53 #UN-RESTRICTED INTERNET USERS
54 #acl PWR-NET src 192.168.0.197 192.168.0.54
55 #http_access allow PWR-NET porn
56
57 http_access allow NetUser
58
59 # And finally deny all other access to this proxy
60 http_access deny all
61
62 http_reply_access allow all
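The thread never spells out why the commented-out PWR-NET lines (53-55) cannot work: Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides the request, so a "deny porn" at line 34 fires before any allow line further down can rescue a power user. The script below is an added example, not part of the original post and not Squid's own code: a small Python model of that documented first-match behaviour (including the "opposite of the last line" default when nothing matches), run over two constructed squid.conf fragments. The first mirrors the posted ordering with the keyword file inlined as patterns; the second places the unrestricted-hosts allow before the keyword deny and uses the squid.conf addr1-addr2/netmask src form to limit browsing to 192.168.0.1-100. Hostnames, the PWR-NET/WebUsers group members and the "sex"/"jobs" keywords are illustrative assumptions; only the src, url_regex and method ACL types are modelled, and the range form is modelled for a /32 mask only.

```python
"""Toy evaluator for Squid http_access ordering (added example, not Squid code).

Squid reads http_access lines top to bottom; the first line whose ACLs all
match decides the request.  If no line matches the answer is the opposite of
the last line, and "allow" when there are no lines at all.  Only src,
url_regex and method ACLs are modelled; any other type raises so a typo
cannot silently turn into a non-match.
"""
import ipaddress
import re


class HttpAccessPolicy:
    def __init__(self, conf):
        self.acls = {}    # name -> (type, parsed values); same-name lines merge
        self.rules = []   # [(action, [(negated, acl_name), ...]), ...]
        for raw in conf.splitlines():
            words = raw.split("#", 1)[0].split()   # drop comments and blanks
            if not words:
                continue
            if words[0] == "acl":
                self._add_acl(words[1], words[2], words[3:])
            elif words[0] == "http_access":
                if words[1] not in ("allow", "deny"):
                    raise ValueError(f"bad http_access action: {words[1]}")
                terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
                self.rules.append((words[1], terms))
            # auth_param, http_port etc. play no part in this example

    def _add_acl(self, name, kind, values):
        seen_kind, parsed = self.acls.setdefault(name, (kind, []))
        if seen_kind != kind:
            raise ValueError(f"acl {name}: type {seen_kind} redefined as {kind}")
        if kind == "src":
            parsed.extend(self._src_range(v) for v in values)
        elif kind == "url_regex":
            flags = 0
            if values and values[0] == "-i":
                flags, values = re.IGNORECASE, values[1:]
            parsed.extend(re.compile(v, flags) for v in values)
        elif kind == "method":
            parsed.extend(v.upper() for v in values)
        else:
            raise ValueError(f"acl type {kind!r} is not modelled here")

    @staticmethod
    def _src_range(value):
        """Map one src value to an inclusive (low, high) pair of address ints."""
        if "-" in value:   # squid.conf addr1-addr2[/netmask]; only /32 is modelled
            lo, hi = value.split("/", 1)[0].split("-")
            return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
        net = ipaddress.ip_network(value, strict=False)   # host, /n or /dotted mask
        return int(net.network_address), int(net.broadcast_address)

    def _acl_matches(self, name, src, url, method):
        kind, values = self.acls[name]   # KeyError = undefined ACL; Squid refuses those too
        if kind == "src":
            addr = int(ipaddress.ip_address(src))
            return any(lo <= addr <= hi for lo, hi in values)
        if kind == "url_regex":
            return any(rx.search(url) for rx in values)
        return method.upper() in values

    def check(self, src, url, method="GET"):
        """Return 'allow' or 'deny' the way Squid's http_access evaluation would."""
        for action, terms in self.rules:
            # every ACL on the line must match; a "!" ACL must not match
            if all(self._acl_matches(n, src, url, method) != neg for neg, n in terms):
                return action
        if not self.rules:
            return "allow"
        return "deny" if self.rules[-1][0] == "allow" else "allow"


# Constructed from the quoted squid.conf, keyword file inlined as patterns.
# "deny porn" precedes every allow, so the re-enabled PWR-NET line can never
# reach a keyword URL: the deny has already matched.
POSTED_ORDER = """
acl porn url_regex -i sex jobs
acl all src 0.0.0.0/0.0.0.0
acl NetUser src 192.168.0.0/16
acl PWR-NET src 192.168.0.197 192.168.0.54
http_access deny porn
http_access allow PWR-NET porn
http_access allow NetUser
http_access deny all
"""

# Reordered: unrestricted hosts are allowed before the keyword deny, only
# 192.168.0.1-100 may otherwise browse, and everything else is denied.
FIXED_ORDER = """
acl porn url_regex -i sex jobs
acl all src 0.0.0.0/0.0.0.0
acl PWR-NET src 192.168.0.197 192.168.0.54
acl WebUsers src 192.168.0.1-192.168.0.100/32
http_access allow PWR-NET
http_access deny porn
http_access allow WebUsers
http_access deny all
"""

if __name__ == "__main__":
    probes = [("192.168.0.197", "http://www.sex.example/"),   # power user, keyword URL
              ("192.168.0.50", "http://www.sex.example/"),    # normal user, keyword URL
              ("192.168.0.50", "http://www.example.com/"),    # normal user, clean URL
              ("192.168.0.150", "http://www.example.com/")]   # outside the 1-100 range
    for label, conf in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        policy = HttpAccessPolicy(conf)
        for src, url in probes:
            print(f"{label:6} {src:15} {url:26} -> {policy.check(src, url)}")
```

In the real file the "http_access allow PWR-NET" line belongs after the manager, !Safe_ports and CONNECT !SSL_ports denies (lines 32-38) and before "deny porn", which means moving line 34 below line 38; otherwise the unrestricted hosts also skip the port sanity checks. Two caveats a practitioner would add: src-based groups are only as trustworthy as the LAN's address assignment (a user who can pick a power user's IP inherits its privileges, which is why proxy_auth is the sturdier control), and a keyword url_regex such as "sex" matches anywhere in the URL, so test the list against legitimate sites before deploying it.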
Re: [squid-users] What does I get a ntlmauthenticator helpers are crashing too rapidly mean?
No output? Please copy and paste the error output for debugging.

On 5/31/05, Gary Hostetler <[EMAIL PROTECTED]> wrote:
> Anyone know what this error message means when I try to squid -NCd1?
>
> Thanks
> gary
Re: [squid-users] Urgent: help on TCP_DENIED/400
On 4/15/05, tony vong <[EMAIL PROTECTED]> wrote:
> Yes. I try to set up a transparent proxy. I did not
> configure any proxy on my web browser client, if
> that's what you are asking. What do I have to do to
> get this to work?

Read http://tldp.org/HOWTO/TransparentProxy.html

For the impatient:

Now, we need to edit the default squid.conf file (installed to /usr/local/squid/etc/squid.conf, unless you changed the defaults). The squid.conf file is heavily commented. In fact, some of the best documentation available for squid is in the squid.conf file. After you get it all up and running, you should go back and reread the whole thing. But for now, let's just get the minimum required. Find the following directives, uncomment them, and change them to the appropriate values:

  * httpd_accel_host virtual
  * httpd_accel_port 80
  * httpd_accel_with_proxy on
  * httpd_accel_uses_host_header on

To set up the rules, you will need to know two things, the interface that the to-be-proxied requests are coming in on (I'll use eth0 as an example) and the port squid is running on (I'll use the default of 3128 as an example).

Now, the magic words for transparent proxying:

  * iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Enable IP forwarding:

# echo '1' > /proc/sys/net/ipv4/ip_forward

Add the above line in rc.local.

NOTE: Applicable only to a successfully running squid installation.

NOTICE: Above text copied from tldp.org

Rgds,
navneet

> --- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> > On Thu, 14 Apr 2005, tony vong wrote:
> >
> > > my machine squid box internet
> > >
> > > I install SQUID on a linux box. I cannot seem to be
> > > able to get through the squid box. It seems it
> > > replaces all the URL's with '/' !!! How do I fix this?
> >
> > Are you attempting to set up a transparently intercepting proxy, hijacking
> > the browsers attempts to talk to port 80 on the Internet?
> >
> > If so see the Squid FAQ for required configuration details.
> >
> > Regards
> > Henrik
Re: [squid-users] urgent help needed
> hi list

Hello,

> Feb 27 04:41:35 mcache (squid): logfileWrite: /var/log/squid/access.log:
> (42) No message of desired type
> Feb 27 04:41:40 mcache (squid): logfileWrite: /var/log/squid/access.log:
> (28) No space left on device

Run squid in debugging mode:

# /usr/local/squid/bin/squid -NCd1

What's the output?

Do you have quota implemented on your squid box? Check the cache size by

# du -sh /path/of/squid/cache

or just run

# df -h

If the squid daemon still dies: try to reduce cache_dir; it seems Squid is not purging any files on startup. Then run

# squid -z

after the reduced cache_dir?

NOTE: Won't this erase *ALL* of my cache contents? No comments.

> Feb 27 04:41:55 mcache last message repeated 4 times
> Feb 27 04:41:55 mcache squid[617]: Exiting due to repeated, frequent
> failures
> Feb 27 09:33:39 mcache (squid): logfileWrite: /var/log/squid/access.log:
> (42) No message of desired type
> Feb 27 09:33:44 mcache (squid): logfileWrite: /var/log/squid/access.log:
> (28) No space left on device
> Feb 27 09:33:57 mcache last message repeated 4 times
> Feb 27 09:33:57 mcache squid[3691]: Exiting due to repeated, frequent
> failures
>
> urgent help will be greatly appreciated
>
> regards
Re: [squid-users] squid + gmail ???
Check whether you have opened the HTTPS [443] port or not. Try browsing any secure site (one that requires secure communication, https), e.g. any banking or e-commerce site. I don't think gmail.com and google.com are both being blocked by any ACL [unless you are blocking anything and everything starting with the letter g, using a regular expression (regex)]. The gmail.com problem may be arising due to the browser not being supported by gmail! Please use IE6, Netscape 4+, Firefox 1.0 etc. But the most important thing:

>> More info = better chance someone can help you :)

On Wed, 23 Feb 2005 10:39:29 +1100, James Gray <[EMAIL PROTECTED]> wrote:
> On Wed, 23 Feb 2005 08:55 am, UnIData wrote:
> > I configured squid and all ok, but can't access to gmail.com and
> > google.com from clients, what is the problem and the solution please
>
> Is there a reason you posted this question 3 times in 5 minutes?
>
> What error (exactly)? Is it being generated by squid or your browser? What
> browser? Have you checked squid's access.log to see if the client is
> actually using the squid server? What ACL's have you defined - is there a
> "deny" rule that's not behaving as you expected?
>
> More info = better chance someone can help you :)
>
> Cheers,
>
> James
[squid-users] Linux as router (Gateway Server)
hi list,

I require help from your side. The Squid server is serving as proxy server, gateway & firewall.

Problem: the Squid daemon dies at startup. Here is the log output of /var/log/messages:

Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722 exited due to signal 6
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 exited with status 1
Feb 12 09:15:33 squid (squid): Cannot open HTTP Port

Why is my iptables rule blocking squid from opening the HTTP port? Note: the existing rules are attached at the end of the mail. The process will not die if I disable/flush my rules. Squid is being started from /etc/rc.local. Where am I making mistakes? Please suggest, since it's causing a startup hiccup.

Thanks & regards,
Navneet Choudhary

Updates & quick recap

1. Basically I want clients to be able to:
   a) Send and receive mails from mail.ISP.net [X.X.X.X] and sometimes from X.X.X.X. Status: Working
   b) Browse the net through squid [3128]. Status: Working
   c) Use Jabber [??], MSN [1863] and Yahoo [5050]. Status: Working
   d) Download and upload data using ftp from X.X.X.K & X.X.X.Z. Status: Working
   e) Download and upload data using SONICMQ [IP & Port?]. Status: Require HELP
   f) Allow SSH connection to this system [eth0]. Status: Working
   g) We can ping/trace route by domain name, i.e. ping yahoo.com. Status: Working

2. What am I using? My network configuration is as follows:

                      WAN
                       |
             eth1 (172.21.0.133/28)
                       |
   Red Hat 9 [Squid Proxy, Gateway, firewall & FTP]
                       |
             eth0 (192.168.0.0/16)
                       |
                     SWITCH
                       |
                      LAN

   where:
   eth0 - Intel Corp. 82557/8/9 [Ethernet Pro 100]
   eth1 - Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
   Kernel 2.4.20-8
   iptables v1.2.7a

3. What I have done:

   a) Enabled IP forwarding by adding to /etc/sysctl.conf:

   # Controls IP packet forwarding
   net.ipv4.ip_forward = 1

   b) Automatic loading of modules by adding to /etc/rc.local:

   /sbin/insmod ip_nat_ftp
   /sbin/insmod ip_conntrack_ftp

   c) Firewall rules as follows:

# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*mangle
:PREROUTING ACCEPT [1308:428675]
:INPUT ACCEPT [1308:428675]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1273:553710]
:POSTROUTING ACCEPT [1273:553710]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*nat
:PREROUTING ACCEPT [10233:846887]
:POSTROUTING ACCEPT [71:4821]
:OUTPUT ACCEPT [67:4688]
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tc