Re: [squid-users] Allow MSN messenger
Which all looks ok, but is there an "http_access" that allows anything other than the "CONNECT" method, such as:

http_access allow MSN_hosts
http_access allow MSN_domains
http_access allow MSN_net

Not to mention any other sites / hosts / ports (such as port 80) before the "http_access deny all", because whenever stacking ACLs there is an implied "AND" operator, so each line only works like this:

"Method is CONNECT" AND "Ports" AND "Destination is "

Otherwise DENY ALL is the likely culprit.

>>> David Touzeau 2/8/2011 1:22 PM >>>

Dear, I use squid 3.1.10 and I would like to allow MSN messenger to pass through squid.

According to wikis I did this:

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT

http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_net

But MSN still did not want to connect, with these errors:

192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT

Where am I wrong?

Best regards
RE: [squid-users] Allow MSN messenger
On Tuesday 08 February 2011 at 20:32 +0200, Bilal J.Mahdi wrote:
> Dear David,
>
> Why do you want to allow MSN messenger to pass through squid? Let MSN go direct and only pass port 80 through squid.
>
> -----Original Message-----
> From: David Touzeau [mailto:da...@touzeau.eu]
> Sent: Tuesday, February 08, 2011 8:22 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Allow MSN messenger
>
> Dear, I use squid 3.1.10 and I would like to allow MSN messenger to pass through squid.
>
> According to wikis I did this:
>
> # Permit MSN
> acl MSN_ports port 1863 443 1503
> acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0
> acl MSN_methods method CONNECT
>
> http_access allow MSN_methods MSN_ports MSN_hosts
> http_access allow MSN_methods MSN_ports MSN_domains
> http_access allow MSN_methods MSN_ports MSN_net
>
> But MSN still did not want to connect, with these errors:
>
> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>
> Where am I wrong?
>
> Best regards

Thanks for answering me; 80 is blocked by the firewall.
Re: [squid-users] Allow MSN messenger
On Tuesday 08 February 2011 at 13:35 -0500, Chad Naugle wrote:
> Which all looks ok, but is there an "http_access" that allows anything other than the "CONNECT" method, such as:
>
> http_access allow MSN_hosts
> http_access allow MSN_domains
> http_access allow MSN_net
>
> Not to mention any other sites / hosts / ports (such as port 80) before the "http_access deny all", because whenever stacking ACLs there is an implied "AND" operator, so each line only works like this:
>
> "Method is CONNECT" AND "Ports" AND "Destination is "
>
> Otherwise DENY ALL is the likely culprit.
>
> >>> David Touzeau 2/8/2011 1:22 PM >>>
>
> Dear, I use squid 3.1.10 and I would like to allow MSN messenger to pass through squid.
>
> According to wikis I did this:
>
> # Permit MSN
> acl MSN_ports port 1863 443 1503
> acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0
> acl MSN_methods method CONNECT
>
> http_access allow MSN_methods MSN_ports MSN_hosts
> http_access allow MSN_methods MSN_ports MSN_domains
> http_access allow MSN_methods MSN_ports MSN_net
>
> But MSN still did not want to connect, with these errors:
>
> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>
> Where am I wrong?
>
> Best regards

This is the entire content of the squid.conf; if you see something wrong, let me know.

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

#- PERFORMANCE TWEAKS
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#- squidGuard
#IS C-ICAP enabled = 1
redirect_program /usr/bin/squidGuard
redirect_children 20

#- SQUID PARENTS (feature not enabled)

#- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$
acl office_network src 192.168.82.0/24

#- MAIN RULES...
always_direct allow FTP

# - SAFE ports
acl Safe_ports port 1443 #FortiPartner
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl Safe_ports port 21 #ftp
acl Safe_ports port 1863 #MSN
acl Safe_ports port 20 #ftp-data#
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #chat
acl SSL_ports port 4343 #FortiGate

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$

# - RULES DEFINITIONS
http_access deny blockedsites
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MS
Re: [squid-users] Allow MSN messenger
On Tue, 08 Feb 2011 19:22:26 +0100, David Touzeau wrote:
> Dear, I use squid 3.1.10 and I would like to allow MSN messenger to pass through squid.

NOTE: the default squid configuration allows it through without problems.

> According to wikis I did this:

Which wiki? Not the Squid one, which only lists how to block MSN due to the default mentioned above.

> # Permit MSN
> acl MSN_ports port 1863 443 1503
> acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0

acl MSN_nets dst 207.46.111.0/24

NP: I'm not sure that is really needed. My clients have not had any problems using MSN and Live etc with the default setup allowing them out by IP and login.

> acl MSN_methods method CONNECT
>
> http_access allow MSN_methods MSN_ports MSN_hosts
> http_access allow MSN_methods MSN_ports MSN_domains

"messenger.hotmail.com" is part of ".hotmail.com" so this second rule is not needed, nor is the MSN_domains ACL.

> http_access allow MSN_methods MSN_ports MSN_net
>
> But MSN still did not want to connect, with these errors:
>
> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>
> Where am I wrong?

None of the rules you posted above have any relation to the port 80 POST requests in your log. They are all paired with CONNECT so apply only on HTTPS traffic and also only on ports 1863, 443, 1503.

Check the location you placed those rules and your http_access config logic as a whole.

Amos
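The point made by Chad and Amos above (ACLs on one http_access line are ANDed, the first matching line wins, and every line the poster wrote requires CONNECT, so a port-80 POST falls through to the deny) can be checked mechanically. The following is an added example, not code from this thread or from Squid: a small Python model of http_access evaluation for the src, port, method and dstdomain ACL types, run over a constructed cut-down copy of the poster's rules (his dst rule is left out because it needs DNS, and a deny all is assumed to follow), against the POST request from his access.log and against one constructed fix that is not tied to CONNECT.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_config(text):
    acls, rules = {"all": ("src", ["all"])}, []    # "all" is predefined in Squid 3.x
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if words[:1] == ["acl"]:                       # same name repeated: values are ORed
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules                                 # ({name: (type, [values])}, [(action, [names])])

def destination(method, url):
    # Host and port as Squid sees them; a CONNECT request line carries host:port.
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    u = urlsplit(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def acl_matches(kind, values, client_ip, method, host, port):
    if kind == "src":                                  # Squid's "all" is 0.0.0.0/0
        nets = [ipaddress.ip_network("0.0.0.0/0" if v == "all" else v, strict=False) for v in values]
        return any(ipaddress.ip_address(client_ip) in n for n in nets)
    if kind == "method":
        return method in values
    if kind == "port":
        return str(port) in values
    if kind == "dstdomain":                            # ".x.com" matches x.com and its subdomains
        return any(host == v or (v.startswith(".") and (host == v[1:] or host.endswith(v)))
                   for v in values)
    raise ValueError(f"ACL type {kind!r} not modelled here")

def http_access(config, client_ip, method, url):
    # First http_access line whose ACLs ALL match wins -> (verdict, winning line).
    acls, rules = parse_config(config)
    host, port = destination(method, url)
    for action, names in rules:
        if all(acl_matches(*acls[n], client_ip, method, host, port) for n in names):
            return action, " ".join(["http_access", action, *names])
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no rule matched)"

# Constructed cut-down copy of the poster's rules (dst rule omitted), followed by deny all.
OP_CONFIG = """acl office_network src 192.168.82.0/24
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access deny all"""
# One constructed fix: a rule for the office LAN that is not tied to the CONNECT method.
FIXED_CONFIG = OP_CONFIG.replace("deny all", "allow office_network MSN_domains\nhttp_access deny all")
LOGGED_POST = ("192.168.82.173", "POST", "http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll")  # from access.log
```

`http_access(OP_CONFIG, *LOGGED_POST)` returns the deny all line as the winner, while a CONNECT to messenger.hotmail.com:1863 is allowed by the first rule; `FIXED_CONFIG` lets the same POST through.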
Re: [squid-users] Allow MSN messenger
On 09/02/11 08:44, David Touzeau wrote:
> On Tuesday 08 February 2011 at 13:35 -0500, Chad Naugle wrote:
>> Which all looks ok, but is there an "http_access" that allows anything other than the "CONNECT" method, such as:
>>
>> http_access allow MSN_hosts
>> http_access allow MSN_domains
>> http_access allow MSN_net
>>
>> Not to mention any other sites / hosts / ports (such as port 80) before the "http_access deny all", because whenever stacking ACLs there is an implied "AND" operator, so each line only works like this:
>>
>> "Method is CONNECT" AND "Ports" AND "Destination is"
>>
>> Otherwise DENY ALL is the likely culprit.
>>
>> >>> David Touzeau 2/8/2011 1:22 PM >>>
>>
>> Dear, I use squid 3.1.10 and I would like to allow MSN messenger to pass through squid.
>>
>> According to wikis I did this:
>>
>> # Permit MSN
>> acl MSN_ports port 1863 443 1503
>> acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
>> acl MSN_hosts dstdomain messenger.hotmail.com
>> acl MSN_nets dst 207.46.111.0/255.255.255.0
>> acl MSN_methods method CONNECT
>>
>> http_access allow MSN_methods MSN_ports MSN_hosts
>> http_access allow MSN_methods MSN_ports MSN_domains
>> http_access allow MSN_methods MSN_ports MSN_net
>>
>> But MSN still did not want to connect, with these errors:
>>
>> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403 1662 TCP_MISS:DIRECT
>>
>> Where am I wrong?
>>
>> Best regards
>
> This is the entire content of the squid.conf; if you see something wrong, let me know.
>
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32
> acl manager proto cache_object
> auth_param basic credentialsttl 2 hour
> authenticate_ttl 1 hour
> authenticate_ip_ttl 60 seconds

Setting credentials timeouts but not otherwise configuring or using auth at all. The above auth bits can all be dropped until needed.

> #- PERFORMANCE TWEAKS
> # http://blog.last.fm/2007/08/30/squid-optimization-guide
> memory_pools off

Hmm, this is optimization only on 64-bit machines with broken default alloc implementations and some fairly rare people who suffer under strange memory leak problems we fail to replicate. What it does is cause Squid to call out to the OS for every individual piece of memory used, instead of allocating larger whole swap-page sized chunks. May be worth experimenting and doing your own measurements.

> quick_abort_min 0 KB
> quick_abort_max 0 KB
> log_icp_queries off
> client_db off
> buffered_logs on
> half_closed_clients off
>
> #- squidGuard
> #IS C-ICAP enabled = 1
> redirect_program /usr/bin/squidGuard
> redirect_children 20

Style fix: That directive was renamed "url_rewrite_program" and "url_rewrite_children" some time ago.

> #- SQUID PARENTS (feature not enabled)
>
> #- acls
> acl blockedsites url_regex "/etc/squid3/squid-block.acl"
> acl CONNECT method CONNECT
> acl purge method PURGE
> acl FTP proto FTP
> acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
> acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
> acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
> acl multimedia_rep rep_mime_type -i ^image/
> acl multimedia_rep rep_mime_type -i ^video
> acl multimedia_rep rep_mime_type -i ^audio
> acl multimedia_rep rep_mime_type -i ^application/x-dvi$
> acl multimedia_rep rep_mime_type -i ^application/x-isoview
> acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*

The regex library Squid uses places an implicit ".*" at the beginning and end of the pattern unless you manually add ^ and $ anchors. So you can drop the trailing .*

Also, -i (case ignored) ^.*player contains ^Windows-Media-Player. You can drop the ^Windows-Media-Player one completely for a doubling of speed on that ACL test.

> acl bigfiles_types urlpath_regex -i \.deb$
> acl bigfiles_types urlpath_regex -i \.rpm$
> acl bigfiles_types urlpath_regex -i \.iso$
> acl bigfiles_types urlpath_regex -i \.tar\.gz$
> acl bigfiles_types urlpath_regex -i \.gz$
> acl bigfiles_types urlpath_regex -i \.bz$
> acl bigfiles_types urlpath_regex -i \.tar$
> acl bigfiles_types urlpath_regex -i \.cue$
> acl bigfiles_types urlpath_regex -i \.nrg$
> acl bigfiles_types urlpath_regex -i \.crf$
> acl bigfiles_types urlpath_regex -i \.bwi$
> acl bigfiles_types urlpath_regex -i \.bwt$
> acl bigfiles_types urlpath_regex -i \.lcd$
> acl bigfiles_types urlpath_regex -i \.ccd$
> acl bigfiles_types urlpath_regex -i \.mdf$
> acl bigfiles_types urlpath_regex -i \.mds$
> acl bigfiles_types urlpath_regex -i \.vcd$
> acl bigfiles_types urlpath_regex -i \.cif$
> acl bigfiles_types urlpath_regex -i \.vdi$
> acl bigfiles_types urlpath_regex -i \.img$

Optimization: each test has to be run individually. Compacting those down to one pattern will allow the librar
RE: [squid-users] Allow msn messenger but no porn
> -----Original Message-----
> From: Mario Maradiaga [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 09, 2005 2:12 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Allow msn messenger but no porn
>
> Hi everyone,
>
> This is my first e-mail to the list and I hope you can help. I'm running the latest squid stable on a Red Hat 7.3; the problem I have is the following:
>
> Every one of the computers in the office except for the IT ones accesses the Internet with ncsa authentication. The following acl takes care of all the IPs inside the office, acl office src "/etc/squid/etc/work", I have a respective acl to ban porn, acl porn url_regex "/etc/squid/etc/nosex", and a respective acl to block msn, acl msn req_mime_type -i ^application/x-msn-messenger$.

acl salesmanagerIP src 1.2.3.4/255.255.255.255 # Change the IP address as appropriate

> The http_access looks kinda like this:
> http_access deny paginas
> some other acls

http_access allow salesmanagerIP msn # Allow the sales manager's IP to use msn through squid

> http_access deny msn
> some other acls
> http_access allow office password
>
> Like I said, the IT PCs are not included in the squid configuration file because they're doing NAT directly through the firewall.
> I am now required to allow access to the msn messenger only on one PC, the sales manager's PC, but I don't know how to give msn access to it without allowing it to view porn. Here's what I tried: I added the IP to the NAT table on my firewall and removed it from the office IP list requiring a password, but left the Internet Explorer on the PC still configured to access the Internet via squid; this way I think he will be able to access msn but still be affected by the acls on squid, thus blocking the porn sites. But it didn't work.
> Any ideas are welcome, or point out anything I left out.
>
> Thanx,
>
> Mario Maradiaga

See the Access Control section of the Squid FAQ for more details (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html)

Chris