Comments and answers are interspersed in context below...
On Tue, 2004-04-20 at 12:06, Rick Matthews wrote:
> Mike Rambo wrote:
> >
> > I've looked at implementing this suggestion and like some of what it
> > would allow me to do. The problem I've run into is that the squid
> > cachemgr.cgi will no longer run correctly with the default acl set to
> > pass none. The cgi comes up and I can authenticate but I don't see the
> > list of items I should see from the cachemgr.cgi script.
> >
> > Here is my default acl. The cgi works as it sits now. If I comment out
> > the first pass statement and uncomment 'pass none' cachemgr.cgi dies.
> >
> > default {
> > pass !local-block local-ok !ads !aggressive !drugs\
> > !gambling !hacking !porn !violence !warez all
> > #pass none
> > redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?\
> > clientaddr=%a&clientname=%n&clientident=%i\
> > &srcclass=%s&targetgroup=%t&url=%u
> > }
> >
> > Why would I be hitting the default acl anyway?
>
> If you were being processed by a 'pass none' default squidGuard acl
> you would have been looking at your redirect screen, not a partial
> squid cachemgr.cgi screen.
>
> > I'm accessing the cachemgr from a machine that is in a subnet
> > covered by another acl. It seems like it must be because the cgi
> > script itself is doing the access to get the information and is
> > seen as making the access not from the subnet of my client but
> > rather the subnet of the squid box (or not?)? I've tried putting
> > the subnet (and even the host) for the squid box in another acl
> > and once tried a no_cache directive for the squid box in squid.conf
> > to no avail. I'm missing something here.
>
> Me too! :) Are we talking about squidGuard.conf or squid.conf? I
> think you said that cachemgr.cgi works fine, then you make one change
> in squidGuard.conf (changing default acl to pass none) and
> cachemgr.cgi doesn't work (correctly) anymore?
>
Yes - this is precisely the situation.
> I'm not sure what's going on, but without seeing your squidGuard.conf
> file I can't even make a guess. But I can tell you the things I do
> to research problems of that sort.
>
It's long but I'll attach it at the bottom.
> First, I want to look at the transaction in squid's access.log. A
> quick way to do that is to enter this in a shell session on your
> squid box:
>
> 'tail -f /var/log/squid/access.log > mycapture'
>
We have a pretty heavily used filter. Here are the only references I
found to either my client address, the cachemgr.cgi, or the filter box
by either name or ip address.
[EMAIL PROTECTED] root]# cat capture
1082478237.612 35 10.8.16.7 TCP_MISS/200 1415 GET http://squid.lpsd.local/cgi-bin/cachemgr.cgi - DIRECT/192.168.189.6 text/html
1082478237.856 81 10.8.16.7 TCP_MISS/404 1564 GET http://squid.lpsd.local/favicon.ico - DIRECT/192.168.189.6 text/html
1082478242.614 45 192.168.189.9 TCP_MISS/200 1371 GET cache_object://squid.lpsd.local/ - DIRECT/192.168.189.9 text/html
1082478242.620 73 10.8.16.7 TCP_MISS/200 4158 POST http://squid.lpsd.local/cgi-bin/cachemgr.cgi - DIRECT/192.168.189.6 text/html
> Next, I want to see how squidGuard handled the transaction. (That's
> the reason my squidGuard.conf contains a 'log' statement in each
> section that can deny a transaction.) So I look in my squidGuard
> blocked.log and find:
>
[EMAIL PROTECTED] root]# cat blocked.default
2004-04-20 12:41:18 [22037] Request(default/none/-) cache_object://squid.lpsd.local/ 192.168.189.9/squid.lpsd.local - GET
I notice that this seems the same as the third entry in the list above
and that the request is cache_object:// rather than http://. Meaningful?
> Hope that helps!
>
> Rick
>
Indeed. You are very helpful... Thanks.
I've found at least a workaround for this if you don't have a 'more
correct' solution. I created a cachemgr group in the blacklists and
changed the default acl to 'pass cachemgr none'. That, I think, makes
everything happen the way we want (I know the cachemgr comes up now but
haven't checked to see what the response is to out of network clients
yet).
Here is the full squidGuard.conf file.
[EMAIL PROTECTED] squid]# cat squidGuard.conf
#
# CONFIG FILE FOR SQUIDGUARD
#
# See http://www.squidguard.org/config/ for more examples
#
dbhome /var/squidGuard
logdir /var/log/squidGuard
dest ads {
# log ads
domainlist blacklists/ads/domains
urllist blacklists/ads/urls
redirect http://192.168.189.9/1x1.gif
}
<snip several dest groups>
dest porn {
log porn
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
dest local-ok {
domainlist blacklists/local-ok/domains
urllist blacklists/local-ok/urls
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
dest local-block {
log local-block
domainlist blacklists/local-block/domains
urllist blacklists/local-block/urls
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
dest cachemgr {
log blocked.default
domainlist blacklists/cachemgr/domains
urllist blacklists/cachemgr/urls
#redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
# These are specific machines that are open except for banner ad blocking.
src netadmin {
ip 10.180.1.3/255.255.255.255
ip 10.180.1.6/255.255.255.255
ip 10.180.1.10/255.255.255.255
ip 10.180.1.15/255.255.255.255
ip 10.180.1.19/255.255.255.255
ip 10.180.1.239/255.255.255.255
ip 10.8.16.7/255.255.255.255
}
# Use admin-dc1 for tests.
src admin-dc1 {
ip 10.189.16.101/255.255.255.255
}
# Other non-school (for the most part) networks.
src otheradmin {
ip 10.122.0.0/255.255.0.0
ip 10.180.0.0/255.255.0.0
ip 10.185.0.0/255.255.0.0
ip 10.187.0.0/255.255.0.0
ip 10.189.0.0/255.255.0.0
ip 10.212.0.0/255.255.0.0
}
# These networks get filtering defined by the highschool acl below.
src highschool {
ip 10.5.0.0/255.255.0.0
ip 10.7.0.0/255.255.0.0
ip 10.8.0.0/255.255.0.0
}
# These networks get filtering defined by the middleschool acl below.
src middleschool {
ip 10.6.0.0/255.255.0.0
ip 10.12.0.0/255.255.0.0
ip 10.13.0.0/255.255.0.0
ip 10.15.0.0/255.255.0.0
ip 10.16.0.0/255.255.0.0
ip 10.72.0.0/255.255.0.0
}
# These networks get filtering defined by the elemschool acl below.
src elemschool {
ip 10.17.0.0/255.255.0.0
ip 10.20.0.0/255.255.0.0
ip 10.21.0.0/255.255.0.0
ip 10.22.0.0/255.255.0.0
ip 10.24.0.0/255.255.0.0
ip 10.25.0.0/255.255.0.0
ip 10.28.0.0/255.255.0.0
ip 10.29.0.0/255.255.0.0
ip 10.31.0.0/255.255.0.0
ip 10.33.0.0/255.255.0.0
ip 10.36.0.0/255.255.0.0
ip 10.37.0.0/255.255.0.0
ip 10.38.0.0/255.255.0.0
ip 10.39.0.0/255.255.0.0
ip 10.41.0.0/255.255.0.0
ip 10.45.0.0/255.255.0.0
ip 10.46.0.0/255.255.0.0
ip 10.48.0.0/255.255.0.0
ip 10.50.0.0/255.255.0.0
ip 10.52.0.0/255.255.0.0
ip 10.54.0.0/255.255.0.0
ip 10.55.0.0/255.255.0.0
ip 10.60.0.0/255.255.0.0
ip 10.61.0.0/255.255.0.0
ip 10.62.0.0/255.255.0.0
ip 10.63.0.0/255.255.0.0
ip 10.65.0.0/255.255.0.0
ip 10.66.0.0/255.255.0.0
ip 10.67.0.0/255.255.0.0
ip 10.68.0.0/255.255.0.0
ip 10.70.0.0/255.255.0.0
ip 10.71.0.0/255.255.0.0
ip 10.74.0.0/255.255.0.0
}
acl {
# Specific admin machines benefit from ad blocking.
netadmin {
pass !ads all
}
# Other admin level networks receive less filtering than most schools.
admin-dc1 {
pass !local-block local-ok !ads !hacking !in-addr !porn !proxy !warez all
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
# Other admin level networks receive less filtering than most schools.
otheradmin {
pass !local-block local-ok !ads !hacking !porn !proxy !warez all
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
# High school level networks receive the least amount of filtering.
highschool {
pass !local-block local-ok !ads !hacking !porn !proxy !warez all
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
# Middle school networks get more filtering.
middleschool {
pass !local-block local-ok !ads !drugs !gambling !hacking !porn !proxy !violence !warez all
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
# Elementary networks are heavily filtered.
elemschool {
pass !local-block local-ok !ads !aggressive !drugs !elem !gambling !hacking !proxy !porn !violence !warez all
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}
default {
pass cachemgr none
redirect http://192.168.189.9/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
log blocked.default
}
}
--
Mike Rambo
[EMAIL PROTECTED]
Evolution (n): A hypothetical process whereby infinitely improbable events occur
with alarming frequency, order arises from chaos, and no one is given credit.
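To make the finding in this thread concrete, here is an added Python model (example code, not squidGuard's own implementation) of how src groups, the acl section and a pass list route a request: the cachemgr.cgi's cache_object:// fetch originates from the squid host 192.168.189.9, which sits in no src group, so it lands in the default acl, where 'pass none' blocks it and 'pass cachemgr none' lets only that host through. The sample ads entry and the contents of blacklists/cachemgr/domains are assumptions, since the post does not show them.

```python
import ipaddress

# Constructed, cut-down model of the squidGuard.conf in this thread; example
# code, not squidGuard's own implementation. src groups are tried in acl order.
SRC_GROUPS = [
    ("netadmin", ["10.8.16.7/32"]),
    ("highschool", ["10.5.0.0/16", "10.7.0.0/16", "10.8.0.0/16"]),
]
# dest group -> domainlist. 'ads' holds a constructed sample entry; the
# 'cachemgr' entry is an assumption (the post omits blacklists/cachemgr/domains).
DEST_GROUPS = {"ads": ["doubleclick.net"], "cachemgr": ["squid.lpsd.local"]}
ACL_PASS = {  # dest groups not modelled above simply never match
    "netadmin": "!ads all",
    "highschool": "!local-block local-ok !ads !hacking !porn !proxy !warez all",
}

def url_host(url):
    """Host part of a URL, scheme-agnostic so cache_object:// is handled too."""
    netloc = url.split("://", 1)[1].split("/", 1)[0]
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def domain_matches(host, domain):
    """domainlist semantics: the listed domain itself or any host under it."""
    return host == domain or host.endswith("." + domain)

def find_src(client_ip):
    """First src group whose networks contain client_ip, else 'default'."""
    ip = ipaddress.ip_address(client_ip)
    for name, nets in SRC_GROUPS:
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return name
    return "default"

def evaluate_pass(pass_list, host):
    """Walk the pass list left to right; the first matching entry decides."""
    for item in pass_list.split():
        negated, name = item.startswith("!"), item.lstrip("!")
        if name == "all":
            return "pass"
        if name == "none":
            return "block"
        if any(domain_matches(host, d) for d in DEST_GROUPS.get(name, [])):
            return "block" if negated else "pass"
    raise ValueError("pass list must end with 'all' or 'none' in this model")

def decide(client_ip, url, default_pass="none"):
    """(verdict, src group) for one request; default_pass is the default acl."""
    src = find_src(client_ip)
    return evaluate_pass(ACL_PASS.get(src, default_pass), url_host(url)), src
```

Calling decide("192.168.189.9", "cache_object://squid.lpsd.local/", "none") gives ("block", "default"), and the same request with "cachemgr none" gives ("pass", "default"), which is the workaround from the thread.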