Marco Simon wrote:
>
> In how far can both acl-sets exist at the same time !?
> Do they conflict with each other ?! Which rules must
> exist in squid.conf for proper use of squidGuard ?

From the squid FAQ
<http://www.squid-cache.org/Doc/FAQ/FAQ-15.html>:

Squid has the ability to rewrite requested URLs. Implemented as an
external process (similar to a dnsserver), Squid can be configured to
pass every incoming URL through a redirector process that returns
either a new URL, or a blank line to indicate no change.
. . .
Squid writes additional information after the URL which a redirector
can use to make a decision. The input line consists of four fields:

    URL ip-address/fqdn ident method

----- <end of clip>--------------------------

Note that the redirector's response to squid is limited to:
  a) A new URL, or
  b) A blank line to indicate no change.

The squid and squidGuard acls do not "conflict with each other", but
they are processed (more or less) linearly.

Henrik Nordstrom is one of the squid developers. He described the
processing order in a response to a user question:
<http://marc.theaimsgroup.com/?l=squid-users&m=106823042701829&w=2>

---------------<clip>----------------------------
It is almost impossible to correctly draw one diagram showing all these
and their interactions, but it is possible to describe the general flow
of a single request. The following is based on the Squid-2.5 code base:

  * httpAccept() accepts a new client connection
  * clientReadRequests() reads and parses a request
  * clientAccessCheck() verifies the http_access rules
  * redirectStart() calls the redirector helper (if any)
  * clientCheckNoCache() verifies the no_cache rules
  * clientProcessRequest() starts processing the request
----- <end of clip>--------------------------

So, a transaction that is prohibited by your squid acl will never be
seen by the redirector.

You should start your testing with a working squid installation. (If it
doesn't work with squid alone, it will not start working when
squidGuard is added to the mix.) Add your redirect_program statement
and bounce squid. Verify that you do have a squidGuard.log file that
contains current startup information.
squidGuard will write 50+ lines to its log file every time it is
(re)started. If you do not find this to be true with your
squidGuard.log file it is because squidGuard cannot find and/or write
to the location you specified. Don't go any further in your testing
until this issue is resolved.

Here's a simple squidGuard config file that might help you get up and
running:

#
## Simple squidGuard.conf test file ##
#

# Path declarations
# It's a good idea to include the path statements even if you
# are using the default locations. Be sure to set the ownership
# and permissions of the paths and the files
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db

# Source group declarations
# Create a test source group that contains your ip
src testsource {
    ip 192.168.0.25
}

# Destination group declarations
# Create a test destination group and domains file. Remember that the
# location is the combination of your dbhome and the domainlist
# specification. As listed here, this domains file would be located
# /usr/local/squidGuard/db/blacklists/testdest/domains
# The content of the domains file should be 'yahoo.com', w/o quotes.
# Don't forget path/file ownership and permissions.
# You can leave the redirect statement below as is for your testing.
# Create 'blocked.log' in the same directory and with the same
# ownership and permissions as your squidGuard.log file.
dest testdest {
    domainlist blacklists/testdest/domains
    redirect http://tinyurl.com/3lhjs
    log blocked.log
}

# acl declarations
# This will allow you (192.168.0.25) to browse anywhere but testdest.
# If you try to go to yahoo.com you will be redirected.
# You can leave the redirect statement below as is for your testing.
# If you try browsing from an undefined source (not 192.168.0.25),
# you will be processed by the default acl and redirected.
acl {
    testsource {
        pass !testdest all
    }
    default {
        pass none
        redirect http://tinyurl.com/4btln
        log blocked.log
    }
}

#
## End of Simple squidGuard.conf test file ##

Hope that helps!
Rick

>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Marco Simon
> Sent: Thursday, 19 August 2004 13:12
> To: [EMAIL PROTECTED]
> Subject: Squidguard seems not to do anything
>
>
> I've got the following problem:
>
> I installed squid and squidguard as well via deb-packages as
> via sources and selfcompiling.
>
> In both cases I've got the same problem:
> SquidGuard is started together with squid, the processes are running.
> But Squidguard seems not to allow or forbid anything.
>
> See further down for my config files.
> The squid-Configuration seems to work quite good, but even if I allow
> everything in squid.conf and disallow everything in squidguard.conf I can
> reach every web-page without problems. As soon as I disallow everything
> in squid.conf, I can't reach any page anymore.
>
> Please have a look at my config-files and give me some advice, where I
> have to look for the mistake.
>
> Thanks a lot !!!
>
> squid.conf
> =======
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_access_log /opt/squid/var/logs/access.log
> cache_log /opt/squid/var/logs/cache.log
> cache_store_log /opt/squid/var/logs/store.log
> debug_options ALL,1 33,2 28,9
> redirect_program /opt/squid/bin/squidGuard -c /etc/squidguard.conf
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> http_access allow all
> http_reply_access allow all
> cache_effective_user squid
> =========
>
> squidguard.conf
> ============
> logdir /opt/squid/var/logs
> dbhome /opt/squid/var/db
> dest blacklist {
> domainlist blacklist/domains
> urllist blacklist/urls
> }
> acl {
> default {
> pass none
> }
> }
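
The redirector exchange quoted from the Squid FAQ above, as an added example that is not part of the original message and is not squidGuard's code: a stand-in helper that reads the four-field input line and answers with a new URL or a blank line, using the addresses and URLs from the test squidGuard.conf. The function and constant names are this example's own, and matching subdomains of a listed domain is an assumption of the example.

```python
"""Stand-in redirector for the four-field protocol quoted from the Squid FAQ."""
import sys
from urllib.parse import urlsplit

# Policy values copied from the test squidGuard.conf in the message.
TEST_SOURCES = {"192.168.0.25"}            # src testsource
BLOCKED_DOMAINS = {"yahoo.com"}            # content of the testdest domains file
BLOCKED_URL = "http://tinyurl.com/3lhjs"   # redirect in dest testdest
DEFAULT_URL = "http://tinyurl.com/4btln"   # redirect in the default acl


def parse_line(line):
    """Split 'URL ip-address/fqdn ident method' into its parts."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    url, client, ident, method = fields[:4]
    ip, _, fqdn = client.partition("/")
    return url, ip, fqdn, ident, method


def host_of(url):
    """Host part of the request; input without a scheme is read as host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def decide(line):
    """Return the replacement URL, or '' (a blank line) for no change."""
    try:
        url, ip, _fqdn, _ident, _method = parse_line(line)
        host = host_of(url).rstrip(".")
    except ValueError:
        return DEFAULT_URL                 # malformed input: fail closed
    if ip not in TEST_SOURCES:
        return DEFAULT_URL                 # default { pass none }
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return BLOCKED_URL                 # testsource { pass !testdest ...
    return ""                              # ... all }


if __name__ == "__main__":
    for line in sys.stdin:                 # one request per line on stdin
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                 # answer each line before reading the next
```

Feeding it a line such as `http://www.yahoo.com/ 192.168.0.25/- - GET` on stdin shows the answer a redirector is expected to give for that request.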
