Arseniy Bukhara, 2020-06-14 13:09:55
FreeBSD

How do I set up white and black lists properly so that they allow access to permitted sites and block prohibited ones?

Good day. The task is as follows: to make white and black lists work correctly in squid. I have already tried every method to make them work correctly. The result is the same: no matter what order I put the http_access rules in, blacklisted sites are never blocked, and the group with limited Internet access always ends up as a group with full access, because the whitelist is not processed correctly either.
Accordingly, FullInternet is the AD group with full access, and LimitedInternet is the group with limited access.
The authentication and authorization method is Kerberos. Yes, as you will see further down in the config, I put the sites from the whitelist directly into the squid configuration file itself, so the line with the whitelist file is commented out. That did not help either. The current config is attached:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/[email protected]
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on
acl localnet src 10.47.0.0/24
# Allowed ports, methods and connection scopes
#acl SSL_ports port 443
#acl Safe_ports port 80
#acl Safe_ports port 443
#acl Safe_ports port 1025-65535
#http_access deny !Safe_ports
#acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
#http_access allow localhost
#http_access deny to_localhost
# AD group membership lookups through the Kerberos/LDAP external ACL helper
external_acl_type FullInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g FullInternet
external_acl_type LimInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g LimitedInternet
# Destination lists
#acl whitelist dstdomain  "/usr/local/etc/squid/whitelist.txt"
acl blacklist dstdomain   "/usr/local/etc/squid/blacklist.txt"
acl SiteAllow dstdomain .yandex.ru .mail.ru
acl my_full external FullInet
acl my_lim external  LimInet
# Access rules
http_access deny my_lim SiteAllow
http_access allow my_full
http_access deny blacklist
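As an added example (not from the original post, and not Squid's own code), the following Python model walks http_access rules the way squid.conf documents it and runs both the three posted rules and a corrected order against the same requests. The users, group memberships, hosts and list contents are constructed stand-ins for what the Kerberos/LDAP group helper and blacklist.txt would return; the names POSTED_RULES, FIXED_RULES, http_access and compare are mine.

```python
"""Model of Squid http_access evaluation (added example, not Squid code).

Semantics modelled, as documented for squid.conf:
  - rules are tried top to bottom; a rule matches only if every ACL on the
    line matches (a '!' prefix negates an ACL);
  - the first matching rule decides the request;
  - if NO rule matches, the request gets the OPPOSITE of the last rule's action;
  - dstdomain: an entry with a leading '.' matches the domain and all of its
    subdomains, an entry without the dot matches that exact host only.
"""
from dataclasses import dataclass

# Constructed stand-in for what ext_kerberos_ldap_group_acl -g <group> answers.
GROUPS = {
    "alice@EXAMPLE.LOCAL": {"FullInternet"},
    "bob@EXAMPLE.LOCAL": {"LimitedInternet"},
    "carol@EXAMPLE.LOCAL": set(),  # authenticated, but in neither group
}
BLACKLIST = [".badsite.example", ".tracker.example"]  # constructed blacklist.txt
SITE_ALLOW = [".yandex.ru", ".mail.ru"]               # the post's SiteAllow acl


@dataclass(frozen=True)
class Request:
    user: str   # %LOGIN as handed to the external ACL helper
    host: str   # destination host (for CONNECT, the host in the request line)


def dstdomain_match(entries, host):
    """Squid dstdomain matching: '.example' covers example and *.example."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


ACLS = {
    "all": lambda r: True,
    "blacklist": lambda r: dstdomain_match(BLACKLIST, r.host),
    "SiteAllow": lambda r: dstdomain_match(SITE_ALLOW, r.host),
    "my_full": lambda r: "FullInternet" in GROUPS.get(r.user, set()),
    "my_lim": lambda r: "LimitedInternet" in GROUPS.get(r.user, set()),
}

# The three http_access lines exactly as posted.
POSTED_RULES = [
    ("deny", ["my_lim", "SiteAllow"]),
    ("allow", ["my_full"]),
    ("deny", ["blacklist"]),
]

# Corrected order: block the blacklist for everyone first, then grant full
# access, then grant the limited group only its whitelist, then fail closed.
FIXED_RULES = [
    ("deny", ["blacklist"]),
    ("allow", ["my_full"]),
    ("allow", ["my_lim", "SiteAllow"]),
    ("deny", ["all"]),
]


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under the given http_access rules."""
    for action, acl_names in rules:
        matched = True
        for name in acl_names:
            negate = name.startswith("!")
            hit = ACLS[name.lstrip("!")](req)
            if hit == negate:          # ACL did not match (taking '!' into account)
                matched = False
                break
        if matched:
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


SAMPLE_REQUESTS = [
    Request("alice@EXAMPLE.LOCAL", "www.badsite.example"),  # full user, blacklisted site
    Request("bob@EXAMPLE.LOCAL", "mail.yandex.ru"),         # limited user, whitelisted site
    Request("bob@EXAMPLE.LOCAL", "example.com"),            # limited user, any other site
    Request("carol@EXAMPLE.LOCAL", "example.com"),          # user in neither group
]


def compare(requests=SAMPLE_REQUESTS):
    """(user, host, decision under posted rules, decision under fixed rules)."""
    return [(r.user, r.host, http_access(POSTED_RULES, r), http_access(FIXED_RULES, r))
            for r in requests]


if __name__ == "__main__":
    print(f"{'user':22} {'host':22} {'posted':7} fixed")
    for user, host, posted, fixed in compare():
        print(f"{user:22} {host:22} {posted:7} {fixed}")
```

Run stand-alone, the table shows the three things the posted order does: `allow my_full` sits above `deny blacklist`, so full-access users reach blacklisted sites; `deny my_lim SiteAllow` is the inverse of a whitelist, so the limited group is denied exactly yandex.ru and mail.ru; and because the last line is a deny, every request that matches nothing (a limited user, or a user in neither group, going to any unlisted site) falls through to the implicit opposite, allow. The corrected order puts `deny blacklist` first so it applies to everyone and is decided before any authentication-dependent ACL is consulted, and ends with an explicit `deny all` so the proxy fails closed. The model ignores the Safe_ports/CONNECT lines, which are commented out in the posted config, and assumes the lists use leading-dot entries; a blacklist entry without the dot matches only that exact host.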

1 answer

CityCat4 (@CityCat4), 2020-06-15

Sometime around last fall there was an article in "System Administrator" on the topic of squid settings and access by groups.
