Answer the question
In order to leave comments, you need to log in
How to properly set up white and black lists so that they allow access to allowed and block prohibited sites?
Good day. The task is as follows: to make white and black lists work correctly in squid. I have already tried all the methods to make them work correctly. The result is the same: in whatever sequence I set the http_access rules, blacklisted sites are never blocked. And a group with limited Internet access always remains a group with full access, since the white list is also not processed correctly.
Accordingly, FullInternet is an AD group with full access, and LimitedInternet is a group with limited access.
Authentication and authorization method - kerberos. Yes, further in the config it will be seen that I entered the sites from the whitelist just into the squid configuration file itself, so the line with the whitelist file is commented out. And that didn't help either. Attached is the current config:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/[email protected]
auth_param negotiate children 50 startup=10 idle=5
auth_param negotiate keep_alive on
acl localnet src 10.47.0.0/24
#▒[email protected]аз▒[email protected]е▒~Hенн▒~Kе по▒[email protected]▒~B▒~K, ме▒~Bод▒~K и обла▒~A▒~Bи подкл▒~N▒~Gени▒~O
#acl SSL_ports port 443
#acl Safe_ports port 80
#acl Safe_ports port 443
#acl Safe_ports port 1025-65535
#http_access deny !Safe_ports
#acl CONNECT method CONNECT
#http_access deny CONNECT !SSL_ports
#http_access allow localhost manager
#http_access deny manager
#http_access allow localhost
#http_access deny to_localhost
external_acl_type FullInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g FullInternet
external_acl_type LimInet ttl=3600 negative_ttl=3600 children-max=50 children-startup=10 children-idle=5 grace=15 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g LimitedInternet
#acl whitelist dstdomain "/usr/local/etc/squid/whitelist.txt"
acl blacklist dstdomain "/usr/local/etc/squid/blacklist.txt"
acl SiteAllow dstdomain .yandex.ru .mail.ru
acl my_full external FullInet
acl my_lim external LimInet
http_access deny my_lim SiteAllow
http_access allow my_full
http_access deny blacklist
Answer the question
In order to leave comments, you need to log in
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question