Squid
at_lexx, 2015-09-09 08:48:10

Why doesn't Squid 3 block social networks?

Good day. I've run into a problem: the transparent Squid does not want to block http sites like vk and others. I can't figure out why it's so stupid.
Posting the config:

# Restrict access to sites
acl Siteban url_regex -i "/etc/squid3/blacklist"

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Disable IPv6
acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

# Block downloading of files with the extensions cmd, bat, vld
acl BlockedURLRegex url_regex -i "/etc/squid3/block_cmd"

# User lists for configuring restrictions
acl vip src "/etc/squid3/vip"
acl users src "/etc/squid3/users"
acl on_site url_regex -i "/etc/squid3/on_site"

http_access deny BlockedURLRegex
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny manager
http_access allow vip
http_access deny Siteban users !on_site
http_access allow users
http_access allow localhost
http_access deny all

http_port 192.168.1.2:3129
http_port 192.168.1.2:3128 intercept

cache_mem 256 MB
maximum_object_size_in_memory 2048 KB
cache_dir ufs /var/spool/squid3 8168 16 256
maximum_object_size 100 MB

access_log daemon:/var/log/squid3/access.log squid
logfile_rotate 31
log_access deny localhost
debug_options ALL!cachemgr,1
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:   1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern .       0       20%     4320

# Bandwidth limiting
delay_pools 2
delay_class 1 1
delay_parameters 1 -1/-1
delay_access 1 allow vip
delay_access 1 deny all

delay_class 2 2
delay_parameters 2 -1/-1 80000/2500000
delay_access 2 allow users
delay_access 2 deny all

cache_effective_user proxy
cache_effective_group proxy
forwarded_for delete
connect_timeout 20 second
dns_v4_first on
tcp_outgoing_address 192.168.1.2 !to_ipv6
error_directory /usr/share/squid3/errors/ru
error_default_language ru

Lines in the siteban list are of this kind:
vk\.com
Users are specified as a from-to range.
The forwarding in iptables is of the form:
iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.1.0/24 -p tcp -m multiport --dport 80,8080,443 -j DNAT --to 192.168.1.2:3128

HTTPS will also be added over time, but so far even this does not work.
Thank you in advance.

3 answers
Maxim Kovalenko, 2015-09-16
@at_lexx

Run tail -f /var/log/squid/cache.log and in parallel open vk.com as a user from the /etc/squid3/users list. Post the log.
What is the behavior when you change the line to:

#http_access deny Siteban users !on_site
http_access deny Siteban

pozitiffcaat, 2015-09-09
@pozitiffcaat

Maybe something like this?
\S*vk\.com\S*

Dmitry Filyushin, 2015-09-24
@Filyushin

Most likely it's because social networks work over HTTPS.
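An added illustration, not code from this thread, of how Squid walks the http_access list posted in the question (first line whose ACLs all match wins, so a vip address is allowed before the Siteban line is ever reached) and of why a hostname url_regex cannot catch an intercepted HTTPS connection, as the answer above points out. The list-file contents, the address ranges and the destination address are constructed stand-ins; the page does not give them.

```python
import ipaddress
import re

# Constructed stand-ins for the list files the question's squid.conf reads
# (/etc/squid3/blacklist, vip, users, on_site); real contents are not on the page.
BLACKLIST = [r"vk\.com"]                     # url_regex -i pattern, as in the question
VIP = ["192.168.1.10-192.168.1.20"]          # src "from-to" ranges, as the question describes
USERS = ["192.168.1.100-192.168.1.200"]
ON_SITE = [r"corp\.example\.local"]          # hypothetical allowed-site pattern

def ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in (r.split("-") for r in ranges))

def url_matches(url, patterns):
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

# Only the ACLs used by the http_access lines below are modelled.
ACLS = {
    "Siteban": lambda r: url_matches(r["url"], BLACKLIST),
    "vip": lambda r: ip_in_ranges(r["src"], VIP),
    "users": lambda r: ip_in_ranges(r["src"], USERS),
    "on_site": lambda r: url_matches(r["url"], ON_SITE),
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "all": lambda r: True,
}

# The question's http_access lines that use these ACLs, in the original order.
# Squid stops at the first line whose ACLs all match; "!" negates one ACL.
HTTP_ACCESS = [
    ("allow", ["vip"]),
    ("deny", ["Siteban", "users", "!on_site"]),
    ("allow", ["users"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

def http_access(request):
    # Returns (verdict, index of the matching line) for a dict with 'src' and 'url'.
    for idx, (verdict, acls) in enumerate(HTTP_ACCESS):
        if all(ACLS[a.lstrip("!")](request) != a.startswith("!") for a in acls):
            return verdict, idx
    return "deny", -1  # never reached here: "deny all" matches every request

if __name__ == "__main__":
    print(http_access({"src": "192.168.1.15", "url": "http://vk.com/"}))      # ('allow', 0): vip hit first
    print(http_access({"src": "192.168.1.150", "url": "http://vk.com/feed"})) # ('deny', 1): Siteban line
    # Intercepted TLS (constructed): no hostname, only a destination address,
    # so the hostname regex cannot match and the user is allowed by line 2.
    print(http_access({"src": "192.168.1.150", "url": "198.51.100.7:443"}))  # ('allow', 2)
```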
