Block some web to a group of ip and allow the rest.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Block some web to a group of ip and allow the rest.

erdosain9
Hi to all.
Im trying to block some web to a ip group.

[root@squid ips]# cat i-restringidos.lst
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128

This same ip group has access to all internet.
[root@squid ips]# cat prensa_isla.lst
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.99
192.168.1.50
192.168.1.128

This is what i want to block
[root@squid listas]# cat restringidos.lst
.whatsapp.com
.facebook.com
.instagram.com
.twitter.com


(so i have this 2 acl whit the same ip, one for deny, the other to allow.

So this is my config... and it's not working. Some help?? Thanks!

acl i-restringidos src "/etc/squid/ips/i-restringidos.lst"
acl logistica src "/etc/squid/ips/logistica.lst"
acl adminis  src "/etc/squid/ips/adminis.lst"
acl institucionales src "/etc/squid/ips/institucionales.lst"
acl patriysumi  src     "/etc/squid/ips/patriysumi.lst"
acl rrhh        src     "/etc/squid/ips/rrhh.lst"
acl proyecto    src     "/etc/squid/ips/proyecto.lst"
acl programas_y_activ    src     "/etc/squid/ips/programas_y_activ.lst"
acl auditoria   src     "/etc/squid/ips/auditoria.lst"
acl legales     src     "/etc/squid/ips/legales.lst"
acl proteccion  src     "/etc/squid/ips/proteccion.lst"
acl oe          src     "/etc/squid/ips/oe.lst"
acl prensa-isla src     "/etc/squid/ips/prensa_isla.lst"

#acl red6 src "/etc/squid/ips/red6.lst"
acl red6 src 192.168.6.0/24  #para la red 6
acl red2 src 192.168.2.0/24 #red 2

####Bloquea Publicidad ( http://pgl.yoyo.org/adservers/ )
acl ads dstdom_regex "/etc/squid/listas/ad_block.lst"
http_access deny ads
#deny_info TCP_RESET ads

####Streaming
acl youtube url_regex -i \.flv$
acl youtube url_regex -i \.mp4$
acl youtube url_regex -i watch?
acl youtube url_regex -i youtube
acl facebook url_regex -i facebook
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i fbcdn\.net\/v\/(.*\.jpg)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.mp4)\?
acl facebook url_regex -i akamaihd\.net\/v\/(.*\.jpg)\?

##Dominios denegados
acl dominios_denegados dstdomain "/etc/squid/listas/dominios_denegados.lst"

##bloqueo de pagina prueba
acl blockprueba dstdomain "/etc/squid/listas/blockprueba.lst"

##Extensiones bloqueadas
acl multimedia urlpath_regex "/etc/squid/listas/multimedia.lst"

##Extensiones peligrosas
acl peligrosos urlpath_regex "/etc/squid/listas/peligrosos.lst"

##Redes sociales
acl restringidos dstdomain “/etc/squid/listas/restringidos.lst”


#Puertos
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
#acl SSL_ports port 30666
#acl SSL_ports port 31666
acl SSL_ports port 10000
acl SSL_ports port 10040 # webmin sitio web
acl SSL_ports port 2083

acl Safe_ports port 631         # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 8443        # httpsalt
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 8080        # edesur y otros

acl CONNECT method CONNECT



http_access allow localhost manager


http_access deny manager
http_access deny to_localhost

http_access deny i-restringidos restringidos
http_access allow prensa-isla
http_access allow red6
http_access allow red2
http_access allow logistica !dominios_denegados !multimedia !peligrosos
http_access allow adminis !dominios_denegados
http_access allow institucionales !dominios_denegados !peligrosos
!multimedia
http_access allow patriysumi !multimedia !peligrosos !dominios_denegados
http_access allow proyecto !dominios_denegados !peligrosos !multimedia
http_access allow rrhh !dominios_denegados !peligrosos !multimedia
http_access allow programas_y_activ !dominios_denegados !peligrosos
!multimedia
http_access allow auditoria !dominios_denegados !peligrosos !multimedia
http_access allow legales !dominios_denegados !peligrosos !multimedia
http_access allow proteccion !dominios_denegados !peligrosos !multimedia
http_access allow oe !dominios_denegados !peligrosos !multimedia
http_access deny all

http_port 127.0.0.1:3128
http_port 192.168.1.97:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=5MB cert=/etc/squid/ssl_cert/myca.pem
key=/etc/squid/ssl_cert/myca.pem


acl step1 at_step SslBump1

acl excludeSSL ssl::server_name_regex "/etc/squid/listas/excluidosSSL.lst"

ssl_bump peek step1
ssl_bump splice excludeSSL
ssl_bump bump all

cache_dir diskd /var/spool/squid 15000 16 256
cache_mem 256 MB


cache_swap_low 75
cache_swap_high 85

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid


#My refresh pattern
#obliga el cache de imagenes .jgp

refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
ignore-private

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

via off
forwarded_for delete

request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all

delay_pools 15
#Limitar Youtube
delay_class 1 2
delay_parameters 1 2000000/2000000 100000/1000000
delay_access 1 allow adminis    youtube !facebook
delay_access 1 allow logistica  youtube !facebook
delay_access 1 allow institucionales youtube !facebook
delay_access 1 allow patriysumi youtube !facebook
delay_access 1 allow rrhh youtube !facebook
delay_access 1 allow proyecto youtube !facebook
delay_access 1 allow programas_y_activ youtube !facebook
delay_access 1 allow auditoria youtube !facebook
delay_access 1 allow legales youtube !facebook
delay_access 1 allow oe youtube !facebook
delay_access 1 allow proteccion youtube !facebook
delay_access 1 deny all


#Limitar Facebook
delay_class 2 2
delay_parameters 2 2000000/2000000 100000/1000000
delay_access 2 allow adminis    facebook !youtube
delay_access 2 allow logistica  facebook !youtube
delay_access 2 allow institucionales facebook !youtube
delay_access 2 allow patriysumi facebook !youtube
delay_access 2 allow rrhh facebook !youtube
delay_access 2 allow proyecto facebook !youtube
delay_access 2 allow programas_y_activ facebook !youtube
delay_access 2 allow auditoria facebook !youtube
delay_access 2 allow legales facebook !youtube
delay_access 2 allow oe facebook !youtube
delay_access 2 allow proteccion facebook !youtube
delay_access 2 deny all

#Limitar Video Streaming a 500k
delay_class 3 1
delay_parameters 3 3000000/3000000
delay_access 3 allow prensa-isla youtube !facebook
delay_access 3 deny all

#Ancho de Banda Administracion
delay_class 4 2
delay_parameters 4 1000000/1000000 350000/750000
delay_access 4 allow adminis    !youtube !facebook
delay_access 4 deny all

#Ancho de Banda Logistica
delay_class 5 2
delay_parameters 5 1000000/1000000 350000/750000
delay_access 5 allow logistica  !youtube !facebook
delay_access 5 deny all

#Ancho de Banda Institucionales
delay_class 6 2
delay_parameters 6 1000000/1000000 350000/750000
delay_access 6 allow institucionales !youtube !facebook
delay_access 6 deny all

#Ancho de Banda Patrimonio y Suministro
delay_class 7 2
delay_parameters 7 1000000/1000000 350000/750000
delay_access 7 allow patriysumi !youtube !facebook
delay_access 7 deny all

#Ancho de Banda RRHH
delay_class 8 2
delay_parameters 8 1000000/1000000 350000/750000
delay_access 8 allow rrhh !youtube !facebook
delay_access 8 deny all

#Ancho de Banda Proyecto
delay_class 9 2
delay_parameters 9 1000000/1000000 350000/750000
delay_access 9 allow proyecto !youtube !facebook
delay_access 9 deny all

#Ancho de Banda programas_y_activ
delay_class 10 2
delay_parameters 10 1000000/1000000 350000/750000
delay_access 10 allow programas_y_activ !youtube !facebook
delay_access 10 deny all

#Ancho de Banda Auditoria
delay_class 11 2
delay_parameters 11 1000000/1000000 350000/750000
delay_access 11 allow auditoria !youtube !facebook
delay_access 11 deny all

#Ancho de Banda Legales
delay_class 12 2
delay_parameters 12 1000000/1000000 350000/750000
delay_access 12 allow legales !youtube !facebook
delay_access 12 deny all

#Ancho de Banda Proteccion
delay_class 13 2
delay_parameters 13 1000000/1000000 350000/750000
delay_access 13 allow proteccion !youtube !facebook
delay_access 13 deny all

#Ancho de Banda prensa-isla
delay_class 14 2
delay_parameters 14 2000000/2000000 512000/2000000
delay_access 14 allow prensa-isla !youtube !facebook
delay_access 14 deny all

#Ancho de Banda OE
delay_class 15 2
delay_parameters 15 1000000/1000000 350000/750000
delay_access 15 allow oe !youtube !facebook
delay_access 15 deny all

               
dns_nameservers 192.168.1.222 192.168.1.107
visible_hostname squid.mydomain.lan

# try connecting to first 25 ips of a domain name
forward_max_tries 25

dns_v4_first on



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Block some web to a group of ip and allow the rest.

Amos Jeffries
Administrator
On 24/02/18 04:45, erdosain9 wrote:

> Hi to all.
> Im trying to block some web to a ip group.
>
> [root@squid ips]# cat i-restringidos.lst
> 192.168.1.42
> 192.168.1.43
> 192.168.1.44
> 192.168.1.45
> 192.168.1.99
> 192.168.1.50
> 192.168.1.128
>
> This same ip group has access to all internet.
> [root@squid ips]# cat prensa_isla.lst
> 192.168.1.42
> 192.168.1.43
> 192.168.1.44
> 192.168.1.45
> 192.168.1.99
> 192.168.1.50
> 192.168.1.128

If they are really the same, then it is better to use one ACL name
instead of two like that.

Using one will help you see more clearly what your config is actually
doing for those IPs, and also make it impossible to accidentally
configure something that can never happen.
 Like "i-restringidos !prensa_isla".


>
> This is what i want to block
> [root@squid listas]# cat restringidos.lst
> .whatsapp.com
> .facebook.com
> .instagram.com
> .twitter.com
>
>
> (so i have this 2 acl whit the same ip, one for deny, the other to allow.
>
> So this is my config... and it's not working. Some help?? Thanks!
>

That is a very complicated setup you have. Below are some
simplifications you can make to shorten it and make it easier to read
what is going on...

>
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> http_access deny i-restringidos restringidos

The above line does exactly what you are asking for.

The only problem that could happen is that the clients in i-restringidos
are not doing what you think they are.

Perhapse they are actually:

 a) not using your proxy to contact those sites,

and/or

 b) using a protocol that skips through the proxy.

   For example; Using SPDY, QUICK, WebSockets etc. instead of HTTP.

and/or,


 c) using a domain name (or raw IP address) not on your list.

   For example most of Facebook traffic usually comes from fbcdn.net,
"Facebook.com" is just the brand name and front page(s).


> http_access allow prensa-isla
> http_access allow red6
> http_access allow red2

All the below lines have !dominios_denegados. So you can add this here:

  http_access deny dominios_denegados

... then remove all the "!dominios_denegados".


> http_access allow logistica !multimedia !peligrosos
> http_access allow adminis

All the below lines have "!peligrosos". So you can do the same again:

  http_access deny peligrosos


And again with !multimedia; ...

  http_access deny multimedia

.. leaving the remainder looking like this:

 http_access allow institucionales
 http_access allow patriysumi
 http_access allow proyecto
 http_access allow rrhh
 http_access allow programas_y_activ
 http_access allow auditoria
 http_access allow legales
 http_access allow proteccion
 http_access allow oe
 http_access deny all


>
> refresh_pattern -i \.jpg$ 30 0% 30 ignore-no-cache ignore-no-store
> ignore-private

The ignore-no-cache parameter no longer exists. Please remove.


>
> request_header_access From deny all
> request_header_access Server deny all
> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all

The Server, X-Cache, X-Cache-Lookup headers are not request headers.
Those lines are pointless.

The Proxy-Connection header is obsolete and automatically stripped by
all current Squid. No need to do anything for it either.

The Keep-Alive header is hop-by-hop ad stripped by Squid without havign
anyeffect.

The Pragma header is mandatory for HTTP proxies to ignore except in the
rare case of "Pragma:no-cache". Current Squid are HTTP/1.1 so even that
is even more rarely mattering. ALmost all traffic will ignore this header.
 Also, these directives do not in any way affect how your Squid
interprets those headers. All it does is erase them from traffic going
to servers. Which in the case of Pragma is mandatory to pass on exactly
as received. Right now you are breaking all HTTP/1.0 caches across the
Internet between your proxy and the origin server.


>
> delay_pools 15
> #Limitar Youtube
> delay_class 1 2
> delay_parameters 1 2000000/2000000 100000/1000000

Two things about these delay rules:

 1) Youtube and Facebook are different companies and services. So
traffic going to YouTube cannot simlultaneously be going to Facebook.
That makes the Facebook part of the check pointless.


2) All of the below lines have "youtube !facebook". Like with
http_access simplification you can make these rules vastly simpler by
checking for the forbidden property and rejecting based on that before
any allow rules.

So, combining the two details mentioned above. You can make this your
first rule:

  delay_access 1 deny !youtube

... then remove the "youtube !facebook" part from all the below lines:

> delay_access 1 allow adminis    youtube !facebook
> delay_access 1 allow logistica  youtube !facebook
> delay_access 1 allow institucionales youtube !facebook
> delay_access 1 allow patriysumi youtube !facebook
> delay_access 1 allow rrhh youtube !facebook
> delay_access 1 allow proyecto youtube !facebook
> delay_access 1 allow programas_y_activ youtube !facebook
> delay_access 1 allow auditoria youtube !facebook
> delay_access 1 allow legales youtube !facebook
> delay_access 1 allow oe youtube !facebook
> delay_access 1 allow proteccion youtube !facebook
> delay_access 1 deny all

Then you get to decide, are there any clients allowed to use the proxy
which are not in those allow rules?

If the answer is yes, you can replace all of those allow lines with
"allow all" and remove the "deny all" line.


>
> #Limitar Facebook
> delay_class 2 2
> delay_parameters 2 2000000/2000000 100000/1000000
> delay_access 2 allow adminis    facebook !youtube
> delay_access 2 allow logistica  facebook !youtube
> delay_access 2 allow institucionales facebook !youtube
> delay_access 2 allow patriysumi facebook !youtube
> delay_access 2 allow rrhh facebook !youtube
> delay_access 2 allow proyecto facebook !youtube
> delay_access 2 allow programas_y_activ facebook !youtube
> delay_access 2 allow auditoria facebook !youtube
> delay_access 2 allow legales facebook !youtube
> delay_access 2 allow oe facebook !youtube
> delay_access 2 allow proteccion facebook !youtube
> delay_access 2 deny all

Same as with pool #1, but this time make your first line:

  delay_access 2 deny facebook


HTH
Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users