acl SSL_ports port 443
acl SSL_ports port 8443
acl SSL_ports port 8080
acl SSL_ports port 20000
#acl SSL_ports port 30666
#acl SSL_ports port 31666
acl SSL_ports port 10000
acl SSL_ports port 10040 # webmin website
acl SSL_ports port 2083
acl Safe_ports port 631 # httpCUPS
acl Safe_ports port 85
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 8443 # httpsalt
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # edesur and others
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
request_header_access From deny all
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access Cache-Control deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access X-Cache-Lookup deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
Re: Block some web to a group of ip and allow the rest.
On 24/02/18 04:45, erdosain9 wrote:
> Hi to all.
> I'm trying to block some web to an IP group.
> [root@squid ips]# cat i-restringidos.lst
> This same ip group has access to all internet.
> [root@squid ips]# cat prensa_isla.lst
If they are really the same, then it is better to use one ACL name
instead of two like that.
Using one will help you see more clearly what your config is actually
doing for those IPs, and also make it impossible to accidentally
configure something that can never happen.
Like "i-restringidos !prensa_isla".
> This is what i want to block
> [root@squid listas]# cat restringidos.lst
> (so I have these 2 ACLs with the same IP, one for deny, the other to allow.
> So this is my config... and it's not working. Some help?? Thanks!
That is a very complicated setup you have. Below are some
simplifications you can make to shorten it and make it easier to read
what is going on...
The ignore-no-cache parameter no longer exists. Please remove.
> request_header_access From deny all
> request_header_access Server deny all
> request_header_access WWW-Authenticate deny all
> request_header_access Link deny all
> request_header_access Cache-Control deny all
> request_header_access Proxy-Connection deny all
> request_header_access X-Cache deny all
> request_header_access X-Cache-Lookup deny all
> request_header_access Via deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Pragma deny all
> request_header_access Keep-Alive deny all
The Server, X-Cache, X-Cache-Lookup headers are not request headers.
Those lines are pointless.
The Proxy-Connection header is obsolete and automatically stripped by
all current Squid. No need to do anything for it either.
The Keep-Alive header is hop-by-hop and stripped by Squid without having
The Pragma header is mandatory for HTTP proxies to ignore except in the
rare case of "Pragma:no-cache". Current Squid are HTTP/1.1 so even that
matters even more rarely. Almost all traffic will ignore this header.
Also, these directives do not in any way affect how your Squid
interprets those headers. All it does is erase them from traffic going
to servers. Which in the case of Pragma is mandatory to pass on exactly
as received. Right now you are breaking all HTTP/1.0 caches across the
Internet between your proxy and the origin server.
1) Youtube and Facebook are different companies and services. So
traffic going to YouTube cannot simultaneously be going to Facebook.
That makes the Facebook part of the check pointless.
2) All of the below lines have "youtube !facebook". Like with
http_access simplification you can make these rules vastly simpler by
checking for the forbidden property and rejecting based on that before
any allow rules.
So, combining the two details mentioned above. You can make this your
delay_access 1 deny !youtube
... then remove the "youtube !facebook" part from all the below lines:
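
Added example, not part of the original message and not Squid's own code: a small check that flags request_header_access rules matching the header points made earlier in this reply (Server, X-Cache and X-Cache-Lookup are not request headers; Proxy-Connection and Keep-Alive are stripped by Squid anyway; Pragma has to be passed on as received). The function name, the set names and the sample text are hypothetical and constructed from directives quoted in the thread.

```python
import re

# Header classes as stated in the reply above (lower-cased for comparison).
RESPONSE_ONLY = {"server", "x-cache", "x-cache-lookup"}  # not request headers
AUTO_STRIPPED = {"proxy-connection", "keep-alive"}       # Squid removes these itself
MUST_PASS = {"pragma"}                                   # to be passed on as received

RULE = re.compile(r"^\s*request_header_access\s+(\S+)\s+(allow|deny)\b", re.I)

# Constructed sample built from directives quoted in the thread.
SAMPLE = """\
request_header_access From deny all
request_header_access Server deny all
request_header_access Proxy-Connection deny all
request_header_access X-Cache deny all
request_header_access Via deny all
request_header_access Pragma deny all
request_header_access Keep-Alive deny all
# request_header_access X-Cache-Lookup deny all
"""


def lint_request_header_access(conf_text):
    """Return (line_no, header, finding) for each questionable rule."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore comments and commented-out rules
        m = RULE.match(line)
        if not m:
            continue
        header, action = m.group(1), m.group(2).lower()
        key = header.lower()
        if key in RESPONSE_ONLY:
            findings.append((no, header, "not a request header; rule has no effect"))
        elif key in AUTO_STRIPPED:
            findings.append((no, header, "already stripped by Squid; rule is redundant"))
        elif key in MUST_PASS and action == "deny":
            findings.append((no, header, "must be passed on as received; drop the deny"))
    return findings


if __name__ == "__main__":
    for no, header, why in lint_request_header_access(SAMPLE):
        print(f"line {no}: {header}: {why}")
```

Rules for From, Via and X-Forwarded-For are left unflagged because the reply raises no objection to them.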