Squid Proxy not blocking websites


Squid Proxy not blocking websites

Arjun K
Hi All

Below is the configuration defined on the proxy server.
The issue is that the proxy is not blocking the websites listed in a file named denylist.txt.
Kindly let me know what needs to be changed to block those websites.



####IP Ranges allowed to use proxy
acl localnet src 10.196.0.0/16
acl localnet src 10.197.0.0/16
acl localnet src 10.198.0.0/16
acl localnet src 10.199.0.0/16
acl localnet src 10.200.0.0/16

####Allowed and Denied URLs
acl allowedurl dstdomain /etc/squid/allowed_url.txt
acl denylist dstdomain /etc/squid/denylist.txt

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain eu.vortex-win.data.microsoft.com
acl windowsupdate dstdomain eu-v20.events.data.microsoft.com
acl windowsupdate dstdomain usseu1northprod.blob.core.windows.net
acl windowsupdate dstdomain usseu1westprod.blob.core.windows.net
acl windowsupdate dstdomain winatp-gw-neu.microsoft.com
acl windowsupdate dstdomain winatp-gw-weu.microsoft.com
acl windowsupdate dstdomain wseu1northprod.blob.core.windows.net
acl windowsupdate dstdomain wseu1westprod.blob.core.windows.net
acl windowsupdate dstdomain automatedirstrprdweu.blob.core.windows.net
acl windowsupdate dstdomain automatedirstrprdneu.blob.core.windows.net
acl windowsupdate dstdomain play.google.com
acl windowsupdate dstdomain go.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

http_access allow allowedurl
http_access deny denylist
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access deny manager
http_access deny !Safe_ports
http_access deny all

http_port 8080

cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims




Regards
Arjun K.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid Proxy not blocking websites

Arjun K
Hi All

Can anyone help with the issue below?
I tried changing the order of the deny and allow ACLs, but it did not yield any result.

Regards
Arjun K


On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <[hidden email]> wrote:



Re: Squid Proxy not blocking websites

Amos Jeffries
On 6/05/20 12:58 am, Arjun K wrote:
> Hi All
>
> Can anyone help with the issue below?
> I tried changing the order of the deny and allow ACLs, but it did not yield
> any result.
>

What is the contents of the denylist.txt file?

This usually happens when things in there are not the right dstdomain
syntax.





> Regards
> Arjun K
>
>
> On Sunday, 3 May, 2020, 05:21:02 pm IST, Arjun K <[hidden email]>
> wrote:
>
>
> Hi All
>
> The below is the configuration defined in the proxy server.
> The issue is that the proxy is not blocking the websites mentioned in a
> file named denylist.txt.
> Kindly let me know what needs to be changed to block the websites.
>
>
>
> ####IP Ranges allowed to use proxy
> acl localnet src 10.196.0.0/16
> acl localnet src 10.197.0.0/16
> acl localnet src 10.198.0.0/16
> acl localnet src 10.199.0.0/16
> acl localnet src 10.200.0.0/16

These can be simplified:

 acl localnet src 10.196.0.0-10.200.0.0/16


>
> ####Allowed and Denied URLs
> acl allowedurl dstdomain /etc/squid/allowed_url.txt

dstdomain and URL are different things. The name of this ACL is deceptive.

> acl denylist dstdomain /etc/squid/denylist.txt
>
...

You are missing the DoS protection checks:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

All custom rules should follow those.


> http_access allow CONNECT wuCONNECT localnet
> http_access allow windowsupdate localnet
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
>
> http_access allow allowedurl
> http_access deny denylist
> http_access allow localhost manager
> http_access allow localhost
> http_access allow localnet
> http_access deny manager
> http_access deny !Safe_ports

The manager and Safe_ports checks are useless down here. Their entire
purpose is to prevent unauthorized access to dangerous protocols and the
security-sensitive proxy management API.


> http_access deny all
>
...
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320

No refresh_pattern following this line will ever match. The "." pattern
matches every URL possible. Order is important.

> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
>


Amos
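To make the ordering point concrete, here is an added example (my own toy model, not Squid's code and not from this thread) of how Squid evaluates http_access: lines are walked top to bottom and the first line whose ACLs all match decides the request; if no line matches, the default is the opposite of the last line's action. Only the src, port and method ACLs from the posted config are modelled. SSL_ports is assumed to be the default squid.conf definition (port 443), since the posted config never defines it; the sample requests are constructed.

```python
"""Toy model of Squid http_access evaluation (added illustration, not
Squid's code). Squid walks the http_access lines top to bottom and the
first line whose ACLs ALL match decides the request; if no line
matches, the default is the opposite of the last line's action.
Only src, port and method ACLs are modelled here."""
import ipaddress

# ACLs taken from the posted squid.conf. SSL_ports is not in the posted
# config; its value (443) is the one from the default squid.conf
# (assumption stated in the lead-in).
ACLS = {
    "localnet": ("src", ["10.196.0.0/16", "10.197.0.0/16", "10.198.0.0/16",
                         "10.199.0.0/16", "10.200.0.0/16"]),
    "Safe_ports": ("port", [80, 443]),
    "SSL_ports": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("src", ["0.0.0.0/0"]),
}

# Posted order, reduced to the lines relevant here: localnet is allowed
# before the Safe_ports check ever runs.
POSTED_RULES = [
    ("allow", ["localnet"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["all"]),
]

# Recommended order: port/protocol protection first, custom rules after.
FIXED_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localnet"]),
    ("deny", ["all"]),
]


def acl_matches(name, request):
    """Evaluate one ACL reference such as 'localnet' or '!Safe_ports'."""
    negate = name.startswith("!")
    kind, values = ACLS[name.lstrip("!")]
    if kind == "src":
        src = ipaddress.ip_address(request["src"])
        hit = any(src in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = request["port"] in values
    else:  # method
        hit = request["method"] in values
    return hit != negate


def http_access(rules, request):
    """Return 'allow' or 'deny' for a request dict with src, port, method."""
    for action, acl_names in rules:
        if all(acl_matches(n, request) for n in acl_names):
            return action
    # No line matched: Squid uses the opposite of the last line's action.
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


if __name__ == "__main__":
    # Constructed requests: an internal client tunnelling to an SMTP port,
    # and the same client doing an ordinary CONNECT to 443.
    smtp_tunnel = {"src": "10.197.1.5", "port": 25, "method": "CONNECT"}
    https = {"src": "10.197.1.5", "port": 443, "method": "CONNECT"}
    for label, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(label, "CONNECT :25 ->", http_access(rules, smtp_tunnel),
              "| CONNECT :443 ->", http_access(rules, https))
```

With the posted order a client in localnet is allowed to CONNECT to port 25 (or any other port), because `allow localnet` matches before `deny !Safe_ports` is ever reached; with the port checks moved to the top the same tunnel is refused before any custom rule runs, while an ordinary CONNECT to 443 still passes.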

Re: Squid Proxy not blocking websites

Arjun K
Hi Amos

Thanks for your response and suggestions; I will incorporate your inputs into the configuration.
Please find below the contents of the denylist, as I am unable to attach it as a document due to restrictions.

.hotmail.com
*.appex-rf.msn.com
*.itunes.apple.com
auth.gfx.ms
broadcast.skype.com
c.bing.com
c.live.com
cl2.apple.com
client.hip.live.com
d.docs.live.net
directory.services.live.com
docs.live.net
en-us.appex-rf.msn.com
foodanddrink.services.appex.bing.com
login.live.com
mail.google.com
ms.tific.com
odcsm.officeapps.live.com
officeimg.vo.msecnd.net
outlook.uservoice.com
p100-sandbox.itunes.apple.com
partnerservices.getmicrosoftkey.com
protection.office.com
roaming.officeapps.live.com
sas.office.microsoft.com
sdk.hockeyapp.net
secure.meetup.com
signup.live.com
social.yahooapis.com
view.atdmt.com
watson.telemetry.microsoft.com
weather.tile.appex.bing.com
www.dropbox.com
www.googleapis.com
www.wunderlist.com
*.appex.bing.com
*.broadcast.skype.com
*.mail.protection.outlook.com
*.protection.office.com
*.protection.outlook.com
*.skype.com
*.skypeforbusiness.com
a.wunderlist.com
account.live.com
accounts.google.com
acompli.helpshift.com
api.diagnostics.office.com
api.dropboxapi.com
api.login.yahoo.com
api.meetup.com
app.adjust.com
app.box.com
bit.ly, www.acompli.com
by.uservoice.com
data.flurry.com
play.google.com
rink.hockeyapp.net
www.evernote.com
www.google-analytics.com
www.youtube.com
*.facebook.com
*.yahoo.com
*.msn.com
clients4.google.com
www.reddit.com




Please find my responses and queries below as well.

1. Instead of dstdomain, I tried url_regex as defined below, and even that is not blocking the sites through the proxy.
Kindly let me know how to allow and block the sites.

acl allowedurl url_regex /etc/squid/allowed_url.txt
acl denylist url_regex /etc/squid/denylist.txt

2. I have defined only two ports, 80 and 443, and removed all other ports. May I know whether the order below must be used, since you stated "All custom rules should follow those"? Kindly let me know whether the order below is correct or not.

http_access deny !Safe_ports
http_access deny denylist
http_access allow allowedurl
http_access allow localhost manager
http_access allow localhost
http_access allow localnet
http_access deny manager
http_access deny all


Regards
Arjun K.

On Tuesday, 5 May, 2020, 07:02:46 pm IST, Amos Jeffries <[hidden email]> wrote:



Re: Squid Proxy not blocking websites

Amos Jeffries
On 6/05/20 4:47 am, Arjun K wrote:
> Hi Amos
>
> Thanks for your response and suggestions and I will incorporate your
> inputs in the configuration.
> Please find the below contents of denylist as I am unable to attach as a
> document due to restrictions.
>
> .hotmail.com

The above is dstdomain wildcard syntax.

Below is dstdomain FQDN syntax.


> *.appex-rf.msn.com
> *.itunes.apple.com

The format is a series of domain segments/labels. They get exact-string
compared against the domain, starting at the TLD and working left.

A '.' at the start of the line means "all subdomain labels match".

See also the FAQ
<https://wiki.squid-cache.org/SquidFaq/SquidAcl#Squid_doesn.27t_match_my_subdomains>

Amos

Re: Squid Proxy not blocking websites

Amos Jeffries
On 6/05/20 10:20 pm, Arjun K wrote:
> Hi Amos
>
> Could you please share a sample configuration file containing allow and
> deny sites defined in a text file so that I can put the same format with
> my acls and validate in my environment.
>

I did in my earlier post. If you want more search the wiki for
"dstdomain" - it is used in a lot of examples.



> With respect to denylist format, can you let me know which format I
> should use for blocking in dstdomain
>
> .<website>.com     (or)
> www.website.com    (or)
> *.<website.com>
>

If you are to manage Squid without someone else doing your work for you
every time, then you need to understand the config syntax.

The only thing I can add that has not already been written is that you
consider the question:
  Have you ever seen a URL with "*" in the domain name?


Amos
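The matching rule Amos describes in his previous reply, and the three candidate formats asked about above, as an added example (my own code, not Squid's and not from this thread): a dstdomain matcher that compares labels from the TLD leftwards, treating a leading "." as "this domain and all subdomains" and anything else as an exact host name, plus a lint pass over a list file that flags entries containing "*" or "," (neither can ever appear in a real host name) and entries shadowed by a broader "." entry. The sample list is constructed from a few of the posted denylist lines plus one extra line (mail.hotmail.com) to exercise the shadowing check; the lint's treatment of "#" comments and whitespace-separated tokens is an assumption about Squid's file parsing.

```python
"""dstdomain matching and a lint pass for a dstdomain list file.
Added example, not Squid's code. Semantics modelled from Amos's reply
and the Squid FAQ: entries are compared label by label, starting at
the TLD and working left; an entry without a leading '.' must equal the
whole host name; an entry with a leading '.' matches that domain and
every subdomain of it. '*' and ',' have no special meaning, so entries
containing them can never match a real host name."""


def _labels(name):
    return name.lower().strip(".").split(".")


def dstdomain_match(entry, host):
    """True if dstdomain entry `entry` matches the request host `host`."""
    wildcard = entry.startswith(".")
    e, h = _labels(entry), _labels(host)
    if len(h) < len(e) or h[len(h) - len(e):] != e:
        return False                        # rightmost labels differ
    return len(h) == len(e) or wildcard     # exact, or a subdomain of a '.' entry


def blocked(entries, host):
    """Would an ACL built from `entries` match `host`?"""
    return any(dstdomain_match(e, host) for e in entries)


def lint_dstdomain_file(text):
    """Split a list file into usable entries and a list of (token, reason)
    problems. Assumptions about Squid's file parsing, flagged here as
    such: '#' begins a comment and whitespace separates tokens."""
    entries, problems = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        for tok in line.split():
            if "*" in tok:
                problems.append((tok, "'*' is a literal character; use a leading '.' to match subdomains"))
            elif "," in tok:
                problems.append((tok, "',' cannot appear in a host name; one entry per line"))
            else:
                entries.append(tok)
    # An entry already covered by a broader '.' entry is redundant
    # (Squid warns about such entries at startup).
    wild = [e for e in entries if e.startswith(".")]
    for e in entries:
        for w in wild:
            if e != w and dstdomain_match(w, e):
                problems.append((e, f"redundant: already covered by {w}"))
    return entries, problems


# Constructed sample: a few lines from the posted denylist plus one
# extra line (mail.hotmail.com) to show the redundancy check.
SAMPLE_DENYLIST = """\
.hotmail.com
*.facebook.com
bit.ly, www.acompli.com
login.live.com
www.reddit.com
mail.hotmail.com
"""

if __name__ == "__main__":
    entries, problems = lint_dstdomain_file(SAMPLE_DENYLIST)
    for tok, reason in problems:
        print(f"problem: {tok!r}: {reason}")
    for host in ("www.facebook.com", "calendar.hotmail.com", "hotmail.com",
                 "old.reddit.com", "www.reddit.com"):
        print(f"{host:25} blocked={blocked(entries, host)}")
```

Run against the sample, the lint reports `*.facebook.com` and `bit.ly,` as entries that can never match and `mail.hotmail.com` as already covered by `.hotmail.com`; the matcher then shows `www.facebook.com` passing straight through while `calendar.hotmail.com` and `hotmail.com` itself are caught, which is the difference between the `*.` lines and the `.` line in the posted list.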