deny_info

deny_info

Vieri
Hi,

I'm trying to figure out how to correctly handle ERROR pages (or deny pages) in one particular case.

An HTTP client is trying to access a website as https://example.org/.

I'm getting the following info in cache.log:

2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(721) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is DENIED, because it matched denied_restricted1_mimetypes_rep
2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is ALLOWED, because it matched denied_restricted1_mimetypes_rep

This is what I have in squid.conf (part of it):

external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobie_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetlling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,ovies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_welless,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesitesurlshortener,violence,warez,weapons,webphone,webradio,webtv
acl allowed_ips src "/opt/custom/proxy-settings/allowed.ips"
acl allowed_extra1_ips src "/opt/custom/proxy-settings/allowed.extra1.ips"
acl allowed_groups external nt_group "/opt/custom/proxy-settings/allowed.groups"
acl allowed_domains dstdomain "/opt/custom/proxy-settings/allowed.domains"
acl allowed_domains_filetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.filetypes"
acl allowed_domains_mimetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.mimetypes"
acl denied_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl denied_extra1_domains dstdomain -i "/opt/custom/proxy-settings/denied.extra1.domains"
acl denied_ads url_regex "/opt/custom/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/opt/custom/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_restricted1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/opt/custom/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/opt/custom/proxy-settings/allowed.restricted1.ips"
acl restricted_ips src "/opt/custom/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/opt/custom/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/opt/custom/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl denied_urlshorteners dstdomain -i "/opt/custom/proxy-settings/db/HMANshallalist/urlshortener/domains"

http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

http_access allow localnet !restricted_ips allowed_domains
http_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_domains
http_access allow restricted_ips restricted_domains
http_access deny restricted_ips

http_access deny !allowed_ips denied_urlshorteners
http_access deny CONNECT !allowed_ips denied_urlshorteners
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_urlshorteners denied_urlshorteners

http_access allow denied_restricted1_mimetypes_req allowed_restricted1_domains
http_access allow denied_restricted1_mimetypes_req allowed_restricted1_ips
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_domains
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_ips

http_access allow denied_extra1_mimetypes_req allowed_extra1_ips denied_extra1_domains
http_reply_access allow denied_extra1_mimetypes_rep allowed_extra1_ips denied_extra1_domains

http_access deny denied_restricted1_mimetypes_req
http_reply_access deny denied_restricted1_mimetypes_rep

http_access deny denied_extra1_mimetypes_req
http_reply_access deny denied_extra1_mimetypes_rep

http_access deny !allowed_ips denied_domains
http_access deny CONNECT !allowed_ips denied_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_domains denied_domains

http_access allow allowed_extra1_ips denied_extra1_domains
http_access deny denied_extra1_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_extra1_domains denied_extra1_domains

http_access deny denied_filetypes !allowed_domains_filetypes
http_reply_access deny denied_filetypes !allowed_domains_filetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_filetypes denied_filetypes

http_access deny denied_mimetypes_req !allowed_domains_mimetypes
http_reply_access deny denied_mimetypes_rep !allowed_domains_mimetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_rep

http_access allow localnet bl_lookup

----

I understand Squid accepts the REQUEST, but not the REPLY as it matches denied_restricted1_mimetypes_rep. However, I don't understand why the client browser doesn't display the deny_info page at http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes. Instead, it shows ERR_ACCESS_DENIED.

Thanks,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: deny_info

Amos Jeffries
Administrator
On 14/11/17 22:46, Vieri wrote:

> Hi,
>
> I'm trying to figure out how to correctly handle ERROR pages (or deny pages) in one particular case.
>
> An HTTP client is trying to access a website as https://example.org/.
>
> I'm getting the following info in cache.log:
>
> 2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
> 2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(721) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
> 2017/11/14 09:11:11.481 kid1| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request GET https://example.org/ is ALLOWED; last ACL checked: bl_lookup
> 2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is DENIED, because it matched denied_restricted1_mimetypes_rep
> 2017/11/14 09:11:11.591 kid1| 88,2| client_side_reply.cc(2073) processReplyAccessResult: The reply for GET https://example.org/ is ALLOWED, because it matched denied_restricted1_mimetypes_rep
>
> This is what I have in squid.conf (part of it):
>
...
> acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
...
> http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_domains
> http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_ips
>
...
> http_reply_access deny denied_restricted1_mimetypes_rep
>
...
>
> ----
>
> I understand Squid accepts the REQUEST, but not the REPLY as it matches denied_restricted1_mimetypes_rep. However, I don't understand why the client browser doesn't display the deny_info page at http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes. Instead, it shows ERR_ACCESS_DENIED.


Because there are actually no custom deny_info attached to that
"denied_restricted1_mimetypes_rep" ACL.


Amos
Re: deny_info

Vieri
________________________________
From: Amos Jeffries <[hidden email]>
>
> Because there are actually no custom deny_info attached to that
> "denied_restricted1_mimetypes_rep" ACL.


Right. I don't know how I missed that. Sorry.

Thanks again.

Vieri
Re: deny_info

Alex Rousskov
On 11/16/2017 12:52 AM, Vieri wrote:
> From: Amos Jeffries <[hidden email]>
>> Because there are actually no custom deny_info attached to that
>> "denied_restricted1_mimetypes_rep" ACL.


> Right. I don't know how I missed that. Sorry.


FWIW, I recommend avoiding "denied", "allowed", and similar prefixes in
ACL names because these prefixes clash with directive actions. ACLs
(names should) characterize transactions, not actions that Squid should
apply to those transactions. Polishing your names may simplify your
configuration, which may help avoid misconfiguration and/or confusion like

    http_access allow denied_foo

Alex.
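The two points made in this thread (Amos: the custom error page is only shown when a deny_info is bound to the ACL that actually produced the deny, which is the last ACL named on the denying http_access / http_reply_access line; Alex: ACL names carrying action words such as "denied_" or "allowed_" invite confusion) can both be checked statically before a reload. The following script is an added example written for this page; it is neither part of the thread nor a tool shipped with Squid. It parses a constructed squid.conf excerpt modelled on the configuration quoted above and reports deny rules whose last ACL has no deny_info, deny_info lines bound to undefined ACLs, and ACL names that start with an action word. The prefix list in ACTION_PREFIXES is an assumption, not something Squid defines.

```python
"""Static sanity checks for a squid.conf excerpt: deny rules lacking a deny_info,
dangling deny_info bindings, and action-style ACL names.
Added example for this page; not part of the thread and not Squid's own tooling."""

# Constructed excerpt modelled on the squid.conf quoted in the thread (not the full file).
SAMPLE_CONF = """\
acl allowed_ips src "/opt/custom/proxy-settings/allowed.ips"
acl denied_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl bl_lookup external bllookup
acl localnet src 10.0.0.0/8
http_access deny !allowed_ips denied_domains
deny_info http://proxy-server1/proxy-error/?acl=denied_domains denied_domains
http_reply_access deny denied_restricted1_mimetypes_rep
http_access allow localnet bl_lookup
"""

# Assumed list of prefixes that read as directive actions rather than transaction properties.
ACTION_PREFIXES = ("allowed", "denied", "allow", "deny", "block", "blocked")


def parse_conf(text):
    """Collect ACL definitions, deny rules and deny_info bindings from squid.conf text."""
    acls, deny_rules, deny_info = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2]  # ACL name -> ACL type
        elif directive in ("http_access", "http_reply_access") and len(parts) >= 3 and parts[1] == "deny":
            names = [p.lstrip("!") for p in parts[2:]]  # strip '!' negation, keep order
            deny_rules.append((directive, names))
        elif directive == "deny_info" and len(parts) >= 3:
            for name in parts[2:]:  # deny_info page acl [acl ...]
                deny_info[name] = parts[1]  # ACL name -> error page or URL
    return acls, deny_rules, deny_info


def deny_rules_without_deny_info(deny_rules, deny_info):
    """Deny rules whose last ACL has no deny_info bound to it.

    Squid picks the error page from the deny_info attached to the last ACL on
    the deny line that matched, so that is the name that needs a binding;
    without one the client gets the stock ERR_ACCESS_DENIED page."""
    return [(directive, names[-1]) for directive, names in deny_rules
            if names and names[-1] not in deny_info]


def action_named_acls(acls):
    """ACL names that start with an action word (the naming pattern Alex advises against)."""
    return sorted(name for name in acls if name.lower().startswith(ACTION_PREFIXES))


def dangling_deny_info(acls, deny_info):
    """deny_info lines bound to an ACL name that is never defined."""
    return sorted(name for name in deny_info if name not in acls)


def lint(text):
    """Run all three checks over one squid.conf text and return the findings."""
    acls, deny_rules, deny_info = parse_conf(text)
    return {
        "missing_deny_info": deny_rules_without_deny_info(deny_rules, deny_info),
        "action_named_acls": action_named_acls(acls),
        "dangling_deny_info": dangling_deny_info(acls, deny_info),
    }


if __name__ == "__main__":
    for key, findings in lint(SAMPLE_CONF).items():
        print(key, findings)
```

Run against the sample, the first check reports the exact situation from the thread: `http_reply_access deny denied_restricted1_mimetypes_rep` has no deny_info for `denied_restricted1_mimetypes_rep`. The check is textual only; it does not evaluate which ACLs would match a given transaction, so a rule that never fires is still reported.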