[buug] squid

James Howard jim at calico.homeip.net
Tue Oct 14 12:25:20 PDT 2003


John,

The default squid.conf file is very well commented. Check out the tagged
acl section for the conventions allowed for host specification. Note, IPs
and networks need to be specified with a subnet mask (either long or short form
will do). If a domain name is instead given, it will be resolved by
reverse lookup.

src and srcdomain refer to the client which makes the url request to the 
proxy server. dst and dstdomain refer to the url request itself.

acl myNet src 192.168.165.0
> fix this by adding subnet mask
acl badlist dstdomain jjdev.com
> needs leading dot assuming jjdev.com is many hosts
acl badIPs dst 66.74.136.240
> needs subnet mask

acls can be additive...

acl badguys dstdomain .doubleclick.com
acl badguys dstdomain .fastclick.com
acl badguys dst       192.168.1.0/24

all specify what "badguys" matches.

As for access...

http_access deny badlist
> requests for URLs specified in badlist will not be served, regardless of where they come from.
http_access deny badIPs
> same here.
http_access allow myNet
> allow requests from my net
http_access deny all
> deny everything that hasn't been matched...

On that last note, realize that access works on a first match basis. Once 
a match is found, we exit the chain.

-Jim

On Tue, 14 Oct 2003, johnd wrote:

> anyone familiar with squid?  I am having a hard time understanding
> how to configure it.
> 
> for one thing
> 
> the online docs say:
> ------------------------
> Example 6-8. Filtering out unwanted destination sites
> 
> acl badDomains dstdomain adomain.example
> acl badIPs dst 10.255.1.2
> http_access deny badlist
> http_access deny badIPs
> http_access allow myNet
> http_access deny all
> 
> 
> ------------------------
> 
> this seems to be a typo.  badlist is undefined.
> 
> I changed badDomains to badlist and it works...just makes me wonder.
> 
> 
> my goal is to have it so I have a list of domains that squid will proxy to
> 
> I guess I'm not understanding what an ACL is all about.
> 
> I was able to put this at the end of the default file:
> 
> acl myNet src 192.168.165.0
> acl badlist dstdomain jjdev.com
> acl badIPs dst 66.74.136.240
> http_access deny badlist
> http_access deny badIPs
> http_access allow myNet
> http_access deny all
>                         
> 
> it does the opposite of what I want kind of...It only filters domains listed.
> 
> I want to filter all and only allow listed domains.
> 
> I thought I could just flip it around to:
> 
> like allow badlist and badIPs (I'd probably change the name to good) and denyall
> 
> but it doesn't work...any ideas?
> 
> 
> 
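
The first-match behaviour described in the reply, and the "allow only listed domains" setup asked about in the quoted message, as an added example that is not part of the original thread: a small Python model of how Squid evaluates these lines (values under one acl name are ORed, acl names on one http_access line are ANDed, the first matching line decides). The /24 mask, the acl name "listed", the client and destination addresses, and the FLIPPED and ALLOW rule sets are assumptions made for illustration.

```python
import ipaddress

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split()
        if words[:1] == ["acl"]:
            # Repeating an acl name adds values to it (the "badguys" case).
            acls.setdefault(words[1], []).extend((words[2], v) for v in words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def value_matches(kind, value, req):
    if kind in ("src", "dst"):          # client address / destination address
        return ipaddress.ip_address(req[kind]) in ipaddress.ip_network(value)
    if kind == "dstdomain":             # leading dot: the domain and every host under it
        host = req["host"].lower()
        if value.startswith("."):
            return host == value[1:] or host.endswith(value)
        return host == value
    raise ValueError("acl type not modelled: " + kind)

def decide(conf, req):
    """Return the action of the first http_access line whose acls all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        # Every acl named on the line must match; within an acl, any value may.
        if all(any(value_matches(k, v, req) for k, v in acls[n]) for n in names):
            return action
    return "deny"  # not reached here: every sample rule set ends in "deny all"

def req(src, host, dst="203.0.113.10"):   # constructed sample request
    return {"src": src, "host": host, "dst": dst}

# Constructed sample rule sets sharing the same acl definitions.
ACLS = """
acl all src 0.0.0.0/0
acl myNet src 192.168.165.0/24
acl listed dstdomain .jjdev.com
"""
BLOCK = ACLS + "http_access deny listed\nhttp_access allow myNet\nhttp_access deny all\n"
FLIPPED = ACLS + "http_access allow listed\nhttp_access allow myNet\nhttp_access deny all\n"
ALLOW = ACLS + "http_access allow myNet listed\nhttp_access deny all\n"

if __name__ == "__main__":
    for name, conf in (("BLOCK", BLOCK), ("FLIPPED", FLIPPED), ("ALLOW", ALLOW)):
        for src in ("192.168.165.7", "10.9.9.9"):
            print(name, src, [decide(conf, req(src, h)) for h in ("www.jjdev.com", "example.org")])
```

In this model FLIPPED is not an allowlist: the separate "allow myNet" line still lets inside clients reach any domain, and "allow listed" serves the listed domain to clients outside myNet. ALLOW puts both acls on one line, so only myNet clients requesting the listed domain get through.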



