Re: [squid-users] Block HTTPS website

From: Malvin Rito <mrito_at_mail.altcladding.com.ph>
Date: Fri, 20 May 2011 17:54:11 +0800

Here is my config:

# NOTE(review): http_access lines are checked top to bottom and the first one
# that matches decides the request, so the ORDER of the rules below is the
# policy. The site-specific rules (allow whitelist ... deny RestrictedHost_*)
# come before the stock manager/Safe_ports/CONNECT sanity rules further down;
# see the notes at "http_access allow whitelist" and at those sanity rules.
acl lan src 122.3.237.66 172.16.9.0/24 # Define LAN internet
# NOTE(review): 122.3.237.66 is a public (non-RFC1918) address - confirm it is a
# genuine client source that should be granted proxy access. 172.16.9.0/24 is
# already inside localnet (172.16.0.0/12) and is allowed by "http_access allow
# localnet" below, so this ACL effectively only adds the public address.
#acl lan src 172.16.18.2 172.16.0.0/16

#acl RestrictedHost_jobs src 172.16.9.80
#acl RestrictedHost_jack src 172.16.9.119
#acl RestrictedHost_esmie src 172.16.9.252
#acl RestrictedHost_grover src 172.16.9.109
#acl RestrictedHost_jay src 172.16.9.111

# Allow projectpoint.buzzsaw.com for DESIGN DEPARTMENT
# NOTE(review): BROWSING_PORT and ALLOWED_SITE are defined but not referenced
# by any http_access line in this file, so they currently have no effect.
acl BROWSING_PORT port 80
acl ALLOWED_SITE dstdomain projectpoint.buzzsaw.com

# Per-user client addresses. Each RestrictedHost_* ACL is used further down in
# an unconditional "http_access deny", i.e. it blocks that address completely
# (apart from the allow rules that precede those denies).
#Joy Team
acl RestrictedHost_jcpinto src 172.16.9.82
acl RestrictedHost_mmvillar src 172.16.9.86
acl RestrictedHost_djcarino src 172.16.9.116

#nINETH Team
acl RestrictedHost_ebinay src 172.16.9.85

#Thes Team
#acl RestrictedHost_aaquino src 172.16.9.90
acl RestrictedHost_rbasa src 172.16.9.91
acl RestrictedHost_jbadong src 172.16.9.81
acl RestrictedHost_dbalino src 172.16.9.104
#acl RestrictedHost_rfrancisco src 172.16.9.115

#Richard A. Team
#acl RestrictedHost_raraw src 172.16.9.101
acl RestrictedHost_lmusni src 172.16.9.35
# NOTE(review): 172.16.9.100 is also listed under NO_RESTRICTIONS below. Since
# "http_access deny RestrictedHost_mmendoza" is unconditional, the exemption
# never helps this host and it ends up denied; one of the two entries looks
# stale.
acl RestrictedHost_mmendoza src 172.16.9.100

#Jhun Team
acl RestrictedHost_jcruzado src 172.16.9.119
acl RestrictedHost_glustre src 172.16.9.109
acl RestrictedHost_jrmaganis src 172.16.9.111
acl RestrictedHost_earellano src 172.16.9.252
acl RestrictedHost_jmprimicias src 172.16.9.80

#Ranel Team
acl RestrictedHost_jbautista src 172.16.9.114
acl RestrictedHost_jlmallari src 172.16.9.117
acl RestrictedHost_dcuna src 172.16.9.118

#Marge Team
acl RestrictedHost_vescolano src 172.16.9.92
#acl RestrictedHost_eselda src 172.16.9.87

#Allow certain Host on denied site
# NOTE(review): these exemptions are keyed on the client IP only, so they are
# only as reliable as the address assignment on the LAN (e.g. DHCP
# reservations for the exempted machines).
acl NO_RESTRICTIONS src 172.16.9.52
acl NO_RESTRICTIONS src 172.16.9.121
acl NO_RESTRICTIONS src 172.16.9.199
acl NO_RESTRICTIONS src 172.16.9.106
acl NO_RESTRICTIONS src 172.16.9.122
acl NO_RESTRICTIONS src 172.16.9.100
acl NO_RESTRICTIONS src 172.16.9.244
acl NO_RESTRICTIONS src 172.16.9.241
acl NO_RESTRICTIONS src 172.16.9.239
acl NO_RESTRICTIONS src 172.16.9.19 # IP Address assigned to DANCE-MOTION.NET Wifi

# unblock some sites during lunch time
# NOTE(review): all three ranges start at :01, so at least the minute 00:00
# (and 12:00 / 13:00 / 23:59 as well, if the end minute is exclusive) is
# matched by none of them. In such a minute no BadSites rule applies and the
# request falls through to "allow lan". Verify the boundary handling of the
# time ACL in your Squid version and close the gaps.
acl LUNCHTIME time MTWHFSA 12:01-13:00
acl OFFICEHOUR1 time MTWHFSA 13:01-23:59
acl OFFICEHOUR2 time MTWHFSA 00:01-12:00

# NOTE(review): disables caching of every object. "no_cache" is the old
# spelling of the "cache" directive and is deprecated in newer Squid releases;
# confirm your version still accepts it.
no_cache deny all
acl whitelist dstdomain "/etc/squid/whitelist.acl"

#Block Files not allowed for downloading such as EXE, mp3, avi, COM,MPG,MP4, MSI, etc.
# NOTE(review): urlpath_regex is case-sensitive unless given -i (as used for
# BlockSite_ByKeyword below); a pattern written as "exe" will not match "EXE"
# and vice versa unless the file covers both spellings.
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
deny_info ERR_BLOCKED_FILES blockfiles

#Block Restricted Websites by Domain Name
# NOTE(review): dstdomain also matches the host of a CONNECT request, so this
# list does cover HTTPS sites - provided the browsers send their HTTPS traffic
# through the proxy at all. If HTTPS sites still load, check access.log for
# CONNECT entries; if there are none, HTTPS is bypassing the proxy (e.g. only
# port 80 is being intercepted) and no http_access rule can see it.
# Entries written as ".example.com" cover the domain and all its subdomains.
acl BadSites dstdomain "/etc/squid/restricted-sites.acl"
deny_info ERR_BLOCKED_SITES BadSites

#Block Restricted Websites by URL keyword
# NOTE(review): the next directive was wrapped onto two lines by the mailer; in
# squid.conf the file name must be on the same line as the acl. Also note that
# for CONNECT (HTTPS) requests the URL Squid sees is only "host:port", so
# keywords that occur in the path part of a URL cannot match HTTPS requests.
acl BlockSite_ByKeyword url_regex -i
"/etc/squid/restricted-site-keyword.acl"
deny_info ERR_BLOCKED_SITES BlockSite_ByKeyword

#Block Restricted Websites by IP Address
# NOTE(review): dstdomain compares against the host name written in the URL, so
# a file of IP addresses only matches requests that literally use the IP. To
# match by the resolved destination address use the "dst" ACL type (as
# to_localhost does below).
acl BadSitesIP dstdomain "/etc/squid/restricted-IPaddress.acl"
deny_info ERR_BLOCKED_SITES BadSitesIP

# HTTPS Sites
# NOTE(review): an unanchored dstdom_regex such as "facebook.com" matches every
# host name that merely contains that string (see the example URL in the reply
# below); a dstdomain entry ".facebook.com" matches that domain and its
# subdomains exactly.
#acl restricted_HTTPS_sites dstdom_regex -i facebook.com

# NOTE(review): this allow is the first http_access line, so a whitelisted
# domain bypasses everything that follows: the RestrictedHost_* denies, the
# TOR_PORT/Safe_ports checks and "deny CONNECT !SSL_ports" (a CONNECT to a
# whitelisted host on any port is permitted). Moving the stock sanity rules
# (manager, Safe_ports, CONNECT) above this line keeps them effective for
# every request.
http_access allow whitelist
http_access deny blockfiles !NO_RESTRICTIONS
http_access deny BadSites OFFICEHOUR1 !NO_RESTRICTIONS
http_access deny BadSites OFFICEHOUR2 !NO_RESTRICTIONS
#http_access deny restricted_HTTPS_sites OFFICEHOUR1
#http_access deny restricted_HTTPS_sites OFFICEHOUR2
# NOTE(review): same ordering caveat as "allow whitelist": during LUNCHTIME a
# BadSites domain is allowed before the RestrictedHost_* denies and the port
# checks are reached, so the hosts denied below also get these sites at lunch.
http_access allow BadSites LUNCHTIME !NO_RESTRICTIONS
# BadSitesIP and the keyword block apply at all times (no lunch exemption),
# unlike BadSites above.
http_access deny BadSitesIP !NO_RESTRICTIONS
http_access deny BlockSite_ByKeyword !NO_RESTRICTIONS

#http_access deny RestrictedHost_jobs
#http_access deny RestrictedHost_jack
#http_access deny RestrictedHost_esmie
#http_access deny RestrictedHost_grover

# NOTE(review): each line below denies the named host every request not
# already allowed above, i.e. these hosts lose proxy access entirely except
# for whitelisted domains and BadSites at lunch. If the intent was to limit
# them to particular sites (e.g. ALLOWED_SITE), an allow rule for those sites
# would have to precede these denies. The team headings here also differ from
# the acl section (djcarino, eselda and rfrancisco appear under other teams),
# which makes the two lists harder to keep in sync.
#Joy Team
http_access deny RestrictedHost_jcpinto
http_access deny RestrictedHost_mmvillar

#Nineth Team
http_access deny RestrictedHost_ebinay
#http_access deny RestrictedHost_eselda
http_access deny RestrictedHost_djcarino

#Thes Team
#http_access deny RestrictedHost_aaquino
http_access deny RestrictedHost_rbasa
http_access deny RestrictedHost_jbadong
http_access deny RestrictedHost_dbalino

#Raul Team
#http_access deny RestrictedHost_raraw
http_access deny RestrictedHost_lmusni
http_access deny RestrictedHost_mmendoza

#Jhun Team
http_access deny RestrictedHost_jcruzado
http_access deny RestrictedHost_glustre
http_access deny RestrictedHost_jrmaganis
http_access deny RestrictedHost_earellano
http_access deny RestrictedHost_jmprimicias

#Ranel Team
http_access deny RestrictedHost_jbautista
#http_access deny RestrictedHost_rfrancisco
http_access deny RestrictedHost_jlmallari
http_access deny RestrictedHost_dcuna

#Marge Team
http_access deny RestrictedHost_vescolano

# --------END OF ALT CLADDING, INC. ACL DEFINITION-------------------------------------------

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl TOR_PORT1 port 9001
acl TOR_PORT2 port 9030
acl TOR_PORT3 port 9051

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# NOTE(review): these sanity rules sit after the site-specific section, so a
# request already matched by "allow whitelist" or "allow BadSites LUNCHTIME"
# never reaches them. In the stock configuration they come first.
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny TOR_PORT1
http_access deny TOR_PORT2
http_access deny TOR_PORT3
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# NOTE(review): still commented out; the stock advice above is to enable it so
# that proxy clients cannot reach services bound to the proxy's loopback.
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# NOTE(review): every address in 10/8, 172.16/12 and 192.168/16 that can reach
# the proxy gets full access here; narrow localnet to the networks actually in
# use if the proxy is reachable from more than the 172.16.9.0/24 LAN.
http_access allow localnet

# And finally deny all other access to this proxy

# -----------------------------
# DEFINED FOR ALT CLADDING
http_access allow localhost
# NOTE(review): 172.16.9.0/24 is already allowed by localnet above; this line
# effectively only adds 122.3.237.66.
http_access allow lan
# -----------------------------

http_access deny all

On 5/20/2011 5:21 PM, Amos Jeffries wrote:
> On 20/05/11 21:07, Malvin Rito wrote:
>> Hi Jason,
>>
>> I tried it, but it only blocks sites using http, not https, in the URL.
>
> You keep failing to say what your config actually is. Only that the
> one way we know *does* work is not working for you. So we cannot
> really help.
>
> Details please.
>
>>
>> Regards,
>> Malvin
>>
>> On 5/20/2011 4:48 PM, Jason Doran wrote:
>>> Hi Malvin.
>>> we are blocking facebook here with dstdom_regex:
>>>
>>> acl my-desktop src 10.10.10.10/32
>>> acl facebook dstdom_regex -i facebook.com
>
> lol. Visit this URL:
>
> http://ffacefaceafacebookfacecfacegebookwfacebookacomacomwwoof.example.com/
>
>
> go ahead, try it.
>
> A working facebook block will display a page explaining that
> example.com is reserved by IANA.
>
> Hint: use dstdomain to match domain names.
> dstdom_regex is only very useful when fighting random patterned or
> multi-TLD domains.
>
> Amos
Received on Fri May 20 2011 - 09:56:03 MDT
