I think squid whitelist is being wrongly documented or badly configured



  • The whitelist is being configured as a dstdom_regex instead of just dstdomain.

    This means the whitelist should be documented as a regular expression string, not an actual list of domains.

    If the intention is that it in fact be a simple list of domains, then the directive should be changed from dstdom_regex to dstdomain.



  • I asked for support on the squid mailing list for the correct format for dstdom_regex.

    If you want to follow it, the squid thread can be found here:
    http://www.spinics.net/lists/squid/msg83682.html

    Instead of writing the simple domain as:

    
    .neodecksoftware.com
    

    It should be written as:

    
    ^(.*\.)?neodecksoftware\.com$
    

    There are other formats but this is a one liner statement.

    If you want to use dstdomain instead of dstdom_regex, you need to do the following:
    1. create your whitelist file (ex. /var/squid/acl/preauth_sites.acl)
    2. enter the domains one per line as .domain.dom
    3. under squid General -> “Advanced Options” -> “Custom ACLs (Before Auth)” write:

    
    acl whitelistlist dstdomain "/var/squid/acl/preauth_sites.acl"
    http_access allow whitelistlist
    
    

    4. save configuration

    I use the label whitelistlist so it won't conflict with the label used for the ACLs Whitelist box, and the custom file preauth_sites.acl so it does not conflict with the one used there.

    If you use the whitelist box thinking that it uses dstdomain, it will work correctly with many domains but will fail with others, so I strongly suggest using the procedure described here.



  • I have not confirmed that this is also a problem with the blacklist box, but if you use it I strongly suggest verifying whether it is also using dstdom_regex, because it will fail to block your full list if the list is written as for dstdomain.



  • It’s not really described well (actually not at all), but it is working for me with the default configuration in the pfSense squid module:
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"

    It took me some time to figure it out.
    You need to uncheck the option “Allow Users on Interface” on the General tab and add your whitelist on the ACL one.

    For testing I allowed only “.bbc.co.uk” so I placed in ACL Whitelist line:
    .bbc.co.uk

    and tested:
    $ curl -s -w "%{http_code}\n" -x http://192.168.221.190:3128 http://www.bbc.co.uk -o /dev/null
    301
    Access allowed.

    $ curl -s -w "%{http_code}\n" -x http://192.168.221.190:3128 http://www.bbc.com -o /dev/null
    403
    Access denied.



  • @monsoft:

    It’s not really described well (actually not at all), but it is working for me with the default configuration in the pfSense squid module:
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"

    It took me some time to figure it out.
    You need to uncheck the option “Allow Users on Interface” on the General tab and add your whitelist on the ACL one.

    For testing I allowed only “.bbc.co.uk” so I placed in ACL Whitelist line:
    .bbc.co.uk

    and tested:
    $ curl -s -w "%{http_code}\n" -x http://192.168.221.190:3128 http://www.bbc.co.uk -o /dev/null
    301
    Access allowed.

    $ curl -s -w "%{http_code}\n" -x http://192.168.221.190:3128 http://www.bbc.com -o /dev/null
    403
    Access denied.

    Be careful with the list.  If you are using list style like:

    
    .bbc.co.uk
    .abc.com
    .nbc.com
    
    

    It will fail inadvertently, because that style is for the dstdomain directive, which is not the one used in the default whitelist box; that box in fact uses dstdom_regex.

    It works as a test because the regex may happen to match for some items, but eventually the regex will not match correctly if the list format is not correct.
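    To make the difference the posts above are arguing about concrete, here is an added example (my own Python, not code from this thread or from the pfSense squid package). It feeds the same dstdomain-style list to a matcher that follows dstdomain rules and to one that follows dstdom_regex rules (an unanchored regex search, case-insensitive because the pfSense ACL line passes -i), and also rewrites the list into the anchored ^(.*\.)?domain\.tld$ form that the mailing-list reply recommends. The list entries and the test hostnames are constructed for illustration; the two "example.net" hosts are names an attacker could register, and they show why a dstdomain-style entry read as a regex is not just "fails on some domains" but also lets through hosts that merely contain the whitelisted name.

```python
r"""
Added example, not code from this thread or from the pfSense squid package.

Assumed matching rules (how Squid behaves as far as I know; check the squid.conf
documentation for your version): a dstdomain entry ".example.com" matches
example.com and every subdomain, while "example.com" without the dot matches
that exact host only; dstdom_regex is an unanchored regex search over the
request host, and -i makes it case-insensitive. Entries and hostnames below
are constructed for illustration.
"""
import re

# Constructed whitelist in the one-per-line dstdomain style from the posts.
WHITELIST_DSTDOMAIN = """\
.bbc.co.uk
.abc.com
.nbc.com
"""

# Constructed hostnames. The last two are attacker-chosen names that a
# dstdomain-style entry accepts when Squid treats it as a regex.
TEST_HOSTS = [
    "www.bbc.co.uk",              # should be allowed
    "bbc.co.uk",                  # should be allowed (leading dot covers the apex)
    "www.bbc.com",                # should be denied (the 403 in the post above)
    "www.bbc.co.uk.example.net",  # must be denied: not under bbc.co.uk
    "xbbcxcoxuk.example.net",     # must be denied: '.' in the entry is a wildcard
]


def parse_list(text):
    """Non-empty, non-comment lines of a Squid ACL list file."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def dstdomain_match(entries, host):
    """dstdomain semantics: leading dot = domain plus subdomains, else exact host."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def dstdom_regex_match(entries, host, ignore_case=True):
    """dstdom_regex semantics: unanchored regex search; -i adds IGNORECASE."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(entry, host, flags) for entry in entries)


def to_anchored_regex(entry):
    """'.example.com' -> '^(.*\\.)?example\\.com$'; 'example.com' -> '^example\\.com$'."""
    if entry.startswith("."):
        return r"^(.*\.)?" + re.escape(entry[1:]) + "$"
    return "^" + re.escape(entry) + "$"


def convert_list(text):
    """Rewrite a dstdomain-style list as one anchored regex per line, ready for
    a box or file that Squid reads with dstdom_regex."""
    return "\n".join(to_anchored_regex(e) for e in parse_list(text)) + "\n"


def evaluate(list_text, hosts=TEST_HOSTS):
    """For each host: allowed under dstdomain, under the raw list read as
    dstdom_regex, and under the converted (anchored) list read as dstdom_regex."""
    entries = parse_list(list_text)
    anchored = parse_list(convert_list(list_text))
    return {
        host: {
            "dstdomain": dstdomain_match(entries, host),
            "dstdom_regex_raw": dstdom_regex_match(entries, host),
            "dstdom_regex_anchored": dstdom_regex_match(anchored, host),
        }
        for host in hosts
    }


if __name__ == "__main__":
    print(convert_list(WHITELIST_DSTDOMAIN))
    for host, verdict in evaluate(WHITELIST_DSTDOMAIN).items():
        print(f"{host:28} " + "  ".join(f"{k}={v}" for k, v in verdict.items()))
```

    Running it shows the two failure modes in one table: under the raw list read as dstdom_regex the apex "bbc.co.uk" is denied (the entry ".bbc.co.uk" needs a character in front of "bbc"), while "www.bbc.co.uk.example.net" and "xbbcxcoxuk.example.net" are allowed. The anchored conversion gives the same verdicts as dstdomain for every host, which is what the mailing-list form is for. If you keep the default whitelist box, paste the output of convert_list into it rather than the bare domains.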



  • Yes, I know that this is “dstdomain” format, but for demonstration purposes it works.
    The correct format is something like this:
    (.).yahoo.com
    .
    .yahoo.com
    .yahoo.com

    To be honest, I would prefer to have a choice in the squid module implemented in pfSense of which format of whitelist/blacklist will be used.
    On my linux squid boxes I use dstdomain everywhere.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC