Squid Blocking Websites In Whitelist



  • Forgive me if this issue has been posted before but I have looked just about everywhere for a solution. I have Squid and LightSquid running on a pfSense box. Both are working just fine but I have run into a strange problem where Squid is blocking access to sites like lenovo.com, java.com (cannot download java updates) and miisoftware.com (cannot process user authentication). I have added these sites to /var/squid/acl/whitelist.acl but I still find myself unable to access these sites with the proxy running. Since we use Lenovo ThinkPads in house, we cannot get updates unless the proxy is shutdown. The same thing happens when we attempt to go to javadl.sun.com to download java or the register software from miisoftware.com. In fact, with the proxy running, I cannot run nslookup to even resolve lenovo.com & javadl.sun.com. I don't have this issue on the pfSense box at home because I'm not running Squid. This is baffling as you know what. Can anyone spot what I'm doing wrong here? Thanks in advance.



  • What version of pfSense and what version of Squid?

    What message appears when Squid blocks those pages?  Presumably you've added some blacklist with those sites or default blocked all pages?



  • I'm on pfSense version 1.2.3-Release. I installed the Squid package that was included which is Squid 2.7.Stable9. I do not have a blacklist setup because I hadn't decided on doing so. I was using Squid as a transparent proxy to cache and monitor web activity basically so I could see who the YouTube & Twitter hogs were on my network so to speak. Here's my squid.conf. It was generated when I installed Squid:

    Do not edit manually !

    http_port 10.5.1.1:3128
    http_port 127.0.0.1:80 transparent
    icp_port 0

    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    icon_directory /usr/local/etc/squid/icons
    visible_hostname apexgateway
    cache_mgr it@xxxx.com
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    logfile_rotate 30
    shutdown_lifetime 3 seconds

    Allow local network(s) on interface(s)

    acl localnet src  10.5.1.0/255.255.255.0
    uri_whitespace strip

    cache_mem 512 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /var/squid/cache 8000 16 256
    minimum_object_size 0 KB
    maximum_object_size 16 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
    cache deny donotcache

    No redirector configured

    Setup some default acls

    acl all src 0.0.0.0/0.0.0.0
    acl localhost src 127.0.0.1/255.255.255.255
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535
    acl sslports port 443 563
    acl manager proto cache_object
    acl purge method PURGE
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin ?
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    cache deny dynamic
    http_access allow manager localhost

    And here is the contents of my whitelist.acl file:

    ^http://www.lenovo.com
    ^http://www.java.com
    ^http://javadl.sun.com
    ^http://www.miisoftware.com

    Thanks again.



  • Are all your systems on the 10.5.1.x/24 network?  Do any of them route in from other networks?

    Did you work through the documentation?



  • Have you edited the squid.conf manually?  If so, this could be your problem.  The squid.conf is built from squid.inc at service start.  When you use the GUI, it writes to the squid.inc file.  If you have clicked save in the GUI, it has likely overwritten your manual changes to squid.conf.



  • @Cry:

    Are all your systems on the 10.5.1.x/24 network?  Do any of them route in from other networks?

    Did you work through the documentation?

    Question One: Yes, Squid is only running on the site that has the 10.5.1.x/24 network. The pfSense box at my satellite office which is on another subnet is not running Squid.

    Question Two: Yes, that's how I was able to get Squid up and running initially. It's definitely working but the whitelist.acl is being ignored. I literally have to shut Squid down to access these sites.


Locked