Squid Blocking Websites In Whitelist
-
Forgive me if this issue has been posted before but I have looked just about everywhere for a solution. I have Squid and LightSquid running on a pfSense box. Both are working just fine but I have run into a strange problem where Squid is blocking access to sites like lenovo.com, java.com (cannot download java updates) and miisoftware.com (cannot process user authentication). I have added these sites to /var/squid/acl/whitelist.acl but I still find myself unable to access these sites with the proxy running. Since we use Lenovo ThinkPads in house, we cannot get updates unless the proxy is shut down. The same thing happens when we attempt to go to javadl.sun.com to download java or the register software from miisoftware.com. In fact, with the proxy running, I cannot run nslookup to even resolve lenovo.com & javadl.sun.com. I don't have this issue on the pfSense box at home because I'm not running Squid. This is baffling as you know what. Can anyone spot what I'm doing wrong here? Thanks in advance.
-
What version of pfSense and what version of Squid?
What message appears when Squid blocks those pages? Presumably you've added some blacklist with those sites or default blocked all pages?
-
I'm on pfSense version 1.2.3-Release. I installed the Squid package that was included which is Squid 2.7.Stable9. I do not have a blacklist setup because I hadn't decided on doing so. I was using Squid as a transparent proxy to cache and monitor web activity basically so I could see who the YouTube & Twitter hogs were on my network so to speak. Here's my squid.conf. It was generated when I installed Squid:
# Do not edit manually !
http_port 10.5.1.1:3128
http_port 127.0.0.1:80 transparent
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname apexgateway
cache_mgr it@xxxx.com
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
logfile_rotate 30
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 10.5.1.0/255.255.255.0
uri_whitespace strip
cache_mem 512 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 8000 16 256
minimum_object_size 0 KB
maximum_object_size 16 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
acl donotcache dstdomain "/var/squid/acl/donotcache.acl"
cache deny donotcache
# No redirector configured
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost

And here is the contents of my whitelist.acl file:

^http://www.lenovo.com
^http://www.java.com
^http://javadl.sun.com
^http://www.miisoftware.com

Thanks again.
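As an added illustration (not code from the thread, from pfSense or from Squid), the script below models how a `dstdom_regex -i` ACL evaluates the posted whitelist.acl: Squid applies each regex to the request's destination hostname only, so an entry anchored on `^http://` can never match, while a hostname-anchored entry does. The hostname-anchored list and the sample URLs are constructed for the example; the posted squid.conf excerpt ends at `http_access allow manager localhost`, so this only models ACL matching, not which `http_access` line references `whitelist`.

```python
import re
from urllib.parse import urlsplit

# Entries exactly as posted in the thread's whitelist.acl (URL-anchored).
POSTED_WHITELIST = [
    r"^http://www.lenovo.com",
    r"^http://www.java.com",
    r"^http://javadl.sun.com",
    r"^http://www.miisoftware.com",
]

# Hostname-anchored equivalents (assumed rewrite, not from the thread):
# dstdom_regex only ever sees the destination host, so anchor on that.
DOMAIN_WHITELIST = [
    r"(^|\.)lenovo\.com$",
    r"(^|\.)java\.com$",
    r"(^|\.)sun\.com$",
    r"(^|\.)miisoftware\.com$",
]

# Constructed sample requests, including one that must stay unmatched.
SAMPLE_URLS = [
    "http://www.lenovo.com/support",
    "https://javadl.sun.com/webapps/download/",
    "http://www.miisoftware.com/auth",
    "http://www.example.com/",
]

def dstdom_regex_match(patterns, url, ignore_case=True):
    """Simplified model of Squid's `dstdom_regex -i`: each regex is
    searched against the request's destination hostname only (never
    the scheme, port or path)."""
    host = urlsplit(url).hostname or ""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, host, flags) for p in patterns)

def check(patterns, urls):
    """Map each sample URL to whether the ACL file would match it."""
    return {u: dstdom_regex_match(patterns, u) for u in urls}

def url_shaped_entries(patterns):
    """Lint: dstdom_regex entries that embed a scheme can never match."""
    return [p for p in patterns if "://" in p]

if __name__ == "__main__":
    for name, wl in (("posted", POSTED_WHITELIST), ("domain", DOMAIN_WHITELIST)):
        print(name, check(wl, SAMPLE_URLS))
    print("never-matching entries:", url_shaped_entries(POSTED_WHITELIST))
```

Running `url_shaped_entries` over a real whitelist.acl is a quick way to catch URL-style entries before reloading Squid.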
-
Are all your systems on the 10.5.1.x/24 network? Do any of them route in from other networks?
Did you work through the documentation?
-
Have you edited the squid.conf manually? If so, this could be your problem. The squid.conf is built from squid.inc at service start. When you use the GUI, it writes to the squid.inc file. If you have clicked save in the GUI, it has likely overwritten your manual changes to squid.conf.
-
@Cry:
Are all your systems on the 10.5.1.x/24 network? Do any of them route in from other networks?
Did you work through the documentation?
Question One: Yes, Squid is only running on the site that has the 10.5.1.x/24 network. The pfSense box at my satellite office which is on another subnet is not running Squid.
Question Two: Yes, that's how I was able to get Squid up and running initially. It's definitely working but the whitelist.acl is being ignored. I literally have to shut Squid down to access these sites.