Squid Whitelist Issue

  • Hello,

    I am using Squid 2.7.9 pkg v.4.3.3 with SquidGuard 1.4_4 pkg v1.9.5 on a VMware ESXi test environment. I am having trouble getting anything in the Access Control list to work.

    For starters, I had trouble getting the proxy to work at all when I was specifying my subnet in the Allowed Subnets section. I had to check the option to allow all subnets connected to the interface in the General tab to get the proxy to work (the "Allow users on interface" option). Shouldn't I be able to leave that unchecked and simply specify my subnet in the Access Control "Allowed Subnets" list? I listed the subnet as a CIDR range (172.16.123.0/24). I also tried 172.16.0.0/16. This one isn't too important, as allowing all subnets using the LAN interface is fine with me; however, eventually I may want to change this. It gives me the impression that something isn't working / set up properly.

    Second (this is the one that I'm worried about): I can't get the Whitelist to work in the Access Control section. For example, on my SquidGuard filter I denied the category "blk_BL_finance_insurance". I then navigated to esurance.com and my block page came up (great, the filter is working!). Next, I decided to leave finance_insurance blocked, but whitelist esurance.com. This will be a common task one of our help desk technicians will perform if I end up setting this up in a production environment. After adding esurance.com to the whitelist I navigated to esurance.com and the page was still blocked. Interestingly enough, the favicon came through. So the whitelist worked for the favicon, but not for the rest of the site. I thought maybe esurance.com was redirecting to some other domain, so I tried with another site. I blocked the category webmail, then navigated to hotmail.com and the site was blocked (great, the filter works again!). Next, I whitelisted hotmail.com and tried again. Again, the favicon came through, but the site was blocked. I cleared my browser cache to be sure and tried adding multiple variants of the domain name to the whitelist as well (e.g. http://domain.com, www.domain.com, *.domain.com, etc.). The same result was produced each time.

    Has anybody else come across this? One thing I noticed is that each of these sites forwards you to an HTTPS site. I also noticed that the filter is not blocking ANY HTTPS sites. This is something I will need to work on as well, but I haven't even started looking into that, as I wanted to make sure I got the whitelist / blacklist working properly first. I turned up the logging, and these are some of the logs I get from the proxy when navigating to these sites:

    2013/08/10 23:44:34| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:34| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:34| aclMatchAclList: returning 1
    2013/08/10 23:44:34| aclCheck: checking 'http_reply_access allow all'
    2013/08/10 23:44:34| aclMatchAclList: checking all
    2013/08/10 23:44:34| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:34| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:34| aclMatchAclList: returning 1
    2013/08/10 23:44:34| aclCheck: match found, returning 1
    2013/08/10 23:44:34| aclCheckCallback: answer=1
    2013/08/10 23:44:34| The reply for GET http://blocked.domain.net/block.php?url=403%20Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/ is ALLOWED, because it matched 'all'
    2013/08/10 23:44:35| aclCheckFast: list: 0x80122d898
    2013/08/10 23:44:35| aclMatchAclList: checking all
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:35| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheck: checking 'http_access allow manager localhost'
    2013/08/10 23:44:35| aclMatchAclList: checking manager
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl manager proto cache_object'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access deny manager'
    2013/08/10 23:44:35| aclMatchAclList: checking manager
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl manager proto cache_object'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access allow purge localhost'
    2013/08/10 23:44:35| aclMatchAclList: checking purge
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl purge method PURGE'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access deny purge'
    2013/08/10 23:44:35| aclMatchAclList: checking purge
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl purge method PURGE'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access deny !safeports'
    2013/08/10 23:44:35| aclMatchAclList: checking !safeports
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 4435 3128 1025-65535 '
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access deny CONNECT !sslports'
    2013/08/10 23:44:35| aclMatchAclList: checking connect
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl connect method CONNECT'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access allow localhost'
    2013/08/10 23:44:35| aclMatchAclList: checking localhost
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
    2013/08/10 23:44:35| aclMatchIp: '172.16.123.14' NOT found
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclCheck: checking 'http_access allow whitelist'
    2013/08/10 23:44:35| aclMatchAclList: checking whitelist
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"'
    2013/08/10 23:44:35| aclMatchRegex: checking 'hotmail.com'
    2013/08/10 23:44:35| aclMatchRegex: looking for 'esurance.com'
    2013/08/10 23:44:35| aclMatchRegex: looking for 'hotmail.com'
    2013/08/10 23:44:35| aclMatchRegex: match 'hotmail.com' found in 'hotmail.com'
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheck: match found, returning 1
    2013/08/10 23:44:35| aclCheckCallback: answer=1
    2013/08/10 23:44:35| The request GET http://hotmail.com/favicon.ico is ALLOWED, because it matched 'whitelist'
    2013/08/10 23:44:35| aclCheck: checking 'cache deny dynamic'
    2013/08/10 23:44:35| aclMatchAclList: checking dynamic
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl dynamic urlpath_regex cgi-bin \?'
    2013/08/10 23:44:35| aclMatchRegex: checking '/block.php?url=403 Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico'
    2013/08/10 23:44:35| aclMatchRegex: looking for 'cgi-bin'
    2013/08/10 23:44:35| aclMatchRegex: looking for '\?'
    2013/08/10 23:44:35| aclMatchRegex: match '\?' found in '/block.php?url=403 Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico'
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheck: match found, returning 0
    2013/08/10 23:44:35| aclCheckCallback: answer=0
    2013/08/10 23:44:35| aclCheckFast: list: 0x80122d998
    2013/08/10 23:44:35| aclMatchAclList: checking throttle_exts
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"'
    2013/08/10 23:44:35| aclMatchRegex: checking '/block.php?url=403 Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico'
    2013/08/10 23:44:35| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:35| aclMatchAclList: checking all
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:35| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheckFast: list: 0x0
    2013/08/10 23:44:35| aclCheckFast: no matches, returning: 1
    2013/08/10 23:44:35| aclCheckFast: list: 0x80122d418
    2013/08/10 23:44:35| aclMatchAclList: checking all
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:35| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheck: checking 'http_reply_access allow all'
    2013/08/10 23:44:35| aclMatchAclList: checking all
    2013/08/10 23:44:35| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:35| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:35| aclMatchAclList: returning 1
    2013/08/10 23:44:35| aclCheck: match found, returning 1
    2013/08/10 23:44:35| aclCheckCallback: answer=1
    2013/08/10 23:44:35| The reply for GET http://blocked.domain.net/block.php?url=403%20Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_webmail&u=http://hotmail.com/favicon.ico is ALLOWED, because it matched 'all'
    2013/08/10 23:44:37| aclCheckFast: list: 0x80122d898
    2013/08/10 23:44:37| aclMatchAclList: checking all
    2013/08/10 23:44:37| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
    2013/08/10 23:44:37| aclMatchIp: '172.16.123.14' found
    2013/08/10 23:44:37| aclMatchAclList: returning 1
    2013/08/10 23:44:38| aclCheck: checking 'http_access allow manager localhost'
    2013/08/10 23:44:38| aclMatchAclList: checking manager
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl manager proto cache_object'
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access deny manager'
    2013/08/10 23:44:38| aclMatchAclList: checking manager
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl manager proto cache_object'
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access allow purge localhost'
    2013/08/10 23:44:38| aclMatchAclList: checking purge
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl purge method PURGE'
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access deny purge'
    2013/08/10 23:44:38| aclMatchAclList: checking purge
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl purge method PURGE'
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access deny !safeports'
    2013/08/10 23:44:38| aclMatchAclList: checking !safeports
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 4435 3128 1025-65535 '
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access deny CONNECT !sslports'
    2013/08/10 23:44:38| aclMatchAclList: checking connect
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl connect method CONNECT'
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access allow localhost'
    2013/08/10 23:44:38| aclMatchAclList: checking localhost
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
    2013/08/10 23:44:38| aclMatchIp: '172.16.123.14' NOT found
    2013/08/10 23:44:38| aclMatchAclList: no match, returning 0
    2013/08/10 23:44:38| aclCheck: checking 'http_access allow whitelist'
    2013/08/10 23:44:38| aclMatchAclList: checking whitelist
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"'
    2013/08/10 23:44:38| aclMatchRegex: checking 'esurance.com'
    2013/08/10 23:44:38| aclMatchRegex: looking for 'esurance.com'
    2013/08/10 23:44:38| aclMatchRegex: match 'esurance.com' found in 'esurance.com'
    2013/08/10 23:44:38| aclMatchAclList: returning 1
    2013/08/10 23:44:38| aclCheck: match found, returning 1
    2013/08/10 23:44:38| aclCheckCallback: answer=1
    2013/08/10 23:44:38| The request GET http://esurance.com/ is ALLOWED, because it matched 'whitelist'
    2013/08/10 23:44:38| aclCheck: checking 'cache deny dynamic'
    2013/08/10 23:44:38| aclMatchAclList: checking dynamic
    2013/08/10 23:44:38| aclMatchAcl: checking 'acl dynamic urlpath_regex cgi-bin \?'
    2013/08/10 23:44:38| aclMatchRegex: checking '/block.php?url=403 Blocked&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_finance_insurance&u=http://esurance.com/&a=172.16.123.14&n=&i=&s=TS_BLOCK_LIST&t=blk_BL_finance_insurance&u=http://esurance.com/'
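
An added example (editor's code, not from the thread and not pfSense, Squid or SquidGuard code) that models what the debug log above records. Squid's `http_access allow whitelist` line is the first match, so the request is logged as ALLOWED, and only afterwards does the url_rewrite_program (SquidGuard here) replace the URL, which is why the following `cache deny dynamic` check is already looking at `/block.php?...`. The model also shows a caveat of a `dstdom_regex` whitelist file: each line is an unanchored regular expression, so `hotmail.com` also matches `hotmail.com.attacker.example` and `myhotmail.com`; Squid's `dstdomain` type with a leading dot is the anchored alternative. The ACL names other than those in the log, the `lan` subnet, the simplified SquidGuard stand-in and the attacker domains are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACL table constructed to mirror the ACLs visible in the cache.log above.
# Every line of a dstdom_regex file is an UNANCHORED regex, so "hotmail.com"
# also matches "hotmail.com.attacker.example" and "myhotmail.com" (and the
# unescaped "." matches any character).
ACLS = {
    "all":       ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "lan":       ("src", ["172.16.123.0/24"]),          # assumed: the poster's subnet
    "whitelist": ("dstdom_regex", ["esurance.com", "hotmail.com"]),
    # Anchored alternative (acl name dstdomain .example.com): a leading dot
    # means the domain and all its subdomains, no dot means exact match only.
    "whitelist_dstdomain": ("dstdomain", [".esurance.com", ".hotmail.com"]),
}

def match_acl(name, req):
    """Evaluate one ACL against a request dict {src, host, url}."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    host = req["host"].lower().rstrip(".")
    if kind == "dstdom_regex":
        return any(re.search(v, host, re.IGNORECASE) for v in values)
    if kind == "dstdomain":
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, req):
    """Squid semantics: the first matching line wins; if nothing matches,
    the result is the opposite of the last line's action."""
    for action, acl_names in rules:
        if all(match_acl(n.lstrip("!"), req) != n.startswith("!") for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

BLOCK_PAGE = "http://blocked.domain.net/block.php"

def squidguard_rewrite(url, blocked, sg_whitelist=()):
    """Simplified stand-in for the url_rewrite_program (assumption: a real
    SquidGuard consults its own dest lists in its own order and never sees
    Squid's http_access ACLs).  Returns the URL Squid will actually fetch."""
    host = urlsplit(url).hostname.lower()
    def in_list(domains):
        return any(host == d or host.endswith("." + d) for d in domains)
    if in_list(sg_whitelist):          # SquidGuard's own exemption list wins
        return url
    for category, domains in blocked.items():
        if in_list(domains):
            return f"{BLOCK_PAGE}?url=403%20Blocked&t={category}&u={url}"
    return url

def handle(req, rules, blocked, sg_whitelist=()):
    """Same order as the log: http_access first, then the rewrite program."""
    if http_access(rules, req) == "deny":
        return ("deny", None)
    return ("allow", squidguard_rewrite(req["url"], blocked, sg_whitelist))

def make_req(url, src="172.16.123.14"):
    return {"src": src, "host": urlsplit(url).hostname, "url": url}

# Constructed rule sets.  RULES follows the order seen in the log; the two
# STRICT sets model a whitelist-only proxy with and without anchoring.
RULES = [("allow", ["localhost"]), ("allow", ["whitelist"]), ("allow", ["lan"]), ("deny", ["all"])]
RULES_STRICT = [("allow", ["whitelist"]), ("deny", ["all"])]
RULES_ANCHORED = [("allow", ["whitelist_dstdomain"]), ("deny", ["all"])]
BLOCKED = {"blk_BL_webmail": ["hotmail.com"], "blk_BL_finance_insurance": ["esurance.com"]}

if __name__ == "__main__":
    # http_access says ALLOWED (matched 'whitelist'), yet the fetched URL is the block page
    print(handle(make_req("http://hotmail.com/"), RULES, BLOCKED))
    # the same request with the domain in SquidGuard's own whitelist goes through unchanged
    print(handle(make_req("http://hotmail.com/"), RULES, BLOCKED, sg_whitelist=["hotmail.com"]))
    for url in ("http://hotmail.com.attacker.example/", "http://myhotmail.com/", "http://mail.hotmail.com/"):
        print(url, http_access(RULES_STRICT, make_req(url)), http_access(RULES_ANCHORED, make_req(url)))
```

The practical consequences: a domain that must bypass a SquidGuard category has to be exempted on the SquidGuard side, because Squid's `http_access` whitelist is consulted before the rewrite program and cannot undo its redirect; and if `whitelist.acl` stays a `dstdom_regex` file, anchor each entry (for example `^(.*\.)?hotmail\.com$`) or switch the ACL to `dstdomain`, otherwise any host that merely contains the string is whitelisted too.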


  • Anybody? I started playing around with Untangle and finally got it working. I like it, but the block page is proving harder than I thought to customize. They want you to pay for branding, and the block page is overwritten with each update to Untangle. I also tried moving to Squid 3 and Squid 3 dev for HTTPS filtering, but I couldn't even get the services to start. I didn't play around with it too much, because I wasn't liking the idea of using beta software in production anyway, and I took the services not starting as a sign that I should move on to a stable solution.

