Re: [squid-users] squid with dansguardian

From: Stefano Malini <stefano.malini_at_gmail.com>
Date: Wed, 9 Oct 2013 07:55:58 +0200

Hi Dave,

So, I changed the line

http_access deny myLan

to

http_access deny myLan all.

But it's the same behavior. Squid doesn't stop.

In the log file there is 127.0.0.1 for every HTTP request. What does it mean?

2013/10/8 Dave Burkholder <dave_at_thinkwelldesigns.com>:
> There's no acl to deny in
>
> http_access deny myLan
>
>
> Try something like
>
> http_access deny myLan all
>
>
> Or you could try:
>
> acl fb dstdomain .facebook.com
> http_access deny myLan fb
>
> In your squid logs are you seeing the LAN IP address or 127.0.0.1 for every
> request? If the latter then you need the follow_x_forwarded_for that Amos
> mentioned.
>
> -Dave
>
>
>
>
> On 10/8/2013 2:13 AM, Stefano Malini wrote:
>>
>> Yes Dave,
>> in squid.conf I set
>> acl myLan src 192.168.1.0/24
>> and
>> http_access deny myLan
>>
>> to try if squid stops me, but I can browse. I don't understand why.
>>
>> My iptables rule:
>>
>> target prot opt source destination
>> REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
>>
>> Dansguardian network config.
>>
>> # the port that DansGuardian listens to.
>> filterport = 8080
>>
>> # the ip of the proxy (default is the loopback - i.e. this server)
>> proxyip = 127.0.0.1
>>
>> # the port DansGuardian connects to proxy on
>> proxyport = 3128
>>
>> Squid
>>
>> acl myLan src 192.168.1.0/24
>> and
>> http_access deny myLan
>>
>> http_port 3128
>>
>> Dansguardian runs because it stops me browsing some blocked site! I
>> have to retry other times this evening.
>>
>>
>>
>> Amos thanks, I'll try this evening, I don't know that directive.
>>
>> 2013/10/8 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>
>>> On 8/10/2013 12:58 p.m., Dave Burkholder wrote:
>>>>
>>>> No squid is not bypassed. The order flow is:
>>>>
>>>> Browser -> Dansguardian -> Squid -> Internet
>>>>
>>>> If you're wanting to limit access via squid ACLs, that's another aspect
>>>> altogether.
>>>>
>>>> acl myLan src 10.0.4.0/24
>>>>
>>>> http_access deny myLan all
>>>>
>>>>
>>>> Do you have something like that in squid.conf?
>>>
>>>
>>> Don't forget the follow_x_forwarded_for to determine what the client on
>>> the other side of DG is.
>>>
>>> follow_x_forwarded_for allow localhost
>>> follow_x_forwarded_for deny all
>>>
>>>
>>> Amos
>
>
Received on Wed Oct 09 2013 - 05:56:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 09 2013 - 12:00:05 MDT
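
Added example, not part of the original thread: the setup discussed above, before and after, showing why a `src` ACL never matches when Squid only sees DansGuardian's loopback connection. The addresses and ports are the ones posted in the thread; binding Squid to loopback and the DansGuardian `forwardedfor` line are assumptions about a same-host deployment, not settings the posters showed.

```conf
# ---- squid.conf, before (as posted in the thread) -------------------------
# Every request reaches Squid from DansGuardian on 127.0.0.1, so the
# client address Squid evaluates is 127.0.0.1 and myLan never matches.
#
#   http_port 3128
#   acl myLan src 192.168.1.0/24
#   http_access deny myLan

# ---- squid.conf, after ----------------------------------------------------
# Assumption: DansGuardian and Squid run on the same host. Listening on
# loopback only keeps LAN clients from pointing at port 3128 directly
# and skipping the filter.
http_port 127.0.0.1:3128

acl myLan src 192.168.1.0/24

# Trust X-Forwarded-For only when the TCP peer is the local DansGuardian.
# The header is client-supplied, so it must never be followed from
# arbitrary sources; the "deny all" line closes that off.
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# Both default to "on"; stated here so ACLs and access.log visibly use
# the address taken from X-Forwarded-For rather than 127.0.0.1.
acl_uses_indirect_client on
log_uses_indirect_client on

# The test rule from the thread. With the lines above it now matches
# 192.168.1.0/24 clients and blocks them; replace it with the real
# policy once the test succeeds.
http_access deny myLan

# ---- dansguardian.conf ----------------------------------------------------
# Assumption: this option is not already on. DansGuardian has to add the
# X-Forwarded-For header, otherwise Squid has nothing to follow.
#
#   filterport = 8080
#   proxyip = 127.0.0.1
#   proxyport = 3128
#   forwardedfor = on
```

After reloading both services, access.log should show 192.168.1.x addresses instead of 127.0.0.1, which confirms that the `src` ACL is now evaluated against the real client.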