From: Huzeyfe Onal (huzeyfe.onal@gmail.com)
Date: Fri 23 Sep 2005 - 11:43:48 EEST
merhaba,
kisitlamarlarda oncelik hatasi yapmissiniz.
http_access allow all satiri bundan sonra yazdiginiz diger kurallarin
calismasini engelliyor. Squid'deki acl calisma mantigi yukaridan
asagiya dogrudur yani ilk uyan kurallar calisir. Sizin kurallarinizda
da once herkese izin vermissiniz sonra bazilarina yasaklama
yapmissiniz. Yapilmasi gereken izin vereceginiz oncelikli kurallari
uste , genel kurallari daha alta yazmaktir. Yani once
http_access deny porn all
http_access allow noporno all
http_access allow torpilli all
..
yazip sonra
http_access allow all ..
23.09.2005 tarihinde ismail kayakyran <ismail@sistemdanismani.tr.tc> yazmış:
>
>
>
> -----
>
>
>
> Mrb. Arkadaşlar bir sorunum var yardımcı olursanız sevinirim.squid conf
> dosyamın bi kısmı aşağıda ama nedense black listleri görmüyor dosyaları
> doğru dizin alına koydum.
>
> ama en basit denemek için google black liste aldım olmadı :( blacklist
> kelimelerini algılamadı nerde yanlış yapıyorum suse9.3 kurulu.
>
> birde linux makinaya iki tane ethernet kartı takmam gereklimi .
>
> internete çıkacak 10 makina çin . eğer iki ethernet kartı takarsam
> yönlendrmemmi yapmam gerekli.
>
> topkapı sarayı internet güvenlik makinası için yapmaya çalışıyorum yardımcı
> olursanız seviniim..
>
>
>
> # WELCOME TO SQUID 2
>
> # ------------------
>
> #
>
> # This is the default Squid configuration file. You may wish
>
> # to look at the Squid home page (http://www.squid-cache.org/)
>
> # for the FAQ and other documentation.
>
> #
>
> # The default Squid config file shows what the defaults for
>
> # various options happen to be. If you don't need to change the
>
> # default, you shouldn't uncomment the line. Doing so may cause
>
> # run-time problems. In some cases "none" refers to no default
>
> # setting at all, while in other cases it refers to a valid
>
> # option - the comments for that keyword indicate if this is the
>
> # case.
>
> #
>
>
>
> # NETWORK OPTIONS
>
> #
> -----------------------------------------------------------------------------
>
> # TAG: http_port
>
> # Usage: port
>
> # hostname:port
>
> # 1.2.3.4:port
>
> #
>
> # The socket addresses where Squid will listen for HTTP client
>
> # requests. You may specify multiple socket addresses.
>
> # There are three forms: port alone, hostname with port, and
>
> # IP address with port. If you specify a hostname or IP
>
> # address, Squid binds the socket to that specific
>
> # address. This replaces the old 'tcp_incoming_address'
>
> # option. Most likely, you do not need to bind to a specific
>
> # address, so you can use the port number alone.
>
> #
>
> # The default port number is 3128.
>
> #
>
> # If you are running Squid in accelerator mode, you
>
> # probably want to listen on port 80 also, or instead.
>
> #
>
> # The -a command line option will override the *first* port
>
> # number listed here. That option will NOT override an IP
>
> # address, however.
>
> #
>
> # You may specify multiple socket addresses on multiple lines.
>
> #
>
> # If you run Squid on a dual-homed machine with an internal
>
> # and an external interface we recommend you to specify the
>
> # internal address:port in http_port. This way Squid will only be
>
> # visible on the internal address.
>
> #
>
> #Default:
>
> http_port 192.168.0.200 3128 8080
>
> # TAG: https_port
>
> # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
>
> #
>
> # auth_param ntlm children 5
>
> ## Default is 6 hours (360 minutes). This directive must be set
>
> # larger than negative_dns_ttl.
>
> #
>
> ## ACCESS CONTROLS
>
> #
> -----------------------------------------------------------------------------
>
> # TAG: acl
>
> # Defining an Access List
>
> #
>
> # acl aclname acltype string1 ...
>
> # acl aclname acltype "file" ...
>
> #
>
> # when using "file", the file should contain one item per line
>
> #
>
> # acltype is one of the types described below
>
> #
>
> # By default, regular expressions are CASE-SENSITIVE. To make
>
> # them case-insensitive, use the -i option.
>
> #
>
> # acl aclname src ip-address/netmask ... (clients IP address)
>
> # acl aclname src addr1-addr2/netmask ... (range of addresses)
>
> # acl aclname dst ip-address/netmask ... (URL host's IP address)
>
> # acl aclname myip ip-address/netmask ... (local socket IP address)
>
> #
>
> # acl aclname srcdomain .foo.com ... # reverse lookup, client IP
>
> # acl aclname dstdomain .foo.com ... # Destination server from URL
>
> # acl aclname srcdom_regex [-i] xxx ... # regex matching client name
>
> # acl aclname dstdom_regex [-i] xxx ... # regex matching server
>
> # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
>
> # # based URL is used. The name "none" is used if the reverse lookup
>
> # # fails.
>
> #
>
> # acl aclname time [day-abbrevs] [h1:m1-h2:m2]
>
> # day-abbrevs:
>
> # S - Sunday
>
> # M - Monday
>
> # T - Tuesday
>
> # W - Wednesday
>
> # H - Thursday
>
> # F - Friday
>
> # A - Saturday
>
> # h1:m1 must be less than h2:m2
>
> # acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
>
> # acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
>
> # acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login
> field
>
> # acl aclname port 80 70 21 ...
>
> # acl aclname port 0-1024 ... # ranges allowed
>
> # acl aclname myport 3128 ... # (local socket TCP port)
>
> # acl aclname proto HTTP FTP ...
>
> # acl aclname method GET POST ...
>
> # acl aclname browser [-i] regexp ...
>
> # # pattern match on User-Agent header (see also req_header below)
>
> # acl aclname referer_regex [-i] regexp ...
>
> # # pattern match on Referer header
>
> # # Referer is highly unreliable, so use with care
>
> # acl aclname ident username ...
>
> # acl aclname ident_regex [-i] pattern ...
>
> # # string match on ident output.
>
> # # use REQUIRED to accept any non-null ident.
>
> # acl aclname src_as number ...
>
> # acl aclname dst_as number ...
>
> # # Except for access control, AS numbers can be used for
>
> # # routing of requests to specific caches. Here's an
>
> # # example for routing all requests for AS#1241 and only
>
> # # those to mycache.mydomain.net:
>
> # # acl asexample dst_as 1241
>
> # # cache_peer_access mycache.mydomain.net allow asexample
>
> # # cache_peer_access mycache_mydomain.net deny all
>
> #
>
> # acl aclname proxy_auth username ...
>
> # acl aclname proxy_auth_regex [-i] pattern ...
>
> # # list of valid usernames
>
> # # use REQUIRED to accept any valid username.
>
> # #
>
> # # NOTE: when a Proxy-Authentication header is sent but it is not
>
> # # needed during ACL checking the username is NOT logged
>
> # # in access.log.
>
> # #
>
> # # NOTE: proxy_auth requires a EXTERNAL authentication program
>
> # # to check username/password combinations (see
>
> # # auth_param directive).
>
> # #
>
> # # WARNING: proxy_auth can't be used in a transparent proxy. It
>
> # # collides with any authentication done by origin servers. It may
>
> # # seem like it works at first, but it doesn't.
>
> #
>
> # acl aclname snmp_community string ...
>
> # # A community string to limit access to your SNMP Agent
>
> # # Example:
>
> # #
>
> # # acl snmppublic snmp_community public
>
> #
>
> # acl aclname maxconn number
>
> # # This will be matched when the client's IP address has
>
> # # more than <number> HTTP connections established.
>
> #
>
> # acl aclname max_user_ip [-s] number
>
> # # This will be matched when the user attempts to log in from more
>
> # # than <number> different ip addresses. The authenticate_ip_ttl
>
> # # parameter controls the timeout on the ip entries.
>
> # # If -s is specified the limit is strict, denying browsing
>
> # # from any further IP addresses until the ttl has expired. Without
>
> # # -s Squid will just annoy the user by "randomly" denying requests.
>
> # # (the counter is reset each time the limit is reached and a
>
> # # request is denied)
>
> # # NOTE: in acceleration mode or where there is mesh of child proxies,
>
> # # clients may appear to come from multiple addresses if they are
>
> # # going through proxy farms, so a limit of 1 may cause user problems.
>
> #
>
> # acl aclname req_mime_type mime-type1 ...
>
> # # regex match against the mime type of the request generated
>
> # # by the client. Can be used to detect file upload or some
>
> # # types HTTP tunelling requests.
>
> # # NOTE: This does NOT match the reply. You cannot use this
>
> # # to match the returned file type.
>
> #
>
> # acl aclname req_header header-name [-i] any\.regex\.here
>
> # # regex match against any of the known request headers. May be
>
> # # thought of as a superset of "browser", "referer" and "mime-type"
>
> # # acls.
>
> #
>
> # acl aclname rep_mime_type mime-type1 ...
>
> # # regex match against the mime type of the reply recieved by
>
> # # squid. Can be used to detect file download or some
>
> # # types HTTP tunelling requests.
>
> # # NOTE: This has no effect in http_access rules. It only has
>
> # # effect in rules that affect the reply data stream such as
>
> # # http_reply_access.
>
> #
>
> # acl aclname rep_header header-name [-i] any\.regex\.here
>
> # # regex match against any of the known response headers.
>
> # # Example:
>
> # #
>
> # # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
>
> #
>
> # acl acl_name external class_name [arguments...]
>
> # # external ACL lookup via a helper class defined by the
>
> # # external_acl_type directive.
>
> #
>
> #Examples:
>
> #acl myexample dst_as 1241
>
> #acl password proxy_auth REQUIRED
>
> #acl fileupload req_mime_type -i ^multipart/form-data$
>
> #acl javascript rep_mime_type -i ^application/x-javascript$
>
> #
>
> #Recommended minimum configuration:
>
> acl all src 0.0.0.0/0.0.0.0
>
> acl manager proto cache_object
>
> acl localhost src 127.0.0.1/255.255.255.255
>
> acl to_localhost dst 127.0.0.0/8
>
> acl SSL_ports port 443 563
>
> acl Safe_ports port 80 # http
>
> acl Safe_ports port 21 # ftp
>
> acl Safe_ports port 443 563 # https, snews
>
> acl Safe_ports port 70 # gopher
>
> acl Safe_ports port 210 # wais
>
> acl Safe_ports port 1025-65535 # unregistered ports
>
> acl Safe_ports port 280 # http-mgmt
>
> acl Safe_ports port 488 # gss-http
>
> acl Safe_ports port 591 # filemaker
>
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
>
> # TAG: http_access
>
> # Allowing or Denying access based on defined access lists
>
> #
>
> # Access to the HTTP port:
>
> # http_access allow|deny [!]aclname ...
>
> #
>
> # NOTE on default values:
>
> #
>
> # If there are no "access" lines present, the default is to deny
>
> # the request.
>
> #
>
> # If none of the "access" lines cause a match, the default is the
>
> # opposite of the last line in the list. If the last line was
>
> # deny, the default is allow. Conversely, if the last line
>
> # is allow, the default will be deny. For these reasons, it is a
>
> # good idea to have an "deny all" or "allow all" entry at the end
>
> # of your access lists to avoid potential confusion.
>
> #
>
> #Default:
>
> http_access allow all
>
> #
>
> #Recommended minimum configuration:
>
> #
>
> # Only allow cachemgr access from localhost
>
> http_access allow manager localhost
>
> http_access allow manager
>
> # Deny requests to unknown ports
>
> http_access allow !Safe_ports
>
> # Deny CONNECT to other than SSL ports
>
> http_access allow CONNECT !SSL_ports
>
> #
>
> # We strongly recommend the following be uncommented to protect innocent
>
> # web applications running on the proxy server who think the only
>
> # one who can access services on "localhost" is a local user
>
> #http_access deny to_localhost
>
> #
>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>
> # Example rule allowing access from your local networks. Adapt
>
> # to list your (internal) IP networks from where browsing should
>
> # be allowed
>
> acl our_networks src 192.168.1.0/24
>
> http_access allow our_networks
>
> http_access allow localhost
>
> # And finally deny all other access to this proxy
>
> http_access allow all
>
> # TAG: http_reply_access
>
> # Allow replies to client requests. This is complementary to http_access.
>
> #
>
> # http_reply_access allow|deny [!] aclname ...
>
> #
>
> # NOTE: if there are no access lines present, the default is to allow
>
> # all replies
>
> #
>
> # If none of the access lines cause a match the opposite of the
>
> # last line will apply. Thus it is good practice to end the rules
>
> # with an "allow all" or "deny all" entry.
>
> #
>
> #Default:
>
> # http_reply_access allow all
>
> #
>
> #Recommended minimum configuration:
>
> #
>
> # Insert your own rules here.
>
>
>
>
>
> acl porn url_regex "/etc/squid/porn.txt"
>
> acl noporno url_regex "/etc/squid/noporn.txt"
>
> acl torpilli src "/etc/squid/torpilli.txt"
>
>
>
> # ismail acl list
>
> http_access deny porn all
>
> http_access allow noporno all
>
> http_access allow torpilli all
>
>
> _______________________________________________
> Linux-ag mailing list
> Linux-ag@liste.linux.org.tr
> http://liste.linux.org.tr/mailman/listinfo/linux-ag
>
>
>
-- Huzeyfe ÖNAL --- First Turkish Qmail book is out! Go check it. Duydunuz mu! Turkiye'nin ilk Qmail kitabi cikti. http://www.acikakademi.com/catalog/qmail/
_______________________________________________
Linux-ag mailing list
Linux-ag@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-ag