It's good to hear someone can crack their problems. If I read correctly, having all the public_rooms rules in caused problems.. a question, did you have http_access allow public_rooms commented or 'alive' at the time? It could be that it needs to be there active to allow correct access at other times. And did you still have a http_access allow ALL (or whatever it is that normally allows access.. can't recall off the top of my head)?? As to my problems, they are still not resolved.. and I intend to get to the bottom of it on a weekend, stripping the squid.conf to bare bones till I see what's specifically causing a problem.. so expect me to come seeking help when I do :) Thanks however for your success story that gives me faith :) --Azrael
From: "npauli"
To:
Subject: [suse-linux-uk-schools] A happy Squid story
Date: Tue, 23 Jan 2001 21:48:03 -0000

I don't know if Azrael has resolved his acl problems but I've just done something vaguely similar and so far, touch wood, it seems to be working (famous last words...)
But before I get onto that, I noticed in my notes that on the advice of squid.conf I uncommented the following two lines:
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
any help?
First off, I was having problems with people downloading MS Messenger and getting into chat rooms, etc. So, I found out that to get it you download a file called mmssetup.exe or, in one case only, msnsetup.exe. I then opened /usr/local/squid/logs/access.log and used a find utility to check out these lines and, sure enough, they were pointing to download sites for messenger.
So I added the following to squid.conf
# blocking MS messenger
acl messenger1 url_regex mmssetup.exe
acl messenger2 url_regex msnsetup.exe
http_access deny messenger1
http_access deny messenger2
I then did
/usr/local/squid/bin/squid -k reconfigure
to tell squid to re-read its now altered config file.
I then had to purge the offending setup.exe files from my cache. To do that I had to add the following line to my squid.conf (I bunged it in under #Defaults along with a bunch of other acls.)
acl PURGE method purge
Then I used the client program that comes with squid to do the dirty work. You have to give the full url of the file you want purged - just using the regex mmssetup.exe as you can in the acl produces a "sorry, squire" error message.
/usr/local/squid/bin/client -m PURGE http://full/url/mmssetup.exe
did the business, though. [And I don't know about your mail reader but mine insists on adding blue and underlining to that argument above.]
Next problem. We now have network stations in the library and one classroom that I can't keep an eye on at breaktimes. The following lines from squid.conf deal with it.
acl public_rooms "/usr/local/squid/public_rooms"
# defining break times and games times
acl am_break time MTWHF 10:50-11:15
acl lunch time MTH 12:25-13:25
acl pm_break time MTWHF 14:30-14:50
acl games time WF 12:25-15:50
acl afterschool time MTWHF 15:50-16:10

# blocking freetime access in public rooms
http_access deny public_rooms am_break
http_access deny public_rooms lunch
http_access deny public_rooms pm_break
http_access deny public_rooms games
http_access deny public_rooms afterschool
# http_access allow public_rooms
/usr/local/squid/public_rooms is simply a text file containing the ip addresses of the network stations that I wanted to go 'off air' as far as squid and the internet were concerned at the times defined in those acl lines. Each ip address in the text file should be on its own line. Originally I included their netmasks as well e.g. 123.14.56.48/255.255.255.192 but I later removed them.
Okay, so I did this on a Sunday afternoon (don't forget to use linuxconf to ensure that your squid box and the school bells agree on the time) and Monday morning I waited to see what would happen at 10:50. Sure enough, at that moment *every* station in the school was denied access. So I commented out the lines I'd added, did /usr/local/squid/bin/squid -k reconfigure to give it back to everyone, reconsulted the FAQ and guide and decided 1. to remove the netmasks from those ip addresses, and 2. to leave everything commented out except
acl public_rooms "/usr/local/squid/public_rooms"
acl lunch time MTH 12:25-13:25
http_access deny public_rooms lunch
Much better! At lunch only the correct stations went out. Since then I've added back in the corresponding acl and http_access deny lines as each break comes around with no further problems.
As my users are gratifyingly disrespectful towards authority, I can have the pleasurable experience of popping into my office towards the end of a break and doing grep -e 123.14.56.48 /usr/local/squid/logs/access.log and gazing fondly at those lines that read TCP_DENIED/403
I hope someone will find this write-up handy. I'm partly doing it to teach myself to take sufficient notes as I do new things to the network and make changes.
Nigel.
Nigel Pauli - St. John's School, Northwood
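To make the rule semantics behind the http_access lines in Nigel's post concrete (every acl on a line must match, the first matching line wins), here is an added Python simulator; it is not part of the original post and not squid's own code. It evaluates a constructed squid.conf fragment against sample requests; the public_rooms addresses are listed inline rather than read from the file, and a src value carrying a netmask is treated as a whole network, which is an assumption about squid's handling of such values.

```python
import ipaddress
import re

# Constructed squid.conf fragment: the post's rules with an explicit final
# "allow all"; public_rooms is given inline instead of via a file.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl public_rooms src 123.14.56.48 123.14.56.49
acl lunch time MTH 12:25-13:25
acl messenger1 url_regex mmssetup.exe
http_access deny messenger1
http_access deny public_rooms lunch
http_access allow all
"""

def parse_conf(text):
    """Return ({acl name: (type, [values])}, [(allow?, [acl names])])."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":          # repeated acl lines OR their values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    """req = {'ip', 'url', 'day' (one of S M T W H F A), 'hhmm'}."""
    if kind == "src":      # assumption: a value with a mask is a network
        ip = ipaddress.ip_address(req["ip"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "time":     # "MTH 12:25-13:25": day letters, then a range
        days, rng = values
        start, end = rng.split("-")
        return req["day"] in days and start <= req["hhmm"] <= end
    if kind == "url_regex":
        return any(re.search(v, req["url"]) for v in values)
    raise ValueError("unsupported acl type " + kind)

def decide(conf, req):
    """First http_access line whose acls ALL match decides the request."""
    acls, rules = parse_conf(conf)
    for allow, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!")
               for n in names):
            return "allow" if allow else "deny"
    # no line matched: squid applies the opposite of the last line's action
    return "deny" if rules and rules[-1][0] else "allow"
```

Replacing the two public_rooms addresses with `123.14.56.48/255.255.255.192` makes the simulator match every host in the /26, which shows why a masked value behaves very differently from a single address.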