Allow a certain URL path with Squid

web proxy domain blocking squid

I'm using Squid 3.4 on Debian, and I want to know how to allow certain sub-URLs while banning the rest of them.

Particularly, I want to ban access to reddit.com/* but allow access to reddit.com/r/foo/* and reddit.com/r/foo/

acl bad url_regex reddit\.com.*
acl good url_regex reddit\.com.*foo*

http_access deny bad
http_access allow good

...
http_access allow localnet
http_access allow localhost
http_access deny all

This code doesn't seem to work, and everything at reddit.com ends up getting blocked. How can I get the configuration I want?

Edit: Updated configuration that still doesn't work:

acl good url_regex http(s)?://(www\.)?reddit\.com/r/foo.*
acl bad url_regex http(s)?://(www\.)?reddit\.com.*

http_access allow good
http_access deny bad

...
http_access allow localnet
http_access allow localhost
http_access deny all

This has the opposite effect of the previous code; it allows access to all of reddit.com (which I don't want).


Solution 1:

For anyone else like me that stumbles across this post looking for an answer. The reason is that squid can't see the full URL for HTTPS requests, only the domain.

You can do a url_regex only for HTTP connections. You have to do a dstdomain for HTTPS connections.

It's down to the way proxy CONNECT works and not a Squid issue..

Solution 2:

Order is important. Put the allow line before the deny.

Also url_regex matches one the whole URL including http:// so you need to change your regexes. Remember to restart or reload squid after changes.

Solution 3:

it's described here; http://wiki.squid-cache.org/SquidFaq/SquidAcl

My current setup is like this;

acl special_client src 10.1.255.93
acl special_url url_regex ^http://ppa.launchpad.net/adiscon/v8-devel/ubuntu/.*
http_access allow special_client special_url
http_access deny special_url

Solution 4:

I think you're looking for something like this:

http_access allow good
http_access deny bad !good

Because actually the good regexp matches the bad regexp as well so you need to use the AND connector in the second line.

Note that you can debug acl's with this line:

debug_options ALL,1 28,3 33,2

Related

Two-Node Server 2012 R2 Hyper-V Cluster: Is it possible use local physical disks in the cluster?
Why does Ubuntu 14.04.2 have the bind9-host packages upon installation? [closed]
ERROR Found no accessible config files for 'fail2ban' under /etc/fail2ban
yum updates - are .rpmnew files ever critical / important to act upon?
How to protect from dangerous bash commands? [closed]
top is only showing current user processes
Wisdom of switching from Windows to redundant linux boxes for DHCP servers? [closed]
What are Site Link Bridges
Nginx location match working only when matching root
Can't access https despite port 443 is opened
is it possible to convert dataset to sparse volume (thin provisioning)?
SMTP defer vs reject