Allow a certain URL path with Squid

I'm using Squid 3.4 on Debian, and I want to know how to allow certain sub-URLs while banning the rest of them.

Particularly, I want to ban access to reddit.com/* but allow access to reddit.com/r/foo/* and reddit.com/r/foo/

acl bad url_regex reddit\.com.*
acl good url_regex reddit\.com.*foo*

http_access deny bad
http_access allow good

...
http_access allow localnet
http_access allow localhost
http_access deny all

This code doesn't seem to work, and everything at reddit.com ends up getting blocked. How can I get the configuration I want?

Edit: Updated configuration that still doesn't work:

acl good url_regex http(s)?://(www\.)?reddit\.com/r/foo.*
acl bad url_regex http(s)?://(www\.)?reddit\.com.*

http_access allow good
http_access deny bad

...
http_access allow localnet
http_access allow localhost
http_access deny all

This has the opposite effect of the previous code; it allows access to all of reddit.com (which I don't want).


Solution 1:

For anyone else like me who stumbles across this post looking for an answer: the reason is that Squid can't see the full URL for HTTPS requests, only the domain.

You can do a url_regex only for HTTP connections. You have to do a dstdomain for HTTPS connections.

It's down to the way proxy CONNECT works and not a Squid issue.
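
Added example (not part of the answer above and not Squid code): a small Python model of first-match http_access evaluation, run over the question's two configurations. It assumes url_regex behaves as an unanchored search and that an HTTPS request reaches the proxy as a CONNECT carrying only host:port; the sample requests are constructed.

```python
import re

# Simplified model of http_access evaluation (an assumption-level sketch):
# rules are checked top to bottom and the first rule whose ACLs all match
# decides. url_regex is modelled as an unanchored search over the request
# target. For HTTPS the proxy only receives "CONNECT host:port", so there is
# no scheme and no path to match against.

def decide(acls, rules, target, default="allow"):
    """Return 'allow' or 'deny'; default stands in for 'http_access allow localnet'."""
    for action, names in rules:
        if all(re.search(acls[name], target) for name in names):
            return action
    return default

# First configuration from the question: the deny rule comes first.
FIRST = ({"bad": r"reddit\.com.*", "good": r"reddit\.com.*foo*"},
         [("deny", ["bad"]), ("allow", ["good"])])

# Updated configuration from the question: allow first, scheme in the regex.
SECOND = ({"good": r"http(s)?://(www\.)?reddit\.com/r/foo.*",
           "bad": r"http(s)?://(www\.)?reddit\.com.*"},
          [("allow", ["good"]), ("deny", ["bad"])])

# Constructed sample requests: two plain-HTTP URLs and one HTTPS CONNECT target.
REQUESTS = ["http://www.reddit.com/r/foo/",
            "http://www.reddit.com/r/bar/",
            "www.reddit.com:443"]

def run(config):
    """Map each sample request to the verdict the modelled rule set gives it."""
    acls, rules = config
    return {target: decide(acls, rules, target) for target in REQUESTS}

if __name__ == "__main__":
    for name, config in (("first", FIRST), ("second", SECOND)):
        for target, verdict in run(config).items():
            print(f"{name:6} {verdict:5} {target}")
```

In this model the first configuration denies every request, and the second filters plain HTTP as intended but lets the CONNECT target fall through to the later allow rule, which matches both symptoms reported in the question.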

Solution 2:

Order is important. Put the allow line before the deny.

Also, url_regex matches on the whole URL, including http://, so you need to change your regexes. Remember to restart or reload Squid after changes.

Solution 3:

It's described here: http://wiki.squid-cache.org/SquidFaq/SquidAcl

My current setup is like this:

acl special_client src 10.1.255.93
acl special_url url_regex ^http://ppa.launchpad.net/adiscon/v8-devel/ubuntu/.*
http_access allow special_client special_url
http_access deny special_url

Solution 4:

I think you're looking for something like this:

http_access allow good
http_access deny bad !good

Because actually the good regexp matches the bad regexp as well, you need to use the AND connector in the second line.

Note that you can debug ACLs with this line:

debug_options ALL,1 28,3 33,2