Bug #13879
Closed
Squid blacklist definition causing issues.
Description
Hello.
I have been working with pfSense 2.7-dev for some months and it is going solid; excellent work, team.
Now I face an issue that was causing me some headaches; checking the Squid config in more depth, it looks like I found the issue.
I'm trying to block some domains related to adult sites like:
.party
.porn
.xxx
.vip
.me
I put these domains in my blacklist field in the Squid GUI, section ACL.
But to my surprise, one domain from a government dependency stopped working. I checked the logs and saw that Squid started blocking the site with a DENIED:
192.168.9.100 TCP_DENIED/000 0 CONNECT 187.218.29.164:443 - HIER_NONE/- -
The site is: dof.gob.mx, see attachment please.
Why?
I went to my squid.conf and found the line:
acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
I have been working with Squid for some years and normally I don't use the parameter "dstdom_regex -i"; for the blacklist I use just "dst_domain".
I changed my line to this one:
acl blacklist dstdomain "/var/squid/acl/blacklist.acl"
Run squid -k reconfigure
With this change I don't have issues.
Please, if you need further details let me know, thanks.
Updated by Peter Moreno over 2 years ago
I have changed squid.inc
$options = array(
'unrestricted_hosts' => 'src',
'banned_hosts' => 'src',
'whitelist' => 'dstdom_regex -i',
'blacklist' => 'dstdom_regex -i',
'block_user_agent' => 'browser -i',
'block_reply_mime_type' => 'rep_mime_type -i',
);
to
$options = array(
'unrestricted_hosts' => 'src',
'banned_hosts' => 'src',
'whitelist' => 'dstdom_regex -i',
'blacklist' => 'dstdomain',
'block_user_agent' => 'browser -i',
'block_reply_mime_type' => 'rep_mime_type -i',
);
It is working, I just need your confirmation, regards!!!
Updated by Jim Pingle over 2 years ago
- Status changed from New to Not a Bug
This is not a bug. It expects regular expressions, not plain strings.
If that works better for you, you can make that change on your own system, but it makes the field less useful for people who want to use proper regex syntax.
Updated by Peter Moreno over 2 years ago
It would be a good option to have those in the GUI and let the user decide whether to use regular expressions or plain text.
Thanks Jim.
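The following is an added example, not part of the original ticket and not pfSense or Squid code. It compares how the five entries from the description behave as unanchored case-insensitive regular expressions (the "dstdom_regex -i" reading) and as plain domain suffixes (the "dstdomain" reading), and rewrites them as anchored regexes. Python's re module stands in for Squid's regex engine, the matching functions are approximations, and the hostnames are constructed.

```python
import re

# Entries exactly as typed into the blacklist field in the ticket.
PLAIN_ENTRIES = [".party", ".porn", ".xxx", ".vip", ".me"]

# Constructed hostnames for illustration (not taken from the ticket).
SAMPLE_HOSTS = ["shop.example.me", "home.example.org",
                "vvip.example.com", "www.example.com"]


def regex_hits(entries, host):
    """Approximate 'dstdom_regex -i': unanchored, case-insensitive search.
    An unescaped '.' matches any character, so '.me' hits 'home'."""
    return [e for e in entries if re.search(e, host, re.IGNORECASE)]


def dstdomain_hits(entries, host):
    """Approximate 'dstdomain': '.tld' matches that domain and its subdomains."""
    host = host.lower().rstrip(".")
    hits = []
    for entry in entries:
        e = entry.lower()
        if e.startswith("."):
            if host == e[1:] or host.endswith(e):
                hits.append(entry)
        elif host == e:
            hits.append(entry)
    return hits


def to_anchored_regex(entry):
    """Rewrite a plain '.tld' entry as a regex matching only that suffix."""
    return r"(^|\.)" + re.escape(entry.lstrip(".")) + "$"


if __name__ == "__main__":
    anchored = [to_anchored_regex(e) for e in PLAIN_ENTRIES]
    for h in SAMPLE_HOSTS:
        print(f"{h:20} as-regex={regex_hits(PLAIN_ENTRIES, h)} "
              f"dstdomain={dstdomain_hits(PLAIN_ENTRIES, h)} "
              f"anchored={regex_hits(anchored, h)}")
```

The anchored forms printed by to_anchored_regex are what would go into the blacklist field if the ACL type stays "dstdom_regex -i".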