
I'm using Squid 3.4 on Debian, and I want to know how to allow certain sub-URLs while banning the rest of them.

In particular, I want to ban access to reddit.com/* but allow access to reddit.com/r/foo/* and reddit.com/r/foo/.

acl bad url_regex reddit\.com.*
acl good url_regex reddit\.com.*foo*

http_access deny bad
http_access allow good

...
http_access allow localnet
http_access allow localhost
http_access deny all

This code doesn't seem to work, and everything at reddit.com ends up getting blocked. How can I get the configuration I want?

Edit: Updated configuration that still doesn't work:

acl good url_regex http(s)?://(www\.)?reddit\.com/r/foo.*
acl bad url_regex http(s)?://(www\.)?reddit\.com.*

http_access allow good
http_access deny bad

...
http_access allow localnet
http_access allow localhost
http_access deny all

This has the opposite effect of the previous code; it allows access to all of reddit.com (which I don't want).

unsi

4 Answers


For anyone else like me that stumbles across this post looking for an answer: the reason is that Squid can't see the full URL for HTTPS requests, only the domain.

You can do a url_regex only for HTTP connections. You have to do a dstdomain for HTTPS connections.

It's down to the way proxy CONNECT works and not a Squid issue.

Mike Evans

It's described here: http://wiki.squid-cache.org/SquidFaq/SquidAcl

My current setup is like this:

# only this one client may fetch from the PPA; the PPA is denied to everyone else
acl special_client src 10.1.255.93
# url_regex sees the whole URL, scheme included, so anchor on ^http://
# (dots are escaped so they match a literal "." rather than any character)
acl special_url url_regex ^http://ppa\.launchpad\.net/adiscon/v8-devel/ubuntu/.*
http_access allow special_client special_url
http_access deny special_url

Order is important. Put the allow line before the deny.

Also, url_regex matches on the whole URL, including http://, so you need to change your regexes. Remember to restart or reload Squid after changes.

Paul Haldane
  • I swapped the "deny bad" and "allow good" lines but I can't see any change. – unsi Mar 15 '15 at 10:25
  • can you post your config file now you have updated it? Also be aware that if people use https, these regexes won't apply to url portions – Tom Newton Mar 15 '15 at 11:02
  • @TomNewton Done, check my edited post; this time I tried to start from the http; I have ssl-bump configured, so it should work as expected. I tried from both http and https but it doesn't work on either protocol. I shut down the Squid server and restart it whenever I make changes. – unsi Mar 15 '15 at 11:43
  • This fixed the problem for me - this thread is related http://squid-web-proxy-cache.1019090.n4.nabble.com/acl-dstdomains-does-not-block-td1037712.html – Laurie Aug 11 '20 at 18:26

I think you're looking for something like this:

http_access allow good
http_access deny bad !good

Because anything the good regexp matches, the bad regexp matches as well, so you need to use the AND connector in the second line.

Note that you can debug ACLs with this line:

debug_options ALL,1 28,3 33,2
SamK
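The answers above make three separate points: http_access is first-match, so order matters; url_regex is matched against the whole request URL, scheme included; and for HTTPS the proxy only ever receives "CONNECT host:port", so a path-based url_regex can never match and a dstdomain ACL is the only handle. The following is an added example, not code from the question or any of the answers and not Squid's own code: a small Python model of Squid's http_access evaluation that replays the question's two configurations and a corrected one against the same constructed requests. It assumes that a CONNECT request is seen by url_regex as "host:port" (as the first answer describes), that `allow all` stands in for the asker's `allow localnet`, and the ACL names `reddit_foo` and `reddit` in the corrected configuration are my own.

```python
import re
from urllib.parse import urlsplit

# What Squid can match against. A plain-HTTP request arrives as
# "GET http://www.reddit.com/r/foo/ HTTP/1.1", so url_regex sees the whole
# URL including the scheme. An HTTPS request arrives as
# "CONNECT www.reddit.com:443"; the path travels inside TLS, so the proxy
# only ever sees host:port (assumption: modelled after the first answer).
def request_url(method, url):
    if method == "CONNECT":
        p = urlsplit(url)
        return "%s:%d" % (p.hostname, p.port or 443)
    return url


class Acl:
    def __init__(self, kind, arg):
        self.kind, self.arg = kind, arg

    def matches(self, method, url):
        if self.kind == "all":
            return True
        if self.kind == "url_regex":
            return re.search(self.arg, request_url(method, url)) is not None
        if self.kind == "dstdomain":
            host = urlsplit(url).hostname          # known for GET and CONNECT
            if self.arg.startswith("."):           # ".reddit.com": domain + subdomains
                return host == self.arg[1:] or host.endswith(self.arg)
            return host == self.arg
        raise ValueError("unsupported acl type %r" % self.kind)


def http_access(acls, rules, method, url):
    """First http_access line whose ACLs all match wins; "!name" negates a
    term. If no line matches, Squid applies the opposite of the last line."""
    for action, names in rules:
        if all(acls[n.lstrip("!")].matches(method, url) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


ALL = Acl("all", None)

CONFIGS = {
    # The question's first attempt: deny before allow, unanchored regexes.
    "q1_deny_first": ({
        "bad":  Acl("url_regex", r"reddit\.com.*"),
        "good": Acl("url_regex", r"reddit\.com.*foo*"),
        "all":  ALL,
    }, [("deny", ["bad"]), ("allow", ["good"]), ("allow", ["all"])]),
    # The edited attempt: order fixed, but both regexes require a scheme,
    # which a CONNECT request never carries.
    "q2_allow_first": ({
        "good": Acl("url_regex", r"http(s)?://(www\.)?reddit\.com/r/foo.*"),
        "bad":  Acl("url_regex", r"http(s)?://(www\.)?reddit\.com.*"),
        "all":  ALL,
    }, [("allow", ["good"]), ("deny", ["bad"]), ("allow", ["all"])]),
    # Corrected (my own, hypothetical names): anchored url_regex for the one
    # permitted path over HTTP, dstdomain to deny the domain everywhere else.
    "fixed": ({
        "reddit_foo": Acl("url_regex", r"^https?://(www\.)?reddit\.com/r/foo(/.*)?$"),
        "reddit":     Acl("dstdomain", ".reddit.com"),
        "all":        ALL,
    }, [("allow", ["reddit_foo"]), ("deny", ["reddit"]), ("allow", ["all"])]),
}

# Constructed sample requests (method, URL the browser wants).
REQUESTS = [
    ("GET", "http://www.reddit.com/r/foo/"),
    ("GET", "http://www.reddit.com/r/foo/comments/1"),
    ("GET", "http://www.reddit.com/r/foobar/"),
    ("GET", "http://www.reddit.com/r/bar/"),
    ("CONNECT", "https://www.reddit.com/r/foo/"),
    ("CONNECT", "https://www.reddit.com/r/bar/"),
    ("GET", "http://example.org/foo"),
]


def evaluate(config_name):
    """Return {"METHOD url": "allow"|"deny"} for every sample request."""
    acls, rules = CONFIGS[config_name]
    return {"%s %s" % (m, u): http_access(acls, rules, m, u) for m, u in REQUESTS}


if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for req, verdict in evaluate(name).items():
            print("  %-5s %s" % (verdict, req))
```

Running it shows the three behaviours side by side: the first configuration denies every reddit.com request, HTTP or HTTPS, because `deny bad` is evaluated first; the second allows the HTTP path but also allows everything over HTTPS, because "www.reddit.com:443" matches neither regex and evaluation falls through to `allow all`; the corrected one allows /r/foo/ over HTTP, denies /r/foobar/ thanks to the anchored pattern, and denies the whole domain over HTTPS, which is the most a proxy that only sees the CONNECT can do. The evaluator also honours `!name`, so the fourth answer's `deny bad !good` line can be tried by editing the rule list.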