Proxy blacklist does block domain with subdomain #824

Closed
gitdevmod opened this issue Mar 15, 2016 · 6 comments
@gitdevmod
Contributor

If I select audio-video blacklist from UT1 blacklist, "youtube.com" is denied but "www.youtube.com" is allowed.
Maybe squid acl should use dstdom_regex?

@AdSchellevis
Member

No, it shouldn't. Can you inspect your list first? If there is another subdomain of .youtube.com allowed, it won't deny all on youtube.com, because of overlap.
You can easily grep the list in /usr/local/etc/squid/acl/ to see if that's the case here.

@gitdevmod
Contributor Author

I think it's because there is no "." before the domain.
With the blacklist http://dsi.ut-capitole.fr/blacklists/download/audio-video.tar.gz:

```
# grep youtube.com audio-video/domains
amazingyoutube.com
bannedfromyoutube.com
youtube.com
```

@AdSchellevis
Member

It probably misses a "." before youtube.com, but not before the other two above this. It should match .youtube.com here. I will look into this.

AdSchellevis self-assigned this Mar 16, 2016
AdSchellevis added the "bug Production bug" label Mar 16, 2016
AdSchellevis added this to the 16.7 milestone Mar 16, 2016

@fichtner
Member

@AdSchellevis
Member

This commit b1034aa solves the missing dot in the processed list.

In case you want to try before any release, you can easily download the script from github using:

```
curl -o /usr/local/opnsense/scripts/proxy/fetchACLs.py https://raw.githubusercontent.com/opnsense/core/master/src/opnsense/scripts/proxy/fetchACLs.py
```

The processed output looks like this on my machine:

```
# grep youtube /usr/local/etc/squid/acl/audiovideo
.mp3indir.youtube89.net
.youtube.youtube89.net
.youtube.fr
.topyoutubevideos.com
.youtubegoo.com
.bannedfromyoutube.com
.amazingyoutube.com
.youtube.com
.youtubevideos.biz
```
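
Added example (not part of the thread, and not the contents of commit b1034aa or of OPNsense's fetchACLs.py): a small Python model of dstdomain matching that shows why the undotted `youtube.com` entry missed `www.youtube.com` and what dot-prefixing the list changes. The `m.youtube.com` sample entry and the pruning of domains already covered by a listed parent are assumptions of this example.

```python
# Added illustration: a model of Squid dstdomain matching, not fetchACLs.py itself.

# Constructed sample in the style of a UT1 "domains" file; m.youtube.com is
# added here to show an entry that overlaps with its parent domain.
SAMPLE = """\
amazingyoutube.com
bannedfromyoutube.com
youtube.com
m.youtube.com
"""


def dstdomain_match(entry, host):
    """True if a dstdomain entry covers host; a leading dot includes subdomains."""
    entry, host = entry.lower(), host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_blocked(acl, host):
    """True if any entry of the ACL covers host."""
    return any(dstdomain_match(entry, host) for entry in acl)


def normalize(lines):
    """Dot-prefix each domain; drop blanks, comments, duplicates and any
    domain whose parent domain is also listed (the parent already covers it)."""
    domains = set()
    for raw in lines:
        name = raw.strip().lower().strip(".")
        if name and not name.startswith("#"):
            domains.add(name)

    def has_listed_parent(name):
        labels = name.split(".")
        return any(".".join(labels[i:]) in domains for i in range(1, len(labels)))

    return sorted("." + d for d in domains if not has_listed_parent(d))


if __name__ == "__main__":
    raw_acl = SAMPLE.split()                    # entries as shipped, no dots
    fixed_acl = normalize(SAMPLE.splitlines())  # dot-prefixed, overlap removed
    for host in ("youtube.com", "www.youtube.com", "amazingyoutube.com", "example.org"):
        print(f"{host:20} raw={is_blocked(raw_acl, host)} fixed={is_blocked(fixed_acl, host)}")
```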

@gitdevmod
Contributor Author

After "Download ACLs & Apply" it works as expected 👍 Thanks

fichtner pushed a commit that referenced this issue Mar 17, 2016