Re: [squid-users] Bypassing ACLs

From: Alexis Bosson <abosson@dont-contact.us>
Date: Tue, 11 Sep 2001 14:50:07 +0200

Why don't you use DENY instead of ALLOW by default? The configuration lines
are longer but you can control what you want.
Here's an example, which you can modify:

# Accepted URLs : '/' and no extension, example : 'README'
acl fichiers_ok url_regex /$ /[^\.]*$
# CGI
acl fichiers_ok url_regex \.cgi$ /cgi-bin/
# HTML
acl fichiers_ok url_regex \.htm$ \.html$ \.asp$ \.php$ \.php3$ \.phtml$
# Style sheets, JavaScript and Java
acl fichiers_ok url_regex \.css$ \.js$ \.jar$ \.class$
# Images
acl fichiers_ok url_regex \.gif$ \.jp[eg]$ \.jpeg$ \.png$ \.tif{1,2}$ \.eps$ \.bmp$
# Documents
acl fichiers_ok url_regex \.pdf$ \.ps$ \.rt[fx]$ \.dvi$
# Plain text
acl fichiers_ok url_regex \.txt$ \.[ct]sv$
# LaTeX Sources
acl fichiers_ok url_regex \.tex$ \.latex$ \.sty$ \.ltx$ \.cls$
# Archives
acl fichiers_ok url_regex \.zip$ \.gz$ \.tar$ \.bz2$ \.rpm$ \.deb$
# M$ Office
acl fichiers_ok url_regex \.do[ct]$ \.xls$ \.ppt$
# Shell scripts
acl fichiers_ok url_regex \.[zkc]sh$ \.b?a?sh$
# Perl, Python, Tcl/Tk
acl fichiers_ok url_regex \.pl$ \.py$ \.tcl$ \.tk$
# PGP Signature
acl fichiers_ok url_regex \.pgp$
# C
acl fichiers_ok url_regex \.c$ \.h$
# C++
# ('+' is escaped so that .c++ and .h++ are matched literally)
acl fichiers_ok url_regex \.c\+\+$ \.cpp$ \.cxx$ \.cc$ \.h\+\+$ \.hpp$ \.hxx$ \.hh$
# Pascal
acl fichiers_ok url_regex \.p$ \.pas$
# Web-pages integrated sounds
acl fichiers_ok url_regex \.midi?$ \.wav$
# Other sounds
acl fichiers_ok url_regex \.mpe?ga$ \.mp[23]$ \.m3u$ \.r[am]$ \.r[ap]m$
# Videos
#acl fichiers_ok url_regex \.mp[eg]$ \.mpeg$ \.qt$ \.mov$ \.avi$
# MS-DOS Scripts
acl fichiers_ok url_regex \.bat$
# Binaries
#acl fichiers_ok url_regex \.exe$ \.com$ \.bin$ \.scr$ \.dll$

-----Original Message-----
From: Robert Collins <robert.collins@itdomain.com.au>
To: Leonardo Rodrigues Magalhães <coelho@persogo.com.br>
Cc: Squid Users <squid-users@squid-cache.org>
Date: Tuesday, September 11, 2001 2:13 PM
Subject: Re: [squid-users] Bypassing ACLs

On Tue, 2001-09-11 at 22:13, Leonardo Rodrigues Magalhães wrote:
>
> Hello Guys,
>
> I'm running squid 2.4S2 with some ACLs denying some extensions ( like
> .mp3, .zip and others ). These rules are done with a text file with one
> extension per line, like ".mp3$", ".zip$". The $ means 'at the end of
> URL'.
>
> There are some extensions that I cannot block at all, I mean, I want my
> users browsing www.mp3.com ( so I cannot block just .mp3 ). Although, I do
> not want them downloading mp3 files. .mp3$ is working fine for this.
>
> But I have discovered ( hope my users don't ) that using
> http://someplace/somefile.mp3?type=i bypasses the ACL and MP3 is downloaded.
>
> Question ...... is there a way of telling squid to bypass arguments when
> applying url_regex rules ?????
>
>

One way is
(mp3$|mp3\?.*)

Rob
Received on Tue Sep 11 2001 - 06:53:18 MDT
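
The patterns discussed in this thread, checked against sample URLs. This is an added example and not part of the original messages: it uses Python's re module as a stand-in for Squid's regex matching, the sample URLs are constructed, and the third pattern ("path_only") is an assumption introduced here for comparison.

```python
import re

# Deny patterns: two from the thread, one constructed for this example.
PATTERNS = {
    "original": r"\.mp3$",               # the rule from the question
    "rob": r"(mp3$|mp3\?.*)",            # the suggestion from the reply, as posted
    "path_only": r"^[^?]*\.mp3(\?|$)",   # assumption: extension must end the path
}

# Constructed sample URLs; True means the request should be denied.
SAMPLES = [
    ("http://someplace/somefile.mp3", True),
    ("http://someplace/somefile.mp3?type=i", True),
    ("http://www.mp3.com/", False),
    ("http://www.mp3.com/index.html", False),
    ("http://someplace/search?q=mp3", False),
]


def is_denied(pattern: str, url: str) -> bool:
    """url_regex-style check: the pattern may match anywhere in the URL."""
    return re.search(pattern, url) is not None


def misclassified(name: str) -> list:
    """Return the sample URLs where the named pattern gives the wrong decision."""
    pattern = PATTERNS[name]
    return [url for url, should_deny in SAMPLES
            if is_denied(pattern, url) != should_deny]


if __name__ == "__main__":
    for name in PATTERNS:
        wrong = misclassified(name)
        print(f"{name:10s} {PATTERNS[name]:24s} wrong on: {wrong or 'nothing'}")
```

An extension rule still only sees the URL, so a file served under a different name is outside what any of these patterns can decide.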
