Re: [squid-users] Site specific --File Blocking by extension

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 3 Feb 2004 13:47:29 +0100 (CET)

On Tue, 3 Feb 2004, Leon Dippenaar wrote:

> Thanks a million, it's much appreciated, that makes sense. Now I think I'm
> not getting the order of my ACL list quite correct, because the MS
> downloads are still being nailed. Have a quick look below and let me know
> how bad the blunder is...
>
>
> acl trust src 172.16.1.145
> acl semi_trust src 172.16.2.245
> acl lan src 172.16.0.0/255.255.0.0
> acl ras src 172.17.1.0/255.255.255.0
> acl ftp proto FTP
> acl download url_regex -i "/usr/local/squid/denydownload.txt"
> acl download-allowed dstdomain .microsoft.com
> acl porn url_regex "/usr/local/squid/etc/porn.txt"
> acl noporn url_regex "/usr/local/squid/etc/noporn.txt"

ok.

> #####Trusted Users #######
> http_access allow porn trust
> http_access allow ftp trust
> http_access allow download trust

These are more efficient if you list the ACLs in the opposite order.
Simplest ACL first. Same functionality.

http_access allow trust porn
http_access allow trust ftp
http_access allow trust download

or maybe you want to simply allow everything for the trusted user:

http_access allow trust

> ##### Allowed Download sites #########
> http_access deny !download-allowed download lan
> http_access deny !download-allowed download ras

Ok from what I can tell.

> ######Semi-Trusted#######
> http_access allow porn semi_trust
> ##### Semi-Trust DENY ####
> http_access deny ftp semi_trust
> http_access deny download semi_trust

Are you sure it is not the above rules which block your downloads?

> ######RAS Deny #########
> http_access deny porn ras
> http_access deny ftp ras
> http_access deny download ras

Or these?

> ##### LAN DENY #######
> http_access deny porn lan
> http_access deny ftp lan
> http_access deny download lan

Or these?

> ####### RAS Allow ########
> http_access allow ras
> ######LAN Allow###########
> http_access allow lan

Ok.

I would suggest you simplify your rules a bit. The above ruleset is
inconsistent and has the download rules duplicated in several places.

Regards
Henrik
Received on Tue Feb 03 2004 - 05:48:41 MST
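
Added example (not part of the original message and not Squid code): a small first-match evaluator for the http_access lines posted above, which reports the line that decides a given request. The contents of denydownload.txt and porn.txt are not shown in the thread, so the two regex patterns are constructed stand-ins, and `acl_matches` and `decide` are hypothetical helper names.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# ACLs from the posted config. The regex list files are not shown in the
# thread, so both patterns are constructed stand-ins (assumptions).
SRC = {"trust": "172.16.1.145/32", "semi_trust": "172.16.2.245/32",
       "lan": "172.16.0.0/255.255.0.0", "ras": "172.17.1.0/255.255.255.0"}
REGEX = {"download": (r"\.(exe|zip)$", re.I),   # assumed denydownload.txt
         "porn": (r"blocked-word", 0)}           # assumed porn.txt
DSTDOMAIN = {"download-allowed": ".microsoft.com"}

# http_access lines in the order they were posted.
RULES = """\
allow porn trust
allow ftp trust
allow download trust
deny !download-allowed download lan
deny !download-allowed download ras
allow porn semi_trust
deny ftp semi_trust
deny download semi_trust
deny porn ras
deny ftp ras
deny download ras
deny porn lan
deny ftp lan
deny download lan
allow ras
allow lan
"""

def acl_matches(name, src, url):
    if name in SRC:
        return ipaddress.ip_address(src) in ipaddress.ip_network(SRC[name])
    if name in REGEX:
        pattern, flags = REGEX[name]
        return re.search(pattern, url, flags) is not None
    if name == "ftp":  # acl ftp proto FTP
        return urlsplit(url).scheme == "ftp"
    host = urlsplit(url).hostname or ""
    return ("." + host).endswith(DSTDOMAIN[name])  # dstdomain suffix match

def decide(src, url):
    """First http_access line whose ACLs all match (logical AND) wins."""
    for line in RULES.splitlines():
        action, *acls = line.split()
        if all(acl_matches(a.lstrip("!"), src, url) != a.startswith("!") for a in acls):
            return action, line
    return ("deny" if action == "allow" else "allow"), "(inverse of last line)"
```

Calling `decide("172.16.5.10", "http://download.microsoft.com/patch.exe")` returns the `deny download lan` line: the `!download-allowed` lines are skipped for microsoft.com, but nothing allows the request before the later per-group deny lines match it.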
