Re: [squid-users] blocking certain filetypes more intelligent?

From: <fra.nospam.nk@dont-contact.us>
Date: Thu, 25 Mar 2004 17:11:01 +0100

Hello,

Henrik Nordstrom <hno@squid-cache.org> wrote on 23.03.04 00:27:32:
> > Hi all,
> >
> > I'm looking for a way to block certain file downloads within squid. I
> > currently apply a list of filename extensions with url_pathregex to an
> > acl.
>
> Ok.
>
> You may also want to look into the rep_mime_type acl (in
> http_reply_access) for a more firm filetype access control.

Hm, I guess that leaves me somewhat in the hands of the origin
server admin. Has anyone experience with the consistency of
MIME types across popular web servers (e.g. Apache, IIS, etc.)?
I had a quick look at Squid's mime.types and Apache's mime.types
and essentially I have to block some files that would fall under
the text/plain category, which I can't block as a whole. (This
does not need to make any sense, since it's a requirement from
upper management!) Is there a way to attach something like a
filename_regex acl to http_reply_access? I assume that the
filename is somehow transmitted, because it shows up in the
"Save as..." browser dialog.
 
> > As for the filename-extension-does-not-match-the-real-file-type problem
> > I thought about an external helper performing checks based upon the UNIX
> > "file" command resp. magic bytes. This could be problematic, since the
> > file has to be retrieved first in order to check its filetype.
>
> Not easily done with Squid unfortunately.
>
> ICAP would be the way to go for a thing like this.

ICAP I don't know, but how exactly does Squid handle downloads?
Is it like "get object in cache, when finished pass on" or more like
"get object in cache and simultaneously pass on"? Would there be
a chance to incorporate another acl before an object is passed to
the client, or are acls only effective in the moment the request/reply
hits Squid? Of course there would also be the matter of the max
cache object size, since I guess no one really wants the cache to
get filled up with big objects ;-) I wonder how virus gateways deal
with this. Please excuse my fuzziness, but I lack the understanding
of the inner workings of Squid ;-)

Regards,

           Frank

Received on Thu Mar 25 2004 - 13:10:38 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:03 MST
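
The three checkpoints discussed in this thread (URL path extension at request time, reply headers, leading bytes of the body), as an added Python example that is not part of the original message and is not Squid code. The policy sets, function names and sample replies are constructed for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import urlsplit

# Constructed policy for illustration; not taken from the thread.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".bat"}
BLOCKED_MIME = {"application/x-msdownload"}
BLOCKED_KIND = {"pe-executable", "elf-executable"}
# Leading-byte signatures, the same idea file(1) relies on.
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"PK\x03\x04", "zip-archive"), (b"%PDF-", "pdf")]

def ext_of(name):
    return posixpath.splitext(name or "")[1].lower()

def disposition_filename(value):
    """Filename parameter of a Content-Disposition header, or None."""
    if not value:
        return None
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename()

def sniff(prefix):
    """Map the first bytes of a body to a content family, or None."""
    return next((kind for sig, kind in MAGIC if prefix.startswith(sig)), None)

def verdict(url, headers, body_prefix):
    """Return (stage, reason) for the first check that blocks, else None."""
    if ext_of(urlsplit(url).path) in BLOCKED_EXT:
        return ("request", "URL path extension")
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in BLOCKED_MIME:
        return ("reply-headers", "Content-Type")
    name = disposition_filename(headers.get("Content-Disposition"))
    if ext_of(name) in BLOCKED_EXT:
        return ("reply-headers", "Content-Disposition filename")
    if sniff(body_prefix) in BLOCKED_KIND:
        return ("reply-body", "magic bytes")
    return None

# Constructed sample replies: (URL, reply headers, first bytes of the body).
SAMPLES = [
    ("http://example.test/files/setup.exe",
     {"Content-Type": "application/octet-stream"}, b"MZ\x90\x00"),
    ("http://example.test/get.php?id=7", {"Content-Type": "text/plain",
     "Content-Disposition": 'attachment; filename="setup.exe"'}, b"MZ\x90\x00"),
    ("http://example.test/notes.txt", {"Content-Type": "text/plain"}, b"MZ\x90\x00"),
    ("http://example.test/readme.txt", {"Content-Type": "text/plain"}, b"Hello"),
]
```

Only the last stage needs body bytes, which is the part the reply quoted above describes as not easily done with Squid.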