[squid-users] Acl blocking .exe files + unblocking some sites that require .exe files to work

From: Andre Fernando Goldacker <squid@dont-contact.us>
Date: Tue, 7 Feb 2006 11:54:56 -0300

Hi,

I'm having some trouble with ACLs when I try to block .exe files.
Actually the acl works very well, but some sites use .exe files to
display html content. I have a few webmail sites and some bank sites
that do this. The problem is that I can't figure out how to unblock
them. From what I know, squid reads acl rules from top to bottom so if I
have specified a site to be allowed first, even if there is a blocking
rule below it should ignore it. Below are the related acl rules. The
first 4 lines are ntlm group based rules. The goodextensions acl is the
one that should allow sites with webmail.exe. Instead of letting it go,
squid returns me, for ex. that access to the site
http://email.terra.com.br/cgi-bin/webmail.exe? is denied. Does anyone
know what I'm doing wrong? I'm using squid version 2.5.STABLE9.

Any help will be much appreciated.

Andre
 
 
external_acl_type grupo ttl=900 concurrency=150 %LOGIN /usr/sbin/wbinfo_group.pl
acl acesso external grupo internet
acl CONNECT method CONNECT
acl rede proxy_auth REQUIRED src x.x.x.x/x

acl badsites dstdomain "/etc/squid/lists/badsites.conf"
acl badwords url_regex -i "/etc/squid/lists/badwords.conf"
acl badextensions urlpath_regex -i \.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)
acl malware url_regex -i "/etc/squid/malware/lista.txt"
acl goodsites dstdomain "/etc/squid/lists/goodsites.conf"
acl goodwords url_regex -i "/etc/squid/lists/goodwords.conf"
acl goodextensions urlpath_regex -i webmail.exe($|\?)
acl java_jvm browser Java/1.4 Java/1.5

http_access allow manager localhost
http_access deny manager
http_access deny !portaspadrao
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow java_jvm
http_access allow rede acesso goodsites goodwords goodextensions
http_access allow rede acesso !badsites !badwords !badextensions !malware
http_access deny all
http_reply_access allow all
icp_access allow all
Received on Tue Feb 07 2006 - 06:55:04 MST
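
Squid stops at the first http_access line that matches, and a line matches only when every ACL named on it matches. The added example below (not part of the original post) models that for the three lines that decide the webmail.exe request. The post does not show goodsites.conf or goodwords.conf, so the list contents are constructed, and the rede and acesso ACLs are assumed to match.

```python
import re

# Regexes copied from the posted squid.conf (both are urlpath_regex -i).
BADEXT = re.compile(r"\.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)", re.I)
GOODEXT = re.compile(r"webmail.exe($|\?)", re.I)

def make_acls(goodsites, goodwords):
    """ACL name -> predicate(host, path). List contents are constructed here,
    because the post does not show goodsites.conf or goodwords.conf."""
    return {
        # dstdomain is simplified to an exact host match
        "goodsites": lambda host, path: host in goodsites,
        # url_regex -i is applied to the whole URL
        "goodwords": lambda host, path: any(
            re.search(w, "http://" + host + path, re.I) for w in goodwords),
        "goodextensions": lambda host, path: bool(GOODEXT.search(path)),
        "badextensions": lambda host, path: bool(BADEXT.search(path)),
    }

# The posted http_access lines, reduced to the ACLs that decide this request.
# Assumed: rede and acesso match (authenticated user in the group) and
# badsites, badwords and malware do not match, so they are left out.
POSTED = [
    ("allow", ["goodsites", "goodwords", "goodextensions"]),
    ("allow", ["!badextensions"]),
    ("deny", []),  # "deny all"
]

def evaluate(rules, acls, host, path):
    """Return (action, line_number) of the first line whose ACLs ALL match."""
    for number, (action, names) in enumerate(rules, 1):
        # A leading "!" negates the ACL; every entry on the line must hold.
        if all(acls[n.lstrip("!")](host, path) != n.startswith("!") for n in names):
            return action, number
    # No line matched: Squid applies the opposite of the last line's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

HOST, PATH = "email.terra.com.br", "/cgi-bin/webmail.exe?"

def decide(goodsites, goodwords, rules=POSTED):
    return evaluate(rules, make_acls(goodsites, goodwords), HOST, PATH)

if __name__ == "__main__":
    # All three "good" ACLs match: line 1 allows.
    print(decide({HOST}, ["webmail"]))
    # goodwords does not match: line 1 fails, line 2 fails on !badextensions.
    print(decide({HOST}, ["intranet"]))
    # Host missing from goodsites: same result.
    print(decide(set(), ["webmail"]))
```

If any one of the three ACLs on the first allow line fails, the request falls through to the second line, where !badextensions is false for a path ending in .exe, and "deny all" then applies.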
