RE: [squid-users] Acl blocking .exe files + unblocking some sites that require .exe files to work

From: Chris Robertson <crobertson@dont-contact.us>
Date: Tue, 7 Feb 2006 11:26:53 -0900

> -----Original Message-----
> From: Andre Fernando Goldacker [mailto:squid@teka.com.br]
> Sent: Tuesday, February 07, 2006 5:55 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Acl blocking .exe files + unblocking some sites
> that require .exe files to work
>
>
> Hi,

Hello,

>
> I'm having some trouble with ACLs when I try to block .exe files.
> Actually the acl works very well, but some sites use .exe files to
> display html content. I have a few webmail sites and some bank sites
> that do this. The problem is that I can't figure out how to unblock
> them. From what I know, squid reads acl rules from top to bottom, so if
> I have specified a site to be allowed first, even if there is a blocking
> rule below it should ignore it. Below are the related acl rules. The
> first 4 lines are ntlm group based rules. The goodextensions acl is the
> one that should allow sites with webmail.exe. Instead of letting it go,
> squid returns me, for ex., that access to the site
> http://email.terra.com.br/cgi-bin/webmail.exe? is denied. Does anyone
> know what I'm doing wrong? I'm using squid version 2.5.STABLE9.
>
> Any help will be much appreciated.
>
> Andre
>
>
> external_acl_type grupo ttl=900 concurrency=150 %LOGIN /usr/sbin/wbinfo_group.pl
> acl acesso external grupo internet
> acl CONNECT method CONNECT
> acl rede proxy_auth REQUIRED src x.x.x.x/x
>
> acl badsites dstdomain "/etc/squid/lists/badsites.conf"
> acl badwords url_regex -i "/etc/squid/lists/badwords.conf"
> acl badextensions urlpath_regex -i \.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)
> acl malware url_regex -i "/etc/squid/malware/lista.txt"
> acl goodsites dstdomain "/etc/squid/lists/goodsites.conf"
> acl goodwords url_regex -i "/etc/squid/lists/goodwords.conf"
> acl goodextensions urlpath_regex -i webmail.exe($|\?)
> acl java_jvm browser Java/1.4 Java/1.5
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !portaspadrao
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow java_jvm
> http_access allow rede acesso goodsites goodwords goodextensions

Have a look at the FAQ section on ACLs (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html), especially the part at http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.8. I'll quote the relevant bit for posterity:

You've probably noticed (and been frustrated by) the fact that you cannot combine access controls with terms like ``and'' or ``or.'' These operations are already built in to the access control scheme in a fundamental way which you must understand.

    * All elements of an acl entry are OR'ed together.
    * All elements of an access entry are AND'ed together. e.g. http_access and icp_access.

For example, the following access control configuration will never work:

        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME YOU

In order for the request to be allowed, it must match the ``ME'' acl AND the ``YOU'' acl. This is impossible because any IP address could only match one or the other. This should instead be rewritten as:

        acl ME src 10.0.0.1
        acl YOU src 10.0.0.2
        http_access allow ME
        http_access allow YOU

> http_access allow rede acesso !badsites !badwords !badextensions !malware
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>

Chris
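The rule Chris quotes (elements of one acl are OR'ed, terms on one http_access line are AND'ed, first matching line wins) can be checked against the posted configuration with a small model. The following is an added example written for this archive page; it is not code from the Squid project or from either poster. It assumes constructed contents for the list files named in Andre's config (the real files are not in the thread), models the `rede` (proxy_auth) and `acesso` (external group) acls as plain facts attached to the request because they cannot be evaluated offline, and assumes Squid's documented first-match evaluation of `http_access`. The "fixed" rule set follows the FAQ's pattern of one allow line per good-list; the added `!malware` term on those lines is this example's choice, so that an allow-listed site cannot override the malware list.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the list files referenced in the posted squid.conf.
GOODSITES = ["email.terra.com.br"]      # /etc/squid/lists/goodsites.conf
GOODWORDS = ["intranet"]                # /etc/squid/lists/goodwords.conf
BADSITES = ["badsite.example"]          # /etc/squid/lists/badsites.conf
BADWORDS = ["casino"]                   # /etc/squid/lists/badwords.conf
MALWARE = [r"/cgi-bin/dropper\.exe"]    # /etc/squid/malware/lista.txt


class Request:
    """The parts of a client request that the modelled acl types inspect."""

    def __init__(self, url, facts=()):
        parts = urlsplit(url)
        self.url = url
        self.host = parts.hostname or ""
        # urlpath_regex sees the path plus any query string, never the host.
        self.urlpath = parts.path + ("?" + parts.query if parts.query else "")
        # Stand-in for what proxy_auth / the external group helper would report.
        self.facts = set(facts)


def dstdomain(domains):
    # A leading dot matches the domain and its subdomains; otherwise exact host.
    def match(req):
        return any(
            (req.host == d[1:] or req.host.endswith(d)) if d.startswith(".")
            else req.host == d
            for d in domains
        )
    return match


def regex_on(attr, patterns):
    # Elements of one acl are OR'ed: any pattern matching is enough (-i => IGNORECASE).
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda req: any(r.search(getattr(req, attr)) for r in regs)


def fact(name):
    return lambda req: name in req.facts


ACLS = {
    "rede": fact("authenticated"),       # proxy_auth REQUIRED, modelled as a fact
    "acesso": fact("group:internet"),    # external grupo internet, modelled as a fact
    "badsites": dstdomain(BADSITES),
    "badwords": regex_on("url", BADWORDS),
    "badextensions": regex_on("urlpath", [r"\.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)"]),
    "malware": regex_on("url", MALWARE),
    "goodsites": dstdomain(GOODSITES),
    "goodwords": regex_on("url", GOODWORDS),
    "goodextensions": regex_on("urlpath", [r"webmail\.exe($|\?)"]),  # dot escaped here
    "all": lambda req: True,
}


def term_matches(term, req):
    # A leading '!' negates the acl named after it.
    if term.startswith("!"):
        return not ACLS[term[1:]](req)
    return ACLS[term](req)


def http_access(rules, req):
    """First-match evaluation: every term on a line must match (AND) and the
    first line whose terms all match decides. If no line matches, Squid applies
    the opposite of the last line's action."""
    for action, terms in rules:
        if all(term_matches(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(rules, url, facts):
    return http_access(rules, Request(url, facts))


# The three lines from the thread that decide ordinary browsing (manager,
# CONNECT and localhost lines omitted as they never match these requests).
ORIGINAL = [
    ("allow", ["rede", "acesso", "goodsites", "goodwords", "goodextensions"]),
    ("allow", ["rede", "acesso", "!badsites", "!badwords", "!badextensions", "!malware"]),
    ("deny", ["all"]),
]

# One allow line per good-list, each still requiring rede AND acesso.
FIXED = [
    ("allow", ["rede", "acesso", "goodsites", "!malware"]),
    ("allow", ["rede", "acesso", "goodwords", "!malware"]),
    ("allow", ["rede", "acesso", "goodextensions", "!malware"]),
    ("allow", ["rede", "acesso", "!badsites", "!badwords", "!badextensions", "!malware"]),
    ("deny", ["all"]),
]

USER = ("authenticated", "group:internet")        # constructed: logged-in member of "internet"
WEBMAIL_URL = "http://email.terra.com.br/cgi-bin/webmail.exe?"


def demo():
    return {
        "original webmail": decide(ORIGINAL, WEBMAIL_URL, USER),
        "fixed webmail": decide(FIXED, WEBMAIL_URL, USER),
        "fixed dropper on good site": decide(FIXED, "http://email.terra.com.br/cgi-bin/dropper.exe", USER),
        "fixed unauthenticated": decide(FIXED, WEBMAIL_URL, ()),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Under the original rules the webmail URL is denied because the single allow line only fires when goodsites, goodwords and goodextensions all match the same request; with the constructed goodwords list they do not, and the request then falls through to `!badextensions`, which fails on `.exe`. The split rules allow it via the goodsites line while a malware-listed `.exe` on the same host, an unauthenticated client, and a random `.exe` elsewhere all stay denied.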
Received on Tue Feb 07 2006 - 13:27:01 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST