Re: [squid-users] Block Certain Mime Types

From: Chris Robertson <crobertson_at_gci.net>
Date: Mon, 08 Jun 2009 16:30:08 -0800

Jeff Rigby wrote:
> Been at this for a few hours to no avail so I thought I'd turn to the
> collective genius of this list.
>
> I'm trying to block all connections to anything but images, text,
> javascript, and CSS. I would like to reply with a 404 error. My server is
> set up in Accel mode. Even blocking only text/html should be sufficient for
> what I need.
>
> I've tried many variations of the following but nothing seems to take. It
> serves text/html just fine. I've tried:
>
> acl allowext url_regex -i \.jpg$ \.png$ \.gif$ \.css$ \.js$
> http_access allow !allowext
> http_access deny !allowext
>

Is this an accurate copy of what you put in your config? This would (in
the absence of any other ACLs) not block anything. First you allow
requests that DON'T match your regular expressions, and then you deny
any that DON'T match your regular expressions that haven't already been
allowed. The "http_access deny !allowext" will never match. Remove
the ! from the http_access allow line, and this should do just what
you want.

> AND
>
> acl blockmimeq req_mime_type -i ^text/html$
> acl blockmimep rep_mime_type -i ^text/html$
> http_access deny blockmimeq
> http_reply_access deny blockmimep
>

Here you are blocking requests with a "text/html" Mime-Type, and replies
with the same type.

> with many variations/combos of those. Still no luck.
>
> Here's my latest ACL in my config (not working)
> # Basic ACLs
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl mydomain dstdomain .domain.com .static.com localhost
> acl localnet src 10.0.0.0/16
> acl Safe_ports port 80 # http
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access allow mydomain
>

Ah. Squid processes http_access rules on a first-match basis. Put your
http_access deny lines above this http_access allow.

> #mime-types
> acl blockmimeq req_mime_type -i ^text/html$
> acl blockmimep rep_mime_type -i ^text/html$
> http_access deny blockmimeq
> http_reply_access deny blockmimep
>
> http_access deny all
> icp_access allow localnet
> icp_access deny all
>
> Any ideas?
>
> Jeff
>

Chris
Received on Tue Jun 09 2009 - 00:30:15 MDT
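
A simplified model of the first-match `http_access` evaluation discussed in this reply, as an added example that is not part of the original message and is not Squid code. The rule lists combine the posted snippets in a constructed way, the sample URLs are constructed, and the `dstdomain` match is approximated by a suffix check.

```python
import re

# Model: lines are checked top to bottom, every ACL on a line must match,
# and the first matching line decides. If no line matches, the result is
# the opposite of the last line's action.
ALLOWEXT = re.compile(r"\.jpg$|\.png$|\.gif$|\.css$|\.js$", re.I)  # url_regex -i

ACLS = {
    "allowext": lambda req: bool(ALLOWEXT.search(req["url"])),
    # dstdomain .domain.com .static.com localhost (approximated)
    "mydomain": lambda req: req["host"] == "localhost"
    or req["host"].endswith((".domain.com", ".static.com")),
    "all": lambda req: True,
}

def term_matches(term, req):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    result = ACLS[term.lstrip("!")](req)
    return not result if term.startswith("!") else result

def evaluate(rules, req):
    """Return (action, line_number); line_number is None for the default."""
    for number, (action, *terms) in enumerate(rules, start=1):
        if all(term_matches(t, req) for t in terms):
            return action, number
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

# Constructed sample requests.
HTML = {"host": "www.domain.com", "url": "http://www.domain.com/index.html"}
PNG = {"host": "www.domain.com", "url": "http://www.domain.com/logo.PNG"}

# First snippet as posted, and with the '!' removed from the allow line.
AS_POSTED = [("allow", "!allowext"), ("deny", "!allowext")]
CHRIS_FIX = [("allow", "allowext"), ("deny", "!allowext")]
# A deny placed after "allow mydomain" versus above it.
ALLOW_FIRST = [("allow", "mydomain"), ("deny", "!allowext"), ("deny", "all")]
DENY_FIRST = [("deny", "!allowext"), ("allow", "mydomain"), ("deny", "all")]

if __name__ == "__main__":
    for name in ("AS_POSTED", "CHRIS_FIX", "ALLOW_FIRST", "DENY_FIRST"):
        for label, req in (("html", HTML), ("png", PNG)):
            print(name, label, evaluate(globals()[name], req))
```

The line number in each result shows which rule decided the request, which is the quickest way to spot a deny line that is never reached.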
