Re: [squid-users] Block Certain Mime Types

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 09 Jun 2009 15:54:53 +1200

On Mon, 8 Jun 2009 14:16:03 -0400, "Jeff Rigby" <jrigby_at_databasepublish.com> wrote:
> Been at this for a few hours to no avail so I thought I'd turn to the
> collective genius of this list.
>
> I'm trying to block all connections to anything but images, text,
> javascript, and CSS. I would like to reply with a 404 error. My server is
> set up in Accel mode. Even blocking only text/html should be sufficient for
> what I need.
>
> I've tried many variations of the following but nothing seems to take. It
> serves text/html just fine. I've tried:
>
> acl allowext url_regex -i \.jpg$ \.png$ \.gif$ \.css$ \.js$
> http_access allow !allowext
> http_access deny !allowext
>

! means 'NOT' in the boolean.

so these rules can also be written as:
  deny allowext
  deny !allowext

or as:
  deny all

> AND
>
> acl blockmimeq req_mime_type -i ^text/html$
> acl blockmimep rep_mime_type -i ^text/html$
> http_access deny blockmimeq
> http_reply_access deny blockmimep
>
> with many variations/combos of those. Still no luck.

Well, something is terribly wrong with the testing. Because the
rep_mime_type and http_reply_access you have above are the correct way to
do it.

Are you judging it by requests going back? or the result reaching client?

To block the reply, Squid MUST first ask for it and receive back at minimum
the reply headers. The client never sees what is given to Squid though.

>
> Here's my latest ACL in my config (not working)
> # Basic ACLs
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl mydomain dstdomain .domain.com .static.com localhost
> acl localnet src 10.0.0.0/16
> acl Safe_ports port 80 # http
> acl purge method PURGE
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access allow mydomain

first-listed first-match. 'allow mydomain'
Make sure that none of the URLs you are testing with are part of the
mydomain set.

>
> #mime-types
> acl blockmimeq req_mime_type -i ^text/html$
> acl blockmimep rep_mime_type -i ^text/html$
> http_access deny blockmimeq
> http_reply_access deny blockmimep
>
> http_access deny all
> icp_access allow localnet
> icp_access deny all
>
> Any ideas?
>
> Jeff

Amos
Received on Wed Jun 10 2009 - 23:45:19 MDT
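
Added example (not part of the original message, and not Squid code): a small Python model of the first-match evaluation described in the reply, applied to the quoted config, showing that the request is allowed at `allow mydomain` and the text/html reply is then withheld by `http_reply_access`. The transaction fields, the simplified ACL predicates and the sample hosts are assumptions made for illustration.

```python
# Simplified model of Squid's first-match rule evaluation (not Squid code).
# ACL predicates over a constructed transaction dict; names follow the quoted config.
ACLS = {
    "manager": lambda t: t["proto"] == "cache_object",
    "localhost": lambda t: t["src"] == "127.0.0.1",
    "purge": lambda t: t["method"] == "PURGE",
    "Safe_ports": lambda t: t["port"] == 80,
    "mydomain": lambda t: t["host"].endswith((".domain.com", ".static.com")),
    "blockmimeq": lambda t: t.get("req_content_type", "").lower() == "text/html",
    "blockmimep": lambda t: t.get("rep_content_type", "").lower() == "text/html",
    "all": lambda t: True,
}
# Each line is (action, [ACLs]); all ACLs on a line must match, "!" negates.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]), ("deny", ["manager"]),
    ("allow", ["purge", "localhost"]), ("deny", ["purge"]),
    ("deny", ["!Safe_ports"]), ("allow", ["mydomain"]),
    ("deny", ["blockmimeq"]), ("deny", ["all"]),
]
HTTP_REPLY_ACCESS = [("deny", ["blockmimep"])]

def acl_matches(name, txn):
    result = ACLS[name.lstrip("!")](txn)
    return not result if name.startswith("!") else result

def evaluate(rules, txn):
    """Return (action, index of deciding line); index is None if no line matched."""
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(n, txn) for n in names):
            return action, i
    # No line matched: Squid applies the opposite of the last line's action.
    last = rules[-1][0]
    return ("allow" if last == "deny" else "deny"), None

def client_result(txn):
    """What the client ends up with: denied-request, denied-reply or served."""
    if evaluate(HTTP_ACCESS, txn)[0] == "deny":
        return "denied-request"  # Squid never contacts the origin
    if evaluate(HTTP_REPLY_ACCESS, txn)[0] == "deny":
        return "denied-reply"    # origin was asked, reply withheld from client
    return "served"

# Constructed sample transactions.
BASE = {"proto": "http", "src": "10.0.0.5", "method": "GET", "port": 80, "host": "www.domain.com"}
HTML = dict(BASE, rep_content_type="text/html")
PNG = dict(BASE, rep_content_type="image/png")
```

In this model the origin server still sees the request for the HTML page; only the client-facing result changes, which is the distinction the reply draws between requests going back and the result reaching the client.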
