Re: [squid-users] Problem with ACL (disabling download)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 01 Nov 2010 23:01:41 +0000

On Mon, 1 Nov 2010 23:01:42 +0100, Konrado Z <konradoz_at_partyinfo.com.pl>
wrote:
> Thanks for your response.
>
>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>
>>> http_access deny clients workingHours funWebsites
>>> http_access deny clients !officeFiles
>>> http_access allow all
>>
>> NP: "allow all" means traffic from the entire Internet. That should be
>> "allow clients".
>>
>
> Thanks that is a useful tip
>
>>
>> As requested earlier:
>> "Please list the exact full set of patterns you are using. One of them
>> is probably wrong."
>>
>> That means the exact and full content of /etc/squid/officeFiles. Sorry if
>> I was unclear.
>
> \.[Dd][Oo][Cc]$
> \.[Pp][Dd][Ff]$
> \.[Xx][Ll][Ss]$
> \.[Zz][Ii][Pp]$
> \.[Gg][Ii][Ff]$
> \.[Pp][Pp][Tt]$
>
> And jpg, rar, tiff, bmp, txt in the same style.
>
> I know that using this in http_access deny clients !officeFiles
> blocks the whole WWW service (clients are allowed to download
> only these types of files), but I'm not able to list every extension
> such as html, htm, php, asp etc. I want to make Internet service

The pattern to match for the common web files is quite short:

 # defined white-list of acceptable web file extensions
 acl webFiles urlpath_regex -i [^?]*(\.([xd]?html?|aspx?|php[345]?|cgi|css|js|jpe?g|gif|png|x[ms]l|xst|swf)|/)(\?.*)?$

> available for clients but I want to deny DOWNLOADING files which are
> not typical office files. And how to do it? I have no idea :)

You face a concept problem:
  In HTTP *everything* including the HTML structure of the page is a
DOWNLOAD. There is zero difference in file type between a "Download"
button, a menu bar and some porn. Only the browser controls whether it asks
to save the object or displays it (eg. opening an XHTML web page in IE4
will ask you where to save it).

  Consider as well how one finds these office files in order to
download them, when the HTML page (or HTML email), download button graphics,
captcha security, search scripts and layout CSS are all blocked?

I really think you need to clarify which types and sizes of object things
are limited to. Then use http_reply_access on the file rep_mime_type.
Probably source websites in http_access.

>
> P.S. I was probably unclear earlier. Unfortunately my English is not so
> good, so sorry :)
> Konradoz
>
>> Amos
>>
>>>
>>> 2010/11/1 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>> On 01/11/10 12:46, Konrado Z wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I have encountered a problem with ACL. I want to disable download all
>>>>> kinds of files for subnet specified except pdf, doc, xls, txt, zip. I
>>>>> have created officeFile file which is shown below:
>>>>>
>>>>> \.[Dd][Oo][Cc]$
>>>>> \.[Tt][Xx][Tt]$
>>>>> etc.
>>>>>
>>>>> but,
>>>>>
>>>>> acl clients 192.168.56.0/24
>>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>
>>>> Using -i makes the pattern non-case-sensitive.
>>>> acl officeFiles urlpath_regex -i \.(doc|txt)$
>>>>
>>>>
>>>>>
>>>>> and
>>>>>
>>>>> http_access deny clients !officeFiles
>>>>> http_access allow all #It has to be here because it is the last line
>>>>> in my config which is associated with other ACLS
>>>>>
>>>>>
>>>>> doesn't work because clients cannot open even google.com. I have no
>>>>> idea, how to overcome that problem. How to write this ACL and
>>>>> http_access to work properly.
>>>>> Please help.
>>>>
>>>> Please list the exact full set of patterns you are using. One of them is
>>>> probably wrong.
>>>>
>>>>
>>>> You could also match the actual reply mime types. This reply ACL allows
>>>> some types and denies the rest:
>>>>
>>>> acl webMime rep_mime_type -i text/html image/jpeg image/png image/gif text/css
>>>> http_reply_access deny !webMime
>>>>
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE9 or 3.1.8
>>>> Beta testers wanted for 3.2.0.2
>>>>
>>
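Added example (not part of the thread, and not Squid's own code): a small Python simulation of Squid's first-match http_access evaluation, run over the ACLs posted above, to show why `deny clients !officeFiles` blocks the whole site and how adding Amos's webFiles pattern changes the outcome. The exact way the two ACLs are combined on one deny line (`deny clients !officeFiles !webFiles` followed by `allow clients`) is this example's assumption, as is treating the empty `||` alternative in the posted pattern as a typo; Squid's urlpath_regex is POSIX ERE over the URL path plus query string, which Python's `re` approximates well enough for these patterns. The sample requests are constructed.

```python
import ipaddress
import re

# Added example: a minimal model of Squid's http_access evaluation using the
# ACLs from the thread. Semantics modelled: lines are tried top to bottom; a
# line matches only if every ACL on it matches ('!' negates one ACL); the first
# matching line decides; if no line matches, the opposite of the last line's
# action applies.


def acl_src(cidr):
    """src ACL: the client address lies inside the given network."""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src"]) in net


def acl_urlpath_regex(pattern, ignore_case=True):
    """urlpath_regex ACL (-i when ignore_case); unanchored search, as in Squid."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda req: rx.search(req["path"]) is not None


ACLS = {
    "clients": acl_src("192.168.56.0/24"),
    # Konrado's /etc/squid/officeFiles list, collapsed into one -i pattern
    "officeFiles": acl_urlpath_regex(
        r"\.(doc|pdf|xls|zip|gif|ppt|jpg|rar|tiff|bmp|txt)$"),
    # Amos's webFiles pattern (wrapped acl line re-joined; the empty "||"
    # alternative is assumed to be a typo and dropped)
    "webFiles": acl_urlpath_regex(
        r"[^?]*(\.([xd]?html?|aspx?|php[345]?|cgi|css|js|jpe?g|gif|png"
        r"|x[ms]l|xst|swf)|/)(\?.*)?$"),
    "all": lambda req: True,
}

# The ruleset from the original post
ORIGINAL = [
    ("deny", ["clients", "!officeFiles"]),
    ("allow", ["all"]),
]

# Assumed combination of the webFiles ACL with the original rules (this exact
# pairing is the example's assumption, not something stated in the thread),
# with "allow all" changed to "allow clients" as Amos suggested.
REVISED = [
    ("deny", ["clients", "!officeFiles", "!webFiles"]),
    ("allow", ["clients"]),
]


def http_access(rules, req):
    """Return 'allow' or 'deny' for req under a list of (action, [acl terms])."""
    for action, terms in rules:
        line_matches = True
        for term in terms:
            negated = term.startswith("!")
            result = ACLS[term.lstrip("!")](req)
            if result == negated:      # ACL (after negation) did not match
                line_matches = False
                break
        if line_matches:
            return action
    # No line matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed sample requests: client address and URL path (with query string)
REQUESTS = [
    ("192.168.56.10", "/"),                  # site front page
    ("192.168.56.10", "/index.php?page=2"),  # script with a query string
    ("192.168.56.10", "/search?q=squid"),    # script with no extension
    ("192.168.56.10", "/script.js"),         # page resource
    ("192.168.56.10", "/report.pdf"),        # office file
    ("192.168.56.10", "/PHOTO.JPG"),         # upper case, needs -i
    ("192.168.56.10", "/setup.exe"),         # in neither list
    ("10.0.0.5", "/"),                       # not in the clients subnet
]


def decisions(rules):
    """Map each sample (src, path) to its decision under the given rules."""
    return {(src, path): http_access(rules, {"src": src, "path": path})
            for src, path in REQUESTS}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("revised", REVISED)):
        print(f"--- {name} ---")
        for (src, path), verdict in decisions(rules).items():
            print(f"{src:15} {path:20} {verdict}")
```

Under the original rules every client request except the office files is denied, including `/` and `/script.js`, which is the symptom reported in the first post. Under the revised rules those pass, `/setup.exe` is still denied, and a request from outside the subnet is denied because `allow clients` no longer covers it. Note that `/search?q=squid` is denied under both: the webFiles pattern only accepts paths ending in a listed extension or a slash (optionally followed by a query), so extension-less script URLs need their own entry. Running a simulation like this over real access-log paths before changing the live config is a cheap way to find such gaps.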
Received on Mon Nov 01 2010 - 23:01:45 MDT

This archive was generated by hypermail 2.2.0 : Tue Nov 02 2010 - 12:00:02 MDT