Re: [squid-users] Allowing downloads from certain sites

From: Edmonds Namasenda <namasenda_at_gmail.com>
Date: Fri, 29 Jun 2012 16:00:43 +0300

Shastri,
That is what we are trying to help you solve. Are we writing gibberish?!

At the http_access restricting downloads, add something like
"!\.example\.com" (without the quotation marks)

Else, provide more accurate information for faster troubleshooting if
that fails. Many people dump their whole configuration files for
analysis!

# Edmonds.

On Fri, Jun 29, 2012 at 3:36 PM, Chaitanya Shastri
<chait.shastri_at_gmail.com> wrote:
> Hi,
>  My question is simple. I have blocked all the downloads on my LAN
> systems using acl rules. But there is a trusted domain, say
> "example.com" from which users on my LAN should be able to download
> any file. For example: zip or exe file. I do not have site restriction
> on that site. So all users can access the site, but they are not able
> to download through that site.
> I tried using \.microsoft\.com using dstdomain acl type. But it's not
> working. The http_reply_access rule is denying the download.
> I have following configuration:
>
> acl allow_downloads dstdomain -i \.microsoft\.com
> http_reply_access allow  allow_downloads
> http_reply_access deny all
>
> I want to allow downloading from "example.com" domain while still
> restricting downloads from other domains.
> Any ideas?
>
> Thanks.
>
> On Fri, Jun 29, 2012 at 5:32 PM, Edmonds Namasenda <namasenda_at_gmail.com> wrote:
>>>> Shastri, try the below
>>>>
>>>> Assume...
>>>> 1. Preventing Downloads File (nodowns.txt) has the following
>>>> \.msi$
>>>> \.exe$
>>>> \.zip$
>>>> \.etc$
>>
>> The above is regex
>>
>>>>
>>>> 2. Trusted Sites File (goodsites.txt) has the following
>>>> *.*microsoft*.com*
>>>> *.*windows*.com*
>>>> *.*etc*.com*.com*
>>>
>>>
>>> WTF? Does regex even accept that?
>>>
>>> *.*microsoft*.com*
>>
>> Amos, the above is dstdomain. You must have missed the regex entries
>> before this.
>>
>>>
>>>  ==>   (zero or more 'nothings')(zero or more characters)(the text
>>> "microsof")(zero or more 't' characters)(any single character)(the text
>>> "co")(zero or more 'm' characters)
>>>
>>> Don't you mean this?
>>>  \.microsoft\.com
>>>  \.windows\.com
>>>  \.etc\.com\.com
>>>
>>
>> Thanks for that insight.
>>
>>>
>>> Or perhaps the better version:
>>>
>>>  acl goodsites dstdomain .microsoft.com .windows.com .etc.com.com
>>>
>>>
>>
>> Will that not be too much if you have a long list of sites?
>>
>>>>
>>>> 3. Accompanying ACLs for files above
>>>> acl nodowns urlpath_regex -i "/path_to/nodowns.txt" # With quotation marks
>>>> acl goodsites dstdomain -i "/path_to/goodsites.txt" # With quotation
>>>> marks
>>>>
>>>> 4. Controlling Rule
>>>> http_access deny nodowns !goodsites # Put it above any "allow" rule
>>>>
>>>> The above is my thinking, and I could do with correction.
>>>>
>>>> # Edmonds
>>>
>>>
>>> Pretty much. The problem is that Chaitanya supplied no details about their
>>> config. Could be much simpler or much more complicated.
>>>
>>> Amos
>>>
>>>>
>>>> On Fri, Jun 29, 2012 at 12:30 PM, Chaitanya Shastri wrote:
>>>>>
>>>>> Hi Amos,
>>>>>
>>>>>    I have acl rules for preventing downloads on client machines. So a
>>>>> client cannot download any file (for example, .exe, .zip .. etc ) on
>>>>> his/her machine.
>>>>> What I want is that all clients should be able to download any type of
>>>>> file from certain trusted domain.
>>>>> In short I want to allow a domain in my squid configuration from which
>>>>> any client can download any type of file.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Fri, Jun 29, 2012 at 1:15 PM, Amos Jeffries wrote:
>>>>>>
>>>>>> On 29/06/2012 6:10 p.m., Chaitanya Shastri wrote:
>>>>>>>
>>>>>>> Hi list,
>>>>>>>
>>>>>>>    Is it possible to allow downloads from certain trusted sites?  I
>>>>>>> tried using the url_regex acl to list certain trusted sites from which
>>>>>>> our users can download any file.
>>>>>>>
>>>>>>>    Ex. acl allow_downloads url_regex -i ^http:\/\/example\.com
>>>>>>>          http_reply_access allow allow_downloads localnet  # where
>>>>>>> localnet is my LAN range
>>>>>>>
>>>>>>>    But it's not working. Any ideas on how to get it work?
>>>>>>>
>>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>>> Any idea what is blocking them from working in the first place?
>>>>>>
>>>>>> Amos
>>>>>>
Received on Fri Jun 29 2012 - 13:00:51 MDT
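
The rule set discussed in this thread, written out as an added example that is not part of the original messages: the file path and the example.com domain are placeholders, and the query-string form of the extension patterns is an addition here.

```conf
# squid.conf fragment (constructed example; adjust names and paths)

# Download-looking URLs: case-insensitive regex on the URL path.
# The optional (\?.*)? group also catches /setup.exe?id=1, which a
# bare \.exe$ would miss.
acl nodowns urlpath_regex -i \.msi(\?.*)?$ \.exe(\?.*)?$ \.zip(\?.*)?$

# Trusted sites: dstdomain takes literal domain names, not regex
# and not shell-style globs. A leading dot matches the domain
# itself and every subdomain.
acl goodsites dstdomain .example.com

# For a long list, keep one domain per line in a file instead
# (quotation marks required around the path):
#   acl goodsites dstdomain "/path_to/goodsites.txt"
# with file contents such as:
#   .example.com

# Deny download-looking URLs unless the destination is trusted.
# This line must sit above the first "http_access allow" rule.
http_access deny nodowns !goodsites

# Caveat: CONNECT requests (HTTPS through the proxy) carry only
# host:port and no URL path, so urlpath_regex never sees them.
```

Running `squid -k parse` after editing reports ACL syntax errors before the configuration is reloaded.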
