Re: [squid-users] YAALQ

From: richard lucassen <mailinglists_at_lucassen.org>
Date: Sun, 31 Mar 2013 14:53:37 +0200

On Sun, 31 Mar 2013 12:38:10 +0100
Alex Crow wrote:

Yep, that did the trick :)

Thanks!

R.

> You have allowed the http request to the site, but you have denied
> the reply. http_access and http_reply_access are different rule types.
>
> If you add an "http_reply_access allow no_filter_dest" above the last
> rule I think it will work.
>
> Thanks
>
> Alex
>
> On 31/03/13 12:21, richard lucassen wrote:
> > Hello list, Yet Another Access List Question.
> >
> > As the doc says:
> >
> > "Access list rules are checked in the order they are written. List
> > searching terminates as soon as one of the rules is a match."
> >
> > Well, that's quite clear I'd say. But why isn't this working
> > properly:
> >
> > ############################################################
> > acl richard2_src src 92.68.12.178
> >
> > [..]
> > acl no_filter_dst dstdomain "/etc/squid/nofilter.domains.txt"
> >
> > acl allow_mime_types rep_mime_type -i ^text/.* ^image/.*
> > ^text/plain ^text/html ^application/.*ms.*word.*
> > ^application/.*ms.*excel.* ^application/.*pdf.* ^application/.*xml.*
> > ^application/.*java.*
> >
> > [..]
> >
> > http_access allow no_filter_dst
> > http_reply_access deny !allow_mime_types richard2_src
> > [..]
> > ############################################################
> >
> > $ cat /etc/squid/nofilter.domains.txt
> > .xaq.nl
> >
> > The MIME type filter is working properly. But if I visit
> > http://www.xaq.nl/ there is an swf file which should be blocked by
> > the "allow_mime_types". But as the domain is allowed in the rule
> > above "allow_mime_types", the "no_filter_dst", I'd expect that
> > squid accepts the swf on that particular page. But it is denied:
> >
> > 1364728671.633 7 92.68.12.178 TCP_DENIED/403 1532 GET
> > http://www.xaq.nl/clock.swf - DIRECT/192.87.112.211 text/html
> >
> > Why is that?
> >
> > R.
> >
>

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://contact.xaq.nl/                                           |
+------------------------------------------------------------------+
Received on Sun Mar 31 2013 - 12:53:57 MDT
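
The behaviour discussed in this thread, as an added example that is not part of the original messages or of Squid itself: a small Python model of first-match evaluation showing that `http_access` and `http_reply_access` are separate lists, so an allow in one does not exempt a transaction from the other. It models only the rules visible in the post (the `[..]` parts are not modelled), uses the ACL name `no_filter_dst` from the posted config, and assumes the SWF is served as `application/x-shockwave-flash`.

```python
import re

# Constructed model of the ACLs shown in the thread; elided "[..]" rules are left out.
MIME_OK = [re.compile(p, re.I) for p in (
    r"^text/.*", r"^image/.*", r"^application/.*ms.*word.*",
    r"^application/.*ms.*excel.*", r"^application/.*pdf.*",
    r"^application/.*xml.*", r"^application/.*java.*")]
NOFILTER = [".xaq.nl"]  # contents of nofilter.domains.txt

def dstdomain(host, entries):
    # A leading dot matches the domain itself and every subdomain.
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in entries)

ACLS = {
    "richard2_src": lambda t: t["src"] == "92.68.12.178",
    "no_filter_dst": lambda t: dstdomain(t["host"], NOFILTER),
    "allow_mime_types": lambda t: any(r.search(t["mime"]) for r in MIME_OK),
}

def check(rules, txn):
    """First matching line decides; ACLs on one line are ANDed, '!' negates."""
    action = None
    for line in rules:
        action, *names = line.split()
        if all(ACLS[n.lstrip("!")](txn) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

def proxy(http_access, http_reply_access, txn):
    # The request list and the reply list are evaluated independently.
    if check(http_access, txn) == "deny":
        return "request denied"
    if check(http_reply_access, txn) == "deny":
        return "reply denied"
    return "delivered"

HTTP_ACCESS = ["allow no_filter_dst"]
REPLY_BEFORE = ["deny !allow_mime_types richard2_src"]   # as posted
REPLY_AFTER = ["allow no_filter_dst"] + REPLY_BEFORE     # exemption placed first

# Constructed transaction; the MIME type is an assumption, not taken from the log.
swf = {"src": "92.68.12.178", "host": "www.xaq.nl",
       "mime": "application/x-shockwave-flash"}

if __name__ == "__main__":
    print(proxy(HTTP_ACCESS, REPLY_BEFORE, swf), "->", proxy(HTTP_ACCESS, REPLY_AFTER, swf))
```

The exemption has to come before the deny line in the reply list, and the MIME filter still applies to replies from every destination that is not in `nofilter.domains.txt`.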
