OK so I have definied
acl webMimes rep_mime_type -i "etc/squid/mimes"
Mimes file:
text/(html|css|plain|richtext)
application/(msword|pdf|vnd.ms-powerpoint|vnd.ms-excel|zip|x-compress)
image/(bmp|gif|jpeg|png|tiff|gif)
and http_access section:
#http_access deny clients workingHours funWebsites
http_access deny clients !webMimes
http_access allow all
Unfortunately 'clients' cannot browse any website even sth like
exampleDomain/exampleFile.txt
Any suggestions?
2010/11/2 Amos Jeffries <squid3_at_treenet.co.nz>:
> On Mon, 1 Nov 2010 23:01:42 +0100, Konrado Z <konradoz_at_partyinfo.com.pl>
> wrote:
>> Thanks for your response.
>>
>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>
>>>> http_access deny clients workingHours funWebsites
>>>> http_access deny clients !officeFiles
>>>> http_access allow all
>>>
>>> NP: "allow all" means traffic from the entire Internet. That should be
>>> "allow clients".
>>>
>>
>> Thanks that is a useful tip
>>
>>>
>>> As requested earlier:
>>> "Please list the exact fill set of patterns you are using. One of them
>>> is probably wrong."
>>>
>>> That means the exact and full content of /etc/squid/officeFiles. Sorry
> if
>>> I was unclear.
>>
>> \.[Dd][Oo][Cc]$
>> \.[Pp][Dd][Ff]$
>> \.[Xx][Ll][Ss]$
>> \.[Zz][Ii][Pp]$
>> \.[Gg][Ii][Ff]$
>> \.[Pp][Pp][Tt]$
>>
>> And jpg, rar, tiff, bmp, txt in the same style.
>>
>> I know that using this into http_access deny clients !officeFiles
>> causes blocking the whole WWW service (clients are allowed to download
>> only these types of files) but I'm not able to list every extension
>> such html, htm, php, asp etc. I want to make Internet service
>
> The pattern to match for the common web files is quite short:
>
> # defined white-list of acceptable web file extensions
> acl webFiles urlpath_regex -i
> [^?]*(\.([xd]?html?|aspx?|php[345]?|cgi|css|js|jpe?g|gif|png|x[ms]l||xst|swf)|/)(\?.*)?$
>
>
>> available for clients but I want to deny DOWNLOADING files which are
>> not typical office files. And how to do it? I have no idea :)
>
> You face a concept problem:
> In HTTP *everything* including the HTML structure of the page is a
> DOWNLOAD. There is zero difference in file type between a "Download"
> button, a menu bar and some porn. Only the browser controls whether it asks
> to save the object or displays it (eg. opening an XHTML web page in IE4
> will ask you where to save it).
>
> Consider as well how does one find these office files in order to
> download? when the HTML page (or HTML email), download button graphics,
> captcha security, search scripts and layout CSS are all blocked?
>
>
> I really think you need to clarify which types and sizes of object things
> are limited to. Then use http_reply_access on the file rep_mime_type.
> Probably source websites in http_access.
>
>>
>> P.S I was probably unclear earlier. Unfortunately my English is not so
>> well, so sorry :)
>> Konradoz
>>
>>> Amos
>>>
>>>>
>>>> 2010/11/1 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>> On 01/11/10 12:46, Konrado Z wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have encountered a problem with ACL. I want to disable download
> all
>>>>>> kinds of files for subnet specified except pdf, doc, xls, txt, zip.
> I
>>>>>> have created officeFile file wich is shown below:
>>>>>>
>>>>>> \.[Dd][Oo][Cc]$
>>>>>> \.[Tt][Xx][Tt]$
>>>>>> etc.
>>>>>>
>>>>>> but,
>>>>>>
>>>>>> acl clients 192.168.56.0/24
>>>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>>
>>>>> Using -i makes the pattern non-case-sensitive.
>>>>> acl officeFiles urlpath_regex -i \.(doc|txt)$
>>>>>
>>>>>
>>>>>>
>>>>>> and
>>>>>>
>>>>>> http_access deny clients !officeFiles
>>>>>> http_access allow all #It has to be here because it is the last line
>>>>>> in my config which is associated with other ACLS
>>>>>>
>>>>>>
>>>>>> doesn't work because clients cannot open even google.com. I have no
>>>>>> idea, how to overcome that problem. How to write this ACL and
>>>>>> http_access to work properly.
>>>>>> Please help.
>>>>>
>>>>> Please list the exact fill set of patterns you are using. One of them
>>> is
>>>>> probably wrong.
>>>>>
>>>>>
>>>>> You could also match the actual reply mime types. This reply ACL
> allows
>>>>> some
>>>>> types and denies the rest:
>>>>>
>>>>> acl webMime rep_mime_type -i text/html image/jpeg image/png
> image/gif
>>>>> text/css
>>>>> http_reply_access deny !webMime
>>>>>
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>> Current Stable Squid 2.7.STABLE9 or 3.1.8
>>>>> Beta testers wanted for 3.2.0.2
>>>>>
>>>
>
Received on Tue Nov 02 2010 - 19:30:25 MDT
This archive was generated by hypermail 2.2.0 : Wed Nov 03 2010 - 12:00:02 MDT