> -----Original Message-----
> From: Andre Fernando Goldacker [mailto:squid@xxxxxxxxxxx]
> Sent: Tuesday, February 07, 2006 5:55 AM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Acl blocking .exe files + unblocking some sites that require .exe files to work
>
> Hi, Hello,
>
> I'm having some trouble with ACLs when I try to block .exe files.
> Actually the acl works very well, but some sites use .exe files to
> display html content. I have a few webmail sites and some bank sites
> that do this. The problem is that I can't figure out how to unblock
> them. From what I know, squid reads acl rules from top to bottom, so if I
> have specified a site to be allowed first, even if there is a blocking
> rule below it should ignore it. Below are the related acl rules. The
> first 4 lines are ntlm group based rules. The goodextensions acl is the
> one that should allow sites with webmail.exe. Instead of letting it go,
> squid returns me, for ex., that access to the site
> http://email.terra.com.br/cgi-bin/webmail.exe? is denied. Does anyone
> know what I'm doing wrong? I'm using squid version 2.5.STABLE9.
>
> Any help will be much appreciated.
>
> Andre
>
>
> external_acl_type grupo ttl=900 concurrency=150 %LOGIN /usr/sbin/wbinfo_group.pl
> acl acesso external grupo internet
> acl CONNECT method CONNECT
> acl rede proxy_auth REQUIRED src x.x.x.x/x
>
> acl badsites dstdomain "/etc/squid/lists/badsites.conf"
> acl badwords url_regex -i "/etc/squid/lists/badwords.conf"
> acl badextensions urlpath_regex -i \.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)
> acl malware url_regex -i "/etc/squid/malware/lista.txt"
> acl goodsites dstdomain "/etc/squid/lists/goodsites.conf"
> acl goodwords url_regex -i "/etc/squid/lists/goodwords.conf"
> acl goodextensions urlpath_regex -i webmail.exe($|\?)
> acl java_jvm browser Java/1.4 Java/1.5
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !portaspadrao
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow java_jvm
> http_access allow rede acesso goodsites goodwords goodextensions

Have a look at the FAQ section on ACLs (http://www.squid-cache.org/Doc/FAQ/FAQ-10.html). Especially the part at http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.8. I'll quote the relevant bit for posterity:

  You've probably noticed (and been frustrated by) the fact that you cannot
  combine access controls with terms like ``and'' or ``or.'' These operations
  are already built in to the access control scheme in a fundamental way
  which you must understand.

    * All elements of an acl entry are OR'ed together.
    * All elements of an access entry are AND'ed together. e.g. http_access
      and icp_access.

  For example, the following access control configuration will never work:

    acl ME src 10.0.0.1
    acl YOU src 10.0.0.2
    http_access allow ME YOU

  In order for the request to be allowed, it must match the ``ME'' acl AND
  the ``YOU'' acl. This is impossible because any IP address could only match
  one or the other. This should instead be rewritten as:

    acl ME src 10.0.0.1
    acl YOU src 10.0.0.2
    http_access allow ME
    http_access allow YOU

> http_access allow rede acesso !badsites !badwords !badextensions !malware
> http_access deny all
> http_reply_access allow all
> icp_access allow all

Chris
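To make the AND/OR rule from the quoted FAQ concrete, here is a small Python model of how squid walks http_access lines, run against the URL-based part of Andre's own config. This is an added illustration, not code from the thread or from the Squid project. It assumes the list files' contents (the thread only shows their paths), treats the proxy_auth acl "rede" and the external acl "acesso" as already matched (they need a live helper), models the usual "acl all src 0.0.0.0/0.0.0.0", and escapes the dot in webmail\.exe as the regex presumably intended.

```python
import re
from urllib.parse import urlsplit

# ACL definitions modelled on the thread's config. The thread only shows the
# list *file names*, so the entries for goodsites/goodwords/badsites/badwords/
# malware are constructed assumptions; the two regexes are the thread's own.
# "rede" (proxy_auth) and "acesso" (external group) need a live helper, so
# they are left out here and assumed to match an authenticated user.
ACLS = {
    "badsites": ("dstdomain", [".badsite.example"]),          # assumed content
    "badwords": ("url_regex", ["casino"]),                    # assumed content
    "badextensions": ("urlpath_regex",
                      [r"\.(exe|bat|cmd|pif|scr|vbs|mov|mp3|avi|mwa|mwv|mpg)($|\?)"]),
    "malware": ("url_regex", ["malware-sample"]),             # assumed content
    "goodsites": ("dstdomain", ["email.terra.com.br"]),       # assumed content
    "goodwords": ("url_regex", ["intranet"]),                 # assumed content
    "goodextensions": ("urlpath_regex", [r"webmail\.exe($|\?)"]),  # dot escaped
    "all": ("all", []),  # the customary "acl all src 0.0.0.0/0.0.0.0"
}

# The URL-based part of Andre's http_access lines as posted: one line that
# ANDs the three allow-lists together, then the deny-list line, then deny all.
ORIGINAL = [
    ("allow", ["goodsites", "goodwords", "goodextensions"]),
    ("allow", ["!badsites", "!badwords", "!badextensions", "!malware"]),
    ("deny",  ["all"]),
]

# The same policy restructured the way the quoted FAQ describes: each
# allow-list on its own line, so matching ANY one of them is sufficient.
RESTRUCTURED = [
    ("allow", ["goodsites"]),
    ("allow", ["goodwords"]),
    ("allow", ["goodextensions"]),
    ("allow", ["!badsites", "!badwords", "!badextensions", "!malware"]),
    ("deny",  ["all"]),
]


def acl_matches(name, url):
    """One acl entry: the request matches if ANY of the entry's values match (OR)."""
    kind, values = ACLS[name]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # urlpath_regex is applied to the path plus the query string, which is why
    # the thread's regexes end in ($|\?)
    path = parts.path + ("?" + parts.query if parts.query else "")
    if kind == "all":
        return True
    if kind == "dstdomain":
        # ".example.com" covers the domain and its subdomains; without the
        # leading dot the host name must match exactly
        return any(host == v.lower().lstrip(".")
                   or (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    if kind == "url_regex":        # -i in the thread -> case-insensitive
        return any(re.search(v, url, re.IGNORECASE) for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, path, re.IGNORECASE) for v in values)
    raise ValueError(f"acl type {kind!r} not modelled here")


def term_matches(term, url):
    """A '!name' term matches when the acl does NOT match."""
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), url) != negated


def http_access(rules, url):
    """Walk http_access lines top to bottom. Within one line every term must
    match (AND); the first line that fully matches decides. If no line
    matches, squid applies the opposite of the last line's action.
    Returns (action, 1-based line number, or None when the default applied)."""
    for lineno, (action, terms) in enumerate(rules, start=1):
        if all(term_matches(t, url) for t in terms):
            return action, lineno
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), None


if __name__ == "__main__":
    webmail = "http://email.terra.com.br/cgi-bin/webmail.exe?"   # URL from the thread
    for label, rules in (("original", ORIGINAL), ("restructured", RESTRUCTURED)):
        for url in (webmail, "http://download.example/setup.exe",
                    "http://www.example.com/index.html"):
            print(f"{label:12} {url:48} -> {http_access(rules, url)}")
```

Run as written, the webmail URL under ORIGINAL falls through line 1 (goodsites matches but goodwords does not, and all three are ANDed), fails line 2 because `!badextensions` is false for a path ending in .exe, and is denied by line 3, which is exactly the symptom in the thread; under RESTRUCTURED it is allowed by line 1. Note the trade-off that comes with the fix: once each allow-list is on its own line, any one of them is sufficient on its own, so a broad goodwords list now admits every URL containing those words regardless of extension, and the lists should be reviewed with that in mind.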