On Tuesday 14 February 2006 14:50, TL wrote:

> At this moment all the users must authenticate to access internet (NCSA
> AUTH) with porn filtering, and I'm blocking the downloads with an
> external firewall which affects all my users behind squid.

Must... resist... the temptation... to blame... inefficient porn filtering... ;)

> What I need is to allow/block downloads like *.exe; .dll; .com; etc. to
> common users and allow to supervisors using their user/pass.

Generally this kind of detection is flawed. Consider these URLs:

http://cgi.ebay.com/bid.dll -> false positive
http://windozeupdate.microshut.com/update.exe -> false positive
http://download.server.net?id=145875 -> false negative

We have tried that for years (actually my predecessors did). And it simply doesn't work with users of an IQ above 30.

Another way would be looking at the content type that the web site sends with the URL. But then you still depend on what the web server administrator does. If everything looked like text/html then your Squid would just let it through - even if it's porn, MP3s, warez, downloads, $whatever.

My personal opinion is: Squid is the best open-source proxy in the world. Just don't try to use it too heavily for security purposes. Since it does not consider the actual content of what's going through it, most of the time creating blacklists or ACLs for downloads is wasted. Save the time (which also costs money) and get another proxy that is content-aware and run it in a chain. From talking to other proxy admins of organisations, that is often the approach they use, too.

> -Is it possible to do that based on user/pass instead of IP address?

Sure. Just use the authentication ACL instead of the IP-based ACL there.

> -Could anyone send me an ACL example on how to block downloads based on
> file extensions?

It often looks like this (the suffix list is split over several acl lines with the same name, which Squid ORs together; a single regex must not contain the line breaks that mail wrapping inserts):

  acl download_suffix url_regex -i \.(zip|arj|exe|cmd|rar|ace|tar|gz|gtar|rpm|tgz|bz|bz2|bzip|bzip2|elm)($|\?)
  acl download_suffix url_regex -i \.(bat|vbs|lzh|lha|zoo|chm|sit|msi|iso|mpg|mpeg|mp3|jnlp|bin|drv)($|\?)
  acl download_suffix url_regex -i \.(sys|scr|mdb|ocx|pif|msg|vsd|vst|386|cab|enc|dml|psf|hqx|mov)($|\?)

  # authentication-based ACL: the NCSA usernames of the supervisors
  # (alice and bob are placeholders, substitute your own)
  acl admins proxy_auth alice bob

Since you want to allow everyone non-downloads and restrict downloads to admins, this would be a way to do it (order matters, Squid stops at the first matching http_access line):

  http_access allow !download_suffix
  http_access allow admins
  http_access deny all

Kindly
Christoph
-- 
~
~
".signature" [Modified] 1 line --100%-- 1,48 All
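As an added illustration (this is not code from the thread, nor part of Squid), the three checks Christoph contrasts can be run side by side in Python: the url_regex suffix match, a check on the server-sent Content-Type (what a Squid rep_mime_type ACL would see), and a look at the first bytes of the body, which is what "content-aware" means in practice. The suffix list is his, with "dll" added because TL's question mentions it; the Content-Type set, the magic-byte table and the three sample responses are constructed for the example, modelled on the URLs in the mail.

```python
"""Added example, not from the squid-users thread: URL-suffix blocking versus
Content-Type versus body sniffing. All inputs below are constructed."""
import re
from typing import Optional

# Christoph's suffix list plus "dll" (assumption: added because TL asked for it).
# Same semantics as the Squid url_regex: the extension must sit at the very end
# of the URL or directly before a '?' query string.
DOWNLOAD_SUFFIX = re.compile(
    r"\.(zip|arj|exe|dll|cmd|rar|ace|tar|gz|gtar|rpm|tgz|bz|bz2|bzip|bzip2|elm|bat|"
    r"vbs|lzh|lha|zoo|chm|sit|msi|iso|mpg|mpeg|mp3|jnlp|bin|drv|sys|scr|mdb|ocx|pif|"
    r"msg|vsd|vst|386|cab|enc|dml|psf|hqx|mov)($|\?)",
    re.IGNORECASE,
)

# Media types a Content-Type based rule might block (constructed, illustrative).
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                  "application/x-msdos-program", "application/zip"}

# Magic bytes a content-aware filter looks for at the start of the body.
MAGIC = [
    (b"MZ", "PE executable"),        # .exe / .dll / .scr / .sys
    (b"PK\x03\x04", "ZIP archive"),  # also .jar / .docx
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "gzip data"),
]


def url_looks_like_download(url: str) -> bool:
    """What a url_regex ACL decides: only the URL text is consulted."""
    return DOWNLOAD_SUFFIX.search(url) is not None


def header_says_download(content_type: str) -> bool:
    """What a Content-Type rule decides: trusts whatever the server claims."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in DOWNLOAD_TYPES


def sniff_body(first_bytes: bytes) -> Optional[str]:
    """What a content-aware proxy decides: looks at the bytes themselves."""
    for magic, kind in MAGIC:
        if first_bytes.startswith(magic):
            return kind
    return None


def classify(url: str, content_type: str, body_prefix: bytes) -> dict:
    """Run all three checks on one response and report each verdict."""
    return {
        "url": url,
        "url_block": url_looks_like_download(url),
        "header_block": header_says_download(content_type),
        "body_kind": sniff_body(body_prefix),
    }


# Constructed responses modelled on the three URLs in the mail.
SAMPLES = [
    # eBay's bid.dll is a CGI endpoint that returns HTML: the suffix rule
    # blocks it anyway (false positive).
    ("http://cgi.ebay.com/bid.dll", "text/html", b"<html><body>bid</body>"),
    # A genuine Windows update: every check agrees it is a binary.
    ("http://windozeupdate.microshut.com/update.exe",
     "application/octet-stream", b"MZ\x90\x00\x03\x00"),
    # The download hides behind an id and the server labels it text/html:
    # only the body sniff notices the PE header (false negative for the others).
    ("http://download.server.net?id=145875", "text/html", b"MZ\x90\x00\x03\x00"),
]


def classify_all(samples=SAMPLES) -> list:
    return [classify(*sample) for sample in samples]


if __name__ == "__main__":
    for r in classify_all():
        print(f"{r['url']:48} url_block={str(r['url_block']):5} "
              f"header_block={str(r['header_block']):5} body={r['body_kind']}")
```

The third sample is the case the mail warns about: both the URL and the header look harmless, so a Squid-only setup lets the executable through, while the chained content-aware proxy would see the MZ header. The first sample shows the opposite failure, where the suffix rule blocks an HTML page because of its file name.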