Hi, I have been using Squid 2.6 with DansGuardian 2.9 for a while now and it's been working well, blocking downloads of various file types, etc. However, I'm just seeing today (not sure how long this has been going on!) that *some* sites are allowing exes to come through. What I'm seeing in the Squid access.log is like this (I tested from download.com with a normal account not allowed to download) TCP_MISS/200 185021 GET http://software-files.download.com/sd/g33i94D6JAAXtGO-PPSk_XhSmDf4MVuRC4 CEP8QJjHfCg4aBx59AvP9DditCgw90rjIIHWsyB3P5NLlDhNcQeboRWRI19e-Z/software/ 10607469/10279647/3/Scorched3D-40.1d.exe?lop=link&ptype=3000&ontid=7486& siteId=4&edId=3&pid=10607469&psid=10279647 test DIRECT/216.239.112.15 application/octet-stream Is there something in the way this URL is written that sends this request out DIRECT instead of through the parent (DG) proxy? If I go to a different (I just picked this one off of Google) with a link like this: http://admin.u15194059.onlinehome-server.com/cgi-bin/mysql/dl.pl?dbname= FH&table=Desktop&ID=2707 it denies like it should (gives link of http://www.ezytools.com/magikfortune/downloads/magikfortunesetup.exe if it doesn't start automatically.) I tried another download from download.com and it worked fine also! What am I missing here that is making the difference? My squid.conf has NO direct allow access statements in it at all. I have one cache_peer statement, as such: <blah> parent 8080 7 no-query login=*:password default no-digest Here is another example of a line in access.log (pulled from LightSquid) where a download was allowed: http://software-files.download.com/sd/4QvrUWIggcGX-pVkX7SrgGrdSMh3zi0Fse kaZCd_9HxMN6vjVznlblKs501Cv6VntU-dHhPL4lpTL1iskc2_WQfifVnwnnSM/software/ 10603791/10408296/3/swiftswitch(install).exe?lop=link&ptype=3000&ontid=7 541&siteId=4&edId=3&pid=10603791&psid=10408296 (corresponding entry in access.log: TCP_MISS/200 2882605 GET http://software-files.download.com/sd/4QvrUWIggcGX-pVkX7SrgGrdSMh3zi0Fse kaZCd_9HxMN6vjVznlblKs501Cv6VntU-dHhPL4lpTL1iskc2_WQfifVnwnnSM/software/ 10603791/10408296/3/swiftswitch(install).exe?lop=link&ptype=3000&ontid=7 541&siteId=4&edId=3&pid=10603791&psid=10408296 <USERNAME> DIRECT/216.239.126.205 application/octet-stream) Is the URL somehow causing something strange to happen? I see a number of DIRECT lines in the access.log, not sure what the pattern is. I am seeing a lot of the following in cache.log if this means anything with this: 2006/11/21 11:37:54| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic cGh5bGxpcy5oeWF0dDpDaGFuZWwh' [2006/11/21 11:38:07, 1] libsmb/ntlmssp.c:ntlmssp_update(267) got NTLMSSP command 3, expected 1 I am using NTLM auth only, no basic is configured. Should I turn on basic then or does this first error really matter? What about the 2nd error? Any suggestions on where to look for a cause? Thanks, Geoff
