On Tue, 17 Aug 2010 23:56:01 +0200, Stefan Jensen <sjensen@xxxxxxxxxxx> wrote:
> Hi,...
>
> I'm using "squid-3.1.4-2.fc13.x86_64" and have an acl for update-sites
> e.g.:
>
> acl updates dstdomain .windowsupdate.microsoft.com
> www.update.microsoft.com .windowsupdate.com download.microsoft.com
> ntservicepack.microsoft.com wustat.windows.com urs.microsoft.com
> spynet2.microsoft.com current.cvd.clamav.net clamwin.sourceforge.net
> database.clamav.net java.sun.com javadl-esd.sun.com
>
> and for working-time e.g.:
>
> acl worktime time MTWHF 08:00-17:00
> http_access deny !localweb !updates !worktime
>
> This works fine for the Windows boxes, but for Linux clients, I have
> problems allowing 24h access for updates, because most Linux
> package-managers use some kind of mirrorlists with "metalinks".
>
> Here is a sample file, that is requested by the package-manager and
> contains a list of mirrors:
>
> https://mirrors.fedoraproject.org/metalink?repo=fedora-source-13&arch=i386
>
> How can I allow access based on the content of that metalink file? Is
> that possible? I don't want to hook all Linux boxes on a single mirror.

Why not? Restricting to a small sub-set of close or fast mirrors can improve your bandwidth speeds and overall long-haul costs.

Squid does not itself consider the data content of any requests beyond the basic requirements of transfer encoding. You will have to find or create helpers to do the inspection and store the results and an external_acl_type helper to give Squid a live verdict about what's currently okay to accept.

An ICAP or eCAP adapter saving okay URLs/domains to a BerkeleyDB (1.85 format) could leverage the session helper.

Amos
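
A sketch of the external_acl_type helper half of the reply above, added here as an example and not code from the thread or from the Squid project. As a simpler stand-in for the ICAP/eCAP inspection step it parses a metalink document out of band and answers OK/ERR per destination host; the helper path, ACL names and sample hostnames are assumptions.

```python
"""Squid external_acl_type helper: allow only hosts named in a metalink file.
Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type mirrorcheck ttl=300 %DST /usr/local/bin/mirror_acl.py
  acl linuxmirrors external mirrorcheck
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in Metalink 3.0 layout; hostnames are placeholders.
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="repomd.xml"><resources>
  <url protocol="http" type="http">http://mirror-a.example.org/fedora/repomd.xml</url>
  <url protocol="ftp" type="ftp">ftp://Mirror-B.example.net/pub/fedora/repomd.xml</url>
  <url protocol="rsync" type="rsync">rsync://mirror-c.example.com/fedora/repomd.xml</url>
 </resources></file></files>
</metalink>"""

ALLOWED_SCHEMES = {"http", "https", "ftp"}  # schemes the proxy would carry

def mirror_hosts(metalink_xml):
    """Return the lower-cased hostnames of every usable <url> element."""
    hosts = set()
    for elem in ET.fromstring(metalink_xml).iter():
        # Match on the local name so the XML namespace does not matter.
        if elem.tag.rsplit("}", 1)[-1] != "url" or not elem.text:
            continue
        parts = urlsplit(elem.text.strip())
        if parts.scheme in ALLOWED_SCHEMES and parts.hostname:
            hosts.add(parts.hostname)  # urlsplit already lower-cases it
    return hosts

def verdict(request_line, hosts):
    """Answer one request line (it carries %DST) with OK or ERR."""
    fields = request_line.split()
    dst = fields[0].lower().rstrip(".") if fields else ""
    # Exact match only: a listed mirror does not whitelist its subdomains.
    return "OK" if dst in hosts else "ERR"

def serve(hosts, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one request per line in, one flushed reply per line out."""
    for line in stdin:
        stdout.write(verdict(line, hosts) + "\n")
        stdout.flush()

if __name__ == "__main__":
    serve(mirror_hosts(SAMPLE_METALINK))
```

In a deployment the metalink text would be refreshed from the distribution's mirror service on a schedule instead of being embedded, and the resulting `linuxmirrors` ACL would be referenced from the http_access rules.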