OK so I have defined

acl webMimes rep_mime_type -i "etc/squid/mimes"

Mimes file:

text/(html|css|plain|richtext)
application/(msword|pdf|vnd.ms-powerpoint|vnd.ms-excel|zip|x-compress)
image/(bmp|gif|jpeg|png|tiff|gif)

and http_access section:

#http_access deny clients workingHours funWebsites
http_access deny clients !webMimes
http_access allow all

Unfortunately 'clients' cannot browse any website even sth like
exampleDomain/exampleFile.txt

Any suggestions?

2010/11/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On Mon, 1 Nov 2010 23:01:42 +0100, Konrado Z <konradoz@xxxxxxxxxxxxxxxx>
> wrote:
>> Thanks for your response.
>>
>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>
>>>> http_access deny clients workingHours funWebsites
>>>> http_access deny clients !officeFiles
>>>> http_access allow all
>>>
>>> NP: "allow all" means traffic from the entire Internet. That should be
>>> "allow clients".
>>>
>>
>> Thanks that is a useful tip
>>
>>>
>>> As requested earlier:
>>> "Please list the exact full set of patterns you are using. One of them
>>> is probably wrong."
>>>
>>> That means the exact and full content of /etc/squid/officeFiles. Sorry if
>>> I was unclear.
>>
>> \.[Dd][Oo][Cc]$
>> \.[Pp][Dd][Ff]$
>> \.[Xx][Ll][Ss]$
>> \.[Zz][Ii][Pp]$
>> \.[Gg][Ii][Ff]$
>> \.[Pp][Pp][Tt]$
>>
>> And jpg, rar, tiff, bmp, txt in the same style.
>>
>> I know that using this into http_access deny clients !officeFiles
>> causes blocking the whole WWW service (clients are allowed to download
>> only these types of files) but I'm not able to list every extension
>> such html, htm, php, asp etc. I want to make Internet service
>
> The pattern to match for the common web files is quite short:
>
> # defined white-list of acceptable web file extensions
> acl webFiles urlpath_regex -i [^?]*(\.([xd]?html?|aspx?|php[345]?|cgi|css|js|jpe?g|gif|png|x[ms]l|xst|swf)|/)(\?.*)?$
>
>
>> available for clients but I want to deny DOWNLOADING files which are
>> not typical office files. And how to do it? I have no idea :)
>
> You face a concept problem:
> In HTTP *everything* including the HTML structure of the page is a
> DOWNLOAD. There is zero difference in file type between a "Download"
> button, a menu bar and some porn. Only the browser controls whether it asks
> to save the object or displays it (eg. opening an XHTML web page in IE4
> will ask you where to save it).
>
> Consider as well how does one find these office files in order to
> download? when the HTML page (or HTML email), download button graphics,
> captcha security, search scripts and layout CSS are all blocked?
>
>
> I really think you need to clarify which types and sizes of object things
> are limited to. Then use http_reply_access on the file rep_mime_type.
> Probably source websites in http_access.
>
>>
>> P.S I was probably unclear earlier. Unfortunately my English is not so
>> well, so sorry :)
>> Konradoz
>>
>>> Amos
>>>
>>>>
>>>> 2010/11/1 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>> On 01/11/10 12:46, Konrado Z wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have encountered a problem with ACL. I want to disable download all
>>>>>> kinds of files for subnet specified except pdf, doc, xls, txt, zip. I
>>>>>> have created officeFile file which is shown below:
>>>>>>
>>>>>> \.[Dd][Oo][Cc]$
>>>>>> \.[Tt][Xx][Tt]$
>>>>>> etc.
>>>>>>
>>>>>> but,
>>>>>>
>>>>>> acl clients 192.168.56.0/24
>>>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>>
>>>>> Using -i makes the pattern non-case-sensitive.
>>>>> acl officeFiles urlpath_regex -i \.(doc|txt)$
>>>>>
>>>>>
>>>>>>
>>>>>> and
>>>>>>
>>>>>> http_access deny clients !officeFiles
>>>>>> http_access allow all #It has to be here because it is the last line
>>>>>> in my config which is associated with other ACLS
>>>>>>
>>>>>>
>>>>>> doesn't work because clients cannot open even google.com. I have no
>>>>>> idea, how to overcome that problem. How to write this ACL and
>>>>>> http_access to work properly.
>>>>>> Please help.
>>>>>
>>>>> Please list the exact full set of patterns you are using. One of them is
>>>>> probably wrong.
>>>>>
>>>>>
>>>>> You could also match the actual reply mime types. This reply ACL allows
>>>>> some types and denies the rest:
>>>>>
>>>>> acl webMime rep_mime_type -i text/html image/jpeg image/png image/gif text/css
>>>>> http_reply_access deny !webMime
>>>>>
>>>>>
>>>>> Amos
>>>>> --
>>>>> Please be using
>>>>>   Current Stable Squid 2.7.STABLE9 or 3.1.8
>>>>>   Beta testers wanted for 3.2.0.2
>>>>>
>>>
>
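
Added example (not part of the original thread, and not the poster's or the Squid project's own configuration): the MIME allow-list from the newest message, moved from http_access to http_reply_access as Amos suggests in the quoted reply. rep_mime_type is matched against the reply's Content-Type, and Squid's documentation notes that it has no effect in http_access, so "!webMimes" is true for every request there and the deny line blocks all browsing for 'clients'. The "src" ACL type, the absolute path /etc/squid/mimes and the closing "deny all" are assumptions.

```conf
# Added example, not from the thread.
# Assumed: "src" ACL type and an absolute path for the pattern file.
acl clients src 192.168.56.0/24

# /etc/squid/mimes holds one regex per line, as posted in the thread:
#   text/(html|css|plain|richtext)
#   application/(msword|pdf|vnd.ms-powerpoint|vnd.ms-excel|zip|x-compress)
#   image/(bmp|gif|jpeg|png|tiff|gif)
# Leave the patterns unanchored at the end: Content-Type values often
# carry parameters such as "; charset=utf-8".
acl webMimes rep_mime_type -i "/etc/squid/mimes"

# Before (from the thread): evaluated while only the request exists, so
# webMimes cannot match and "!webMimes" denies every client request.
#http_access deny clients !webMimes
#http_access allow all

# After: the request phase only decides who may use the proxy ...
http_access allow clients
http_access deny all

# ... and the reply phase filters on the Content-Type the server sent.
http_reply_access deny clients !webMimes
http_reply_access allow all
```

Content-Type is whatever the origin server declares, so this enforces policy on declared types rather than on actual file contents. Run "squid -k parse" after editing to check the syntax before reloading.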