But how to write properly sth like this
'http_access allow clients|managers|clients2 #Squid cannot start with that line'
I want to replace 'http_access allow all' line with this given above.

Best

2010/11/2 Konrado Z <konradoz@xxxxxxxxxxxxxxxx>:
> Yep, of course it should be http_reply_access.
> Thanks Amos it's that what I need
>
> 2010/11/2 Konrado Z <konradoz@xxxxxxxxxxxxxxxx>:
>> OK so I have defined
>>
>> acl webMimes rep_mime_type -i "etc/squid/mimes"
>>
>> Mimes file:
>> text/(html|css|plain|richtext)
>> application/(msword|pdf|vnd.ms-powerpoint|vnd.ms-excel|zip|x-compress)
>> image/(bmp|gif|jpeg|png|tiff|gif)
>>
>> and http_access section:
>> #http_access deny clients workingHours funWebsites
>> http_access deny clients !webMimes
>> http_access allow all
>>
>> Unfortunately 'clients' cannot browse any website even sth like
>> exampleDomain/exampleFile.txt
>>
>> Any suggestions?
>>
>> 2010/11/2 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>> On Mon, 1 Nov 2010 23:01:42 +0100, Konrado Z <konradoz@xxxxxxxxxxxxxxxx> wrote:
>>>> Thanks for your response.
>>>>
>>>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>>>
>>>>>> http_access deny clients workingHours funWebsites
>>>>>> http_access deny clients !officeFiles
>>>>>> http_access allow all
>>>>>
>>>>> NP: "allow all" means traffic from the entire Internet. That should be
>>>>> "allow clients".
>>>>>
>>>>
>>>> Thanks that is a useful tip
>>>>
>>>>>
>>>>> As requested earlier:
>>>>> "Please list the exact full set of patterns you are using. One of them
>>>>> is probably wrong."
>>>>>
>>>>> That means the exact and full content of /etc/squid/officeFiles. Sorry if
>>>>> I was unclear.
>>>>
>>>> \.[Dd][Oo][Cc]$
>>>> \.[Pp][Dd][Ff]$
>>>> \.[Xx][Ll][Ss]$
>>>> \.[Zz][Ii][Pp]$
>>>> \.[Gg][Ii][Ff]$
>>>> \.[Pp][Pp][Tt]$
>>>>
>>>> And jpg, rar, tiff, bmp, txt in the same style.
>>>>
>>>> I know that using this into http_access deny clients !officeFiles
>>>> causes blocking the whole WWW service (clients are allowed to download
>>>> only these types of files) but I'm not able to list every extension
>>>> such html, htm, php, asp etc. I want to make Internet service
>>>
>>> The pattern to match for the common web files is quite short:
>>>
>>> # defined white-list of acceptable web file extensions
>>> acl webFiles urlpath_regex -i [^?]*(\.([xd]?html?|aspx?|php[345]?|cgi|css|js|jpe?g|gif|png|x[ms]l||xst|swf)|/)(\?.*)?$
>>>
>>>
>>>> available for clients but I want to deny DOWNLOADING files which are
>>>> not typical office files. And how to do it? I have no idea :)
>>>
>>> You face a concept problem:
>>> In HTTP *everything* including the HTML structure of the page is a
>>> DOWNLOAD. There is zero difference in file type between a "Download"
>>> button, a menu bar and some porn. Only the browser controls whether it asks
>>> to save the object or displays it (eg. opening an XHTML web page in IE4
>>> will ask you where to save it).
>>>
>>> Consider as well how does one find these office files in order to
>>> download? when the HTML page (or HTML email), download button graphics,
>>> captcha security, search scripts and layout CSS are all blocked?
>>>
>>>
>>> I really think you need to clarify which types and sizes of object things
>>> are limited to. Then use http_reply_access on the file rep_mime_type.
>>> Probably source websites in http_access.
>>>
>>>>
>>>> P.S I was probably unclear earlier. Unfortunately my English is not so
>>>> well, so sorry :)
>>>> Konradoz
>>>>
>>>>> Amos
>>>>>
>>>>>>
>>>>>> 2010/11/1 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>>>> On 01/11/10 12:46, Konrado Z wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have encountered a problem with ACL. I want to disable download all
>>>>>>>> kinds of files for subnet specified except pdf, doc, xls, txt, zip. I
>>>>>>>> have created officeFile file which is shown below:
>>>>>>>>
>>>>>>>> \.[Dd][Oo][Cc]$
>>>>>>>> \.[Tt][Xx][Tt]$
>>>>>>>> etc.
>>>>>>>>
>>>>>>>> but,
>>>>>>>>
>>>>>>>> acl clients 192.168.56.0/24
>>>>>>>> acl officeFiles urlpath_regex "/etc/squid/officeFiles"
>>>>>>>
>>>>>>> Using -i makes the pattern non-case-sensitive.
>>>>>>> acl officeFiles urlpath_regex -i \.(doc|txt)$
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> http_access deny clients !officeFiles
>>>>>>>> http_access allow all #It has to be here because it is the last line in my config which is associated with other ACLS
>>>>>>>>
>>>>>>>>
>>>>>>>> doesn't work because clients cannot open even google.com. I have no
>>>>>>>> idea, how to overcome that problem. How to write this ACL and
>>>>>>>> http_access to work properly.
>>>>>>>> Please help.
>>>>>>>
>>>>>>> Please list the exact full set of patterns you are using. One of them is
>>>>>>> probably wrong.
>>>>>>>
>>>>>>>
>>>>>>> You could also match the actual reply mime types. This reply ACL allows some
>>>>>>> types and denies the rest:
>>>>>>>
>>>>>>> acl webMime rep_mime_type -i text/html image/jpeg image/png image/gif text/css
>>>>>>> http_reply_access deny !webMime
>>>>>>>
>>>>>>>
>>>>>>> Amos
>>>>>>> --
>>>>>>> Please be using
>>>>>>> Current Stable Squid 2.7.STABLE9 or 3.1.8
>>>>>>> Beta testers wanted for 3.2.0.2
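
The rule evaluation discussed in this thread, modelled as an added example (not code from the thread or from Squid): ACL names on one http_access line are ANDed and the first matching line decides, which is why 'deny clients !officeFiles' rejects a request for '/' and why a choice between groups is written as separate allow lines rather than with '|'. The 'managers' subnet, the sample addresses and the PER_GROUP rule list are constructed for illustration.

```python
import ipaddress
import re

# 'clients' and the officeFiles patterns are taken from the thread;
# the 'managers' subnet is a constructed value for illustration.
SRC = {"clients": "192.168.56.0/24", "managers": "192.168.57.0/24",
       "all": "0.0.0.0/0"}
URLPATH = {"officeFiles": [r"\.[Dd][Oo][Cc]$", r"\.[Pp][Dd][Ff]$",
                           r"\.[Xx][Ll][Ss]$", r"\.[Zz][Ii][Pp]$",
                           r"\.[Gg][Ii][Ff]$", r"\.[Pp][Pp][Tt]$"]}

def acl_matches(name, src_ip, path):
    """Evaluate one named ACL; the values inside a single ACL are ORed."""
    if name in SRC:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(SRC[name])
    return any(re.search(p, path) for p in URLPATH[name])

def http_access(rules, src_ip, path):
    """First matching line wins; every ACL named on a line must match (AND)."""
    for line in rules:
        action, *acls = line.split()
        # A leading '!' negates the ACL, as in squid.conf.
        if all(acl_matches(a.lstrip("!"), src_ip, path) != a.startswith("!")
               for a in acls):
            return action
    return "deny"  # assumption of this model: no matching line means deny

# Rules as posted in the thread.
POSTED = ["deny clients !officeFiles", "allow all"]
# Constructed sketch: one allow line per group (lines are ORed), then an
# explicit deny so that nothing outside the named groups is let through.
PER_GROUP = ["deny clients !officeFiles", "allow clients",
             "allow managers", "deny all"]

def demo():
    return [
        http_access(POSTED, "192.168.56.10", "/"),            # site front page
        http_access(POSTED, "192.168.56.10", "/report.doc"),  # office file
        http_access(PER_GROUP, "192.168.57.20", "/"),         # a manager
        http_access(PER_GROUP, "203.0.113.9", "/"),           # outside host
    ]

if __name__ == "__main__":
    print(demo())
```
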