You have allowed the http request to the site, but you have denied the
reply. http_access and http_reply_access are different rule types.
If you add an "http_reply_access allow no_filter_dst" above the last
rule I think it will work.
Thanks
Alex
On 31/03/13 12:21, richard lucassen wrote:
Hello list, Yet Another Access List Question.
As the doc says:
"Access list rules are checked in the order they are written. List
searching terminates as soon as one of the rules is a match."
Well, that's quite clear I'd say. But why isn't this working properly:
############################################################
acl richard2_src src 92.68.12.178
[..]
acl no_filter_dst dstdomain "/etc/squid/nofilter.domains.txt"
acl allow_mime_types rep_mime_type -i ^text/.* ^image/.* ^text/plain ^text/html ^application/.*ms.*word.* ^application/.*ms.*excel.* ^application/.*pdf.* ^application/.*xml.* ^application/.*java.*
[..]
http_access allow no_filter_dst
http_reply_access deny !allow_mime_types richard2_src
[..]
############################################################
$ cat /etc/squid/nofilter.domains.txt
.xaq.nl
The MIME type filter is working properly. But if I visit
http://www.xaq.nl/ there is an swf file which should be blocked by the
"allow_mime_types". But as the domain is allowed in the rule above
"allow_mime_types", the "no_filter_dst", I'd expect that squid accepts
the swf on that particular page. But it is denied:
1364728671.633 7 92.68.12.178 TCP_DENIED/403 1532 GET http://www.xaq.nl/clock.swf - DIRECT/192.87.112.211 text/html
Why is that?
R.
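
Added example (not part of the thread and not Squid's own code): a simplified Python model of the two rule lists discussed above, showing that the request list and the reply list are each searched first-match on their own, so an allow in http_access does not carry over to http_reply_access. The function names, the reduced rule lists (the "[..]" rules are omitted) and the SWF content type application/x-shockwave-flash are assumptions.

```python
import re

# Constructed model of the rules shown in the thread; elided "[..]" rules are omitted.
ALLOWED_MIME = [re.compile(p, re.I) for p in (
    r"^text/.*", r"^image/.*", r"^application/.*ms.*word.*",
    r"^application/.*ms.*excel.*", r"^application/.*pdf.*",
    r"^application/.*xml.*", r"^application/.*java.*")]

ACLS = {
    "richard2_src": lambda t: t["src"] == "92.68.12.178",
    # dstdomain ".xaq.nl" matches the domain itself and every subdomain
    "no_filter_dst": lambda t: t["host"] == "xaq.nl" or t["host"].endswith(".xaq.nl"),
    "allow_mime_types": lambda t: any(p.search(t["mime"]) for p in ALLOWED_MIME),
}

def check(rules, txn):
    """Return the action of the first rule whose ACLs all match (AND).
    With no match, the result is the opposite of the last rule's action."""
    for action, names in rules:
        if all(ACLS[n.lstrip("!")](txn) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def verdict(http_access, http_reply_access, txn):
    """The request list and the reply list are searched independently."""
    if check(http_access, txn) == "deny":
        return "denied at request"
    if check(http_reply_access, txn) == "deny":
        return "denied at reply"
    return "allowed"

HTTP_ACCESS = [("allow", ["no_filter_dst"])]
REPLY_AS_POSTED = [("deny", ["!allow_mime_types", "richard2_src"])]
# The change suggested in the reply: an allow for the domain above the deny rule
REPLY_WITH_FIX = [("allow", ["no_filter_dst"])] + REPLY_AS_POSTED

# Constructed transactions; the SWF content type is an assumption
SWF = {"src": "92.68.12.178", "host": "www.xaq.nl",
       "mime": "application/x-shockwave-flash"}
HTML = dict(SWF, mime="text/html")

if __name__ == "__main__":
    for name, reply_rules in (("as posted", REPLY_AS_POSTED), ("with fix", REPLY_WITH_FIX)):
        print(name, "| swf:", verdict(HTTP_ACCESS, reply_rules, SWF),
              "| html:", verdict(HTTP_ACCESS, reply_rules, HTML))
```

With the allow rule placed first in the reply list, replies from other destinations still fall through to the MIME-type deny rule for this client.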