On 11/03/2016 4:31 p.m., Victor Sudakov wrote:
> Dear Colleagues,
>
> New Internet access rules are being introduced in our company, among
> them there is a requirement to have special groups of Internet users
> who are permitted to:
>
> 1. Download files from the Internet.
>

That one is easy. *everything* in HTTP is downloaded. It is only how you view it that changes (in-browser vs. out-of-browser).

  "http_access deny all"

But perhaps there is a more detailed definition of "files" that was intended.

> 2. Use Web forums.
>
> 3. Use streaming audio/video.
>
> By default users should have no access to the above facilities.
>
> These requirements may sound stupid and vague to some, but is there a
> way to accommodate them at least partially, without keeping long lists
> of prohibited file extensions and domains, which is very
> counterproductive?

Not stupid at all. There are some good reasons any of these might be needed. The vagueness is the main problem.

> 1. Download files from the Internet.
>

That one is easy >:-). *everything* in HTTP is downloaded. It is only how you view it that changes (in-browser vs. out-of-browser).

So:

  "http_access deny all"

But perhaps there is a more detailed definition of "files" that was intended.

See the example for #3 below. Once you can narrow down *what types* of files are relevant (audio, video, executables, archives, pdf, text, flash, etc, etc ?) you can use reply content-type restriction to control them arriving.

NP: Squid will still fetch them from the server (we can't stop that at least starting to arrive), but be blocked from delivering to the user.

Note that streaming (#3) is just an audio/video file being downloaded. It happens to be being played at the same time. But it is still a download.

> 2. Use Web forums.

Likewise. Anything in www can be a forum. To do anything useful "forums" needs to be defined in a technical way. As does "use".

I expect this one will end up being a long list of domains just by itself.

>
> 3. Use streaming audio/video.

This is somewhat easier than #1. Since "audio/video" is already a clear technical definition.

<http://wiki.squid-cache.org/ConfigExamples/#Multimedia_and_Data_Stream_filtering>

Example is not complete by any means. But demonstrates how to do it for the AV stuff you want to block.

You may also want to use:

  acl radio proto ICY
  http_reply_access deny radio

>
> I am perfectly aware that an advanced Internet user will be able to
> circumvent those prohibitions, but still, any recipes? I have looked
> in http://wiki.squid-cache.org/SquidFaq/SquidAcl but found nothing
> very useful.

Without technical definitions for "files", "forums", and "use" it's all just too vague.

Amos
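Added example, not part of the original message or of the Squid wiki page it links to: a squid.conf fragment showing the reply content-type restriction described above, combined with per-group exceptions as asked for in the question. The ACL names, the address ranges (documentation placeholders) and the choice of MIME types are all assumptions to be replaced with the site's own definitions of "files" and "streaming".

```squid
# --- Constructed example; every name and address below is an assumption ---

# Groups that are permitted the otherwise-denied content.
# Placeholder ranges from the documentation block 192.0.2.0/24.
acl streaming_users src 192.0.2.0/28
acl download_users  src 192.0.2.16/28

# "Streaming audio/video" defined technically: reply Content-Type
# (rep_mime_type takes case-insensitive regexes with -i).
acl av_reply rep_mime_type -i ^audio/ ^video/
acl av_reply rep_mime_type -i ^application/vnd\.apple\.mpegurl
acl av_reply rep_mime_type -i ^application/x-mpegurl
acl av_reply rep_mime_type -i ^application/dash\+xml

# Shoutcast/Icecast style streams, as in the message above.
acl radio proto ICY

# One possible technical definition of "files": archives,
# executables and untyped binary payloads.
acl file_reply rep_mime_type -i ^application/zip
acl file_reply rep_mime_type -i ^application/x-(gzip|tar|7z-compressed|rar-compressed)
acl file_reply rep_mime_type -i ^application/x-msdownload
acl file_reply rep_mime_type -i ^application/octet-stream

# Rules are evaluated top to bottom; first match wins.
# Permitted groups first, then deny-by-default for everyone else.
http_reply_access allow streaming_users av_reply
http_reply_access allow streaming_users radio
http_reply_access deny  av_reply
http_reply_access deny  radio

http_reply_access allow download_users file_reply
http_reply_access deny  file_reply

# Everything not classified above is still delivered.
http_reply_access allow all
```

These rules only see what the origin server declares in Content-Type, so a mislabelled reply passes, and replies carried inside an HTTPS CONNECT tunnel are not visible to them unless Squid is decrypting that traffic.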