RE: [squid-users] transparent Proxy

From: Thomas Raef <traef06@dont-contact.us>
Date: Thu, 1 Nov 2007 06:04:35 -0500

> Thomas Raef wrote:
> > You need to apply your acls with some deny statements.
> >
> > http_reply_access deny blockfiles for your mp3's, etc.
> >
> > To block websites I use dstdomain instead of url_regex.
> >
> > So my squid.conf contains:
> >
> > acl blocksites dstdomain "/etc/squid/squid-block.acl"
> >
> > http_access deny blocksites
> >
> >
> > One other suggestion would be to block by filetype and not just file
> > extension.
> >
> >> Hi List,
> >> I'm new to this list. I have a question about transparent
> >> proxy. if I apply an ACL for downloading mp3 and mpeg. but it's not
> >> working, users are able to download mp3 or mpeg...
> >> here is my config..squid.conf file.
> >>
> >> port 8080
> >> acl blocksites url_regex "/etc/squid/squid-block.acl"
>
> That should be:
>
> acl blocksites dstdomain "/etc/squid/squid-block.acl"
>
> >>
> >> "quid-block.acl"
> >> .meebo.coms
> >> .sex.com
>
>
>
> >>
> >> acl blockfiles urlpath_regex "/etc/squid/multimedia.files.acl"
> >>
> >> "multimedia.files.acl"
> >> \.[Aa][Vv][Ii]$
> >> \.[Mm][Pp][Gg]$
> >> \.[Mm][Pp][Ee][Gg]$
> >> \.[Mm][Pp]3$
>
> you can also simplify your regex a LOT, by adding -i to the acl and
> making it case insensitive.
>
> acl blockfiles urlpath_regex -i "..."
>
> http_access is the best to use with this, it catches things on the way
> out before using up any bandwidth.
>
> http_access deny blocksites
> http_access deny blockfiles
>
> as Thomas Raef said earlier there is also the rep_mime_type acl for
> catching anything incoming that uses other file extensions (scripts etc)
>
> Amos
[Tom replied with:]

Ah yes. I recommended http_reply_access and as Amos stated correctly it
should be http_access.

For the rep_mime_type acl you could use:

acl blockfile_type rep_mime_type audio/mpeg
...
http_reply_access deny blockfile_type

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"
Received on Thu Nov 01 2007 - 05:04:38 MDT
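
An added example, not part of the original messages or of Squid itself: a small Python check for the two mistakes discussed in this thread, ACLs that are defined but never applied by an access rule, and a rep_mime_type ACL placed in http_access instead of http_reply_access. The sample config (including the localnet ACL and its address range) is constructed for illustration, and the check only looks at http_access and http_reply_access lines.

```python
# Constructed sample modelled on the config quoted in the thread:
# blockfiles is defined but never applied, and the reply-side MIME ACL
# is referenced from http_access, where reply headers do not exist yet.
SAMPLE_CONF = '''
http_port 8080
acl blocksites dstdomain "/etc/squid/squid-block.acl"
acl blockfiles urlpath_regex -i "/etc/squid/multimedia.files.acl"
acl blockfile_type rep_mime_type audio/mpeg
acl localnet src 192.168.0.0/24
http_access deny blocksites
http_access deny blockfile_type
http_access allow localnet
http_access deny all
'''

ACCESS_DIRECTIVES = ("http_access", "http_reply_access")


def lint_squid_conf(text):
    """Return a sorted list of (acl_name, problem) findings."""
    acl_types = {}  # acl name -> acl type (first definition wins)
    used_in = {}    # acl name -> set of access directives referencing it
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "acl":
            acl_types.setdefault(fields[1], fields[2])
        elif len(fields) >= 3 and fields[0] in ACCESS_DIRECTIVES:
            # fields[1] is allow/deny; the rest are ACL names, maybe negated
            for name in fields[2:]:
                used_in.setdefault(name.lstrip("!"), set()).add(fields[0])
    findings = []
    for name, acl_type in acl_types.items():
        refs = used_in.get(name, set())
        if not refs:
            findings.append((name, "defined but never applied"))
        if acl_type == "rep_mime_type" and "http_access" in refs:
            findings.append((name, "reply ACL used in http_access"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in lint_squid_conf(SAMPLE_CONF):
        print(f"{name}: {problem}")
```

An ACL used only by other directives would also be reported as never applied, so treat that finding as a prompt to check rather than a definite error.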
