Re: [squid-users] Allowing downloads from certain sites

From: Chaitanya Shastri <chait.shastri_at_gmail.com>
Date: Fri, 29 Jun 2012 18:06:55 +0530

Hi,
  My question is simple. I have blocked all the downloads on my LAN
systems using acl rules. But there is a trusted domain, say
"example.com" from which users on my LAN should be able to download
any file. For example: zip or exe file. I do not have site restriction
on that site. So all users can access the site, but they are not able
to download through that site.
I tried using \.microsoft\.com using dstdomain acl type. But it's not
working. The http_reply_access rule is denying the download.
I have the following configuration:

acl allow_downloads dstdomain -i \.microsoft\.com
http_reply_access allow allow_downloads
http_reply_access deny all

I want to allow downloading from "example.com" domain while still
restricting downloads from other domains.
Any ideas?

Thanks.

On Fri, Jun 29, 2012 at 5:32 PM, Edmonds Namasenda <namasenda_at_gmail.com> wrote:
>>> Shastri, try the below
>>>
>>> Assume...
>>> 1. Preventing Downloads File (nodowns.txt) has the following
>>> \.msi$
>>> \.exe$
>>> \.zip$
>>> \.etc$
>
> The above is regex
>
>>>
>>> 2. Trusted Sites File (goodsites.txt) has the following
>>> *.*microsoft*.com*
>>> *.*windows*.com*
>>> *.*etc*.com*.com*
>>
>>
>> WTF? Does regex even accept that?
>>
>> *.*microsoft*.com*
>
> Amos, the above is dstdomain. You must have missed the regex entries
> before this.
>
>>
>>  ==>   (zero or more 'nothings')(zero or more characters)(the text
>> "microsof")(zero or more 't' characters)(any single character)(the text
>> "co")(zero or more 'm' characters)
>>
>> Don't you mean this?
>>  \.microsoft\.com
>>  \.windows\.com
>>  \.etc\.com\.com
>>
>
> Thanks for that insight.
>
>>
>> Or perhaps the better version:
>>
>>  acl goodsites dstdomain .microsoft.com .windows.com .etc.com.com
>>
>>
>
> Will that not be too much if you have a long list of sites?
>
>>>
>>> 3. Accompanying ACLs for files above
>>> acl nodowns urlpath_regex -i "/path_to/nodowns.txt" # With quotation marks
>>> acl goodsites dstdomain -i "/path_to/goodsites.txt" # With quotation marks
>>>
>>> 4. Controlling Rule
>>> http_access deny nodowns !goodsites # Put it above any "allow" rule
>>>
>>> The above is my thinking, and I could do with correction.
>>>
>>> # Edmonds
>>
>>
>> Pretty much. The problem is that Chaitanya supplied no details about their
>> config. Could be much simpler or much more complicated.
>>
>> Amos
>>
>>>
>>> On Fri, Jun 29, 2012 at 12:30 PM, Chaitanya Shastri wrote:
>>>>
>>>> Hi Amos,
>>>>
>>>>    I have acl rules for preventing downloads on client machines. So a
>>>> client cannot download any file (for example, .exe, .zip .. etc ) on
>>>> his/her machine.
>>>> What I want is that all clients should be able to download any type of
>>>> file from certain trusted domain.
>>>> In short I want to allow a domain in my squid configuration from which
>>>> any client can download any type of file.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Jun 29, 2012 at 1:15 PM, Amos Jeffries wrote:
>>>>>
>>>>> On 29/06/2012 6:10 p.m., Chaitanya Shastri wrote:
>>>>>>
>>>>>> Hi list,
>>>>>>
>>>>>>    Is it possible to allow downloads from certain trusted sites?  I
>>>>>> tried using the url_regex acl to list certain trusted sites from which
>>>>>> our users can download any file.
>>>>>>
>>>>>>    Ex. acl allow_downloads url_regex -i ^http:\/\/example\.com
>>>>>>          http_reply_access allow allow_downloads localnet  # where
>>>>>> localnet is my LAN range
>>>>>>
>>>>>>    But it's not working. Any ideas on how to get it to work?
>>>>>>
>>>>>> Thanks.
>>>>>
>>>>>
>>>>> Any idea what is blocking them from working in the first place?
>>>>>
>>>>> Amos
>>>>>
Received on Fri Jun 29 2012 - 12:37:03 MDT
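
An added example, not part of the original thread: a simplified Python model of the rule `http_access deny nodowns !goodsites` discussed above, showing why a dstdomain ACL needs the `.microsoft.com` form rather than regex syntax. The matching functions, the sample URLs and the final allow rule are assumptions made for illustration and do not reproduce Squid's own code.

```python
import re
from urllib.parse import urlsplit

# Patterns from the thread, held in memory instead of nodowns.txt / goodsites.txt.
NODOWNS = [r"\.msi$", r"\.exe$", r"\.zip$"]       # urlpath_regex -i entries
GOODSITES = [".microsoft.com", ".windows.com"]    # dstdomain entries, leading-dot form
ESCAPED = [r"\.microsoft\.com"]                   # regex syntax placed in a dstdomain ACL

def dstdomain_match(host, patterns):
    """Simplified dstdomain: a leading dot matches the domain and its
    subdomains; any other entry is compared literally (no regex, no globs)."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def urlpath_regex_match(url, patterns):
    """Simplified urlpath_regex -i: case-insensitive search over the path.
    Assumption: query strings are ignored in this model."""
    path = urlsplit(url).path
    return any(re.search(p, path, re.I) for p in patterns)

def http_access(url, goodsites):
    """Models 'http_access deny nodowns !goodsites' followed by an assumed
    later allow rule; the first matching rule decides."""
    host = urlsplit(url).hostname or ""
    if urlpath_regex_match(url, NODOWNS) and not dstdomain_match(host, goodsites):
        return "deny"
    return "allow"

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "http://download.microsoft.com/tools/setup.exe",
        "http://downloads.example.net/SETUP.EXE",
        "http://downloads.example.net/index.html",
    ]
    for url in samples:
        print(f"{http_access(url, GOODSITES):5}  {http_access(url, ESCAPED):5}  {url}")
```

The first column uses the leading-dot entries and the second uses the backslash-escaped entry, which never matches a real host name, so the trusted download is denied along with the rest.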
