Re: [squid-users] i want to block images with size more than 40 KB
So far, this has not been done. You can be the first! ;)

25.03.15 12:25, snakeeyes wrote:
> Thank you. Can you help me with this feature?
>
> cheers
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Yuri Voinov
> Sent: Tuesday, March 24, 2015 1:58 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] i want to block images with size more than 40 KB
>
> Don't think so. Probably you'll have to write your own helper to handle dynamic content. Or use the content adaptation feature.
>
> 25.03.15 11:34, snakeeyes wrote:
>> BTW can squid block dynamically loaded images, and ajax request which return images.
>> I want that on yahoo and google
>> Is that possible?
>>
>> =====
>>
>> , thanks it seems okay for normal http sites
>> I want to ask, is there a trick can we do it so that it be applied to google yahoo images search ??
>>
>> Here is what I see in yahoo logs, just small logs and all images are allowed and not blocked
>>
>> =====
>> 1426881748.078 70740 x.70 TCP_MISS/200 11790 CONNECT js.dmtry.com:443 - DIRECT/184.170.128.58 -
>> 1426881749.077103 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
>> 1426881749.752 29 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
>> 1426881750.098 21 xx.70 TCP_MISS/200 393 GET http://ping.chartbeat.net/ping? - DIRECT/23.21.149.132 image/gif
>> 1426881750.731 62443 xx.70 TCP_MISS/200 122185 CONNECT www.gstatic.com:443 - DIRECT/206.126.112.185 -
>> 1426881751.476 xx.70 TCP_MISS/200 4191 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
>> 1426881752.215505 xxx.70 TCP_MISS/200 459 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
>> 1426881753.005 1091 xx.70 TCP_MISS/200 5303 CONNECT av.beap.bc.yahoo.com:443 - DIRECT/76.13.28.21 -
>> 1426881762.280 12994 188.161.107.70 TCP_MISS/200 5502 CONNECT d.adgear.com:443 - DIRECT/205.204.71.140 -
>> 1426881764.215 16497 xx70 TCP_MISS/200 9832 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
>> 1426881764.216 16453 x.70 TCP_MISS/200 6534 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
>> 1426881765.044 18777 x.70 TCP_MISS/200 11132 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
>> 1426881765.681 15193 xx.107.70 TCP_MISS/200 6225 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
>> 1426881765.691 14149 xx.107.70 TCP_MISS/200 832 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
>> 1426881766.046 116219 xx.70 TCP_MISS/200 529 CONNECT d31qbv1cthcecs.cloudfront.net:443 - DIRECT/54.230.16.189 -
>> 1426881766.714296 xx.70 TCP_MISS/200 2228 POST http://ocsp.verisign.com/ - DIRECT/23.9.123.27 application/ocsp-response
>> 1426881770.049 117609 xx107.70 TCP_MISS/200 711 CONNECT d5nxst8fruw4z.cloudfront.net:443 - DIRECT/54.240.160.97 -
>> 1426881780.403 67786 xx.70 TCP_MISS/200 852 CONNECT www.yahoo.com:443 - DIRECT/98.139.180.149 -
>> 1426881781.519 353 xx.70 TCP_MISS/200 571 GET http://data.cnn.com/jsonp/breaking_news/domestic.json? - DIRECT/157.166.249.67 application/javascript
>> 1426881782.057 118788 xx.70 TCP_MISS/200 19972 CONNECT cdn2sitescout-a.akamaihd.net:443 - DIRECT/23.15.4.18 -
>> 1426881790.558 71055 xx TCP_MISS/200 26805 CONNECT s.yimg.com:443 - DIRECT/206.190.56.191 -
>> 1426881814.445 100461 xx TCP_MISS/200 124129 CONNECT ca.yahoo.com:443 - DIRECT/98.139.180.149 -
>> 1426881818.437 70709 xx70 TCP_MISS/200 8503 CONNECT beap-bc.yahoo.com:443 - DIRECT/206.190.57.60 -
>>
>> regards
>>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
>> Sent: Friday, March 20, 2015 9:56 AM
>> To: snakeeyes
>> Cc: squid-users@lists.squid-cache.org
>> Subject: Re: [squid-users] i want to block images with size more than 40 KB
>>
>> On 21/03/2015 12:05 p.m., snakeeyes wrote:
>>> Hi amos, thanks for reply
>>> I have tried @ top of squidf.conf
>>>
>>>   acl images rep_header Content-Type ^image/ ^x-image/
>>>   acl small rep_header Content-Length ^[1234]?[0-9]$
>>>   http_reply_access deny small images
>>>
>>> are you sure that it's blocking images with size 40KB
>>
>> Sorry I slightly mis-read your request. What I gave is blocking images *smaller* than 40 bytes (see what I mean about cut-n-paste without understanding?).
>>
>> To block images *over* 40 bytes change that to:
>>
>>   http_reply_access deny !small images
>>
>>> also I didn’t see extensions like jpg or bmp or similar like that ??!!
>>
>> Because HTTP does not transfer files. It transfers data. Sometimes data can *also* be found inside files, sometimes not.
>>
>> HTTP Content-Type header describes what format the data is. In this case you requested images in general, so that's the pattern I gave.
>>
>> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
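An added example, not part of the original thread or of Squid: the `small` pattern quoted above matches Content-Length values from 0 to 49 only, so this sketch generates a pattern for 0 to 40960 bytes (40 KB) and models `http_reply_access deny !small images` on constructed replies. The function names, the sample replies, and the assumption that a `rep_header` ACL does not match when the header is absent are this example's own.

```javascript
// Added example, not from the thread. All sample replies are constructed.

// Build an anchored, POSIX-ERE-compatible pattern that matches the decimal
// integers 0..max. Numbers with as many digits as max may not start with 0.
function contentLengthAtMost(max) {
  const digits = String(max);
  const n = digits.length;
  const alts = [];
  if (n > 1) alts.push(`[0-9]{1,${n - 1}}`); // fewer digits: always smaller
  for (let i = 0; i < n; i++) {
    const d = Number(digits[i]);
    const lo = i === 0 && n > 1 ? 1 : 0;
    if (d - 1 < lo) continue; // no smaller digit possible at this position
    const tail = n - i - 1;
    // Same prefix as max, a smaller digit here, then any digits after it.
    alts.push(
      digits.slice(0, i) + `[${lo}-${d - 1}]` + (tail ? `[0-9]{${tail}}` : "")
    );
  }
  alts.push(digits); // the limit itself
  return `^(${alts.join("|")})$`;
}

// The two ACLs from the thread, plus the generated 40 KB variant.
const THREAD_SMALL = /^[1234]?[0-9]$/;
const SMALL_40K = new RegExp(contentLengthAtMost(40 * 1024));
const IMAGE_TYPES = [/^image\//, /^x-image\//];

// Model of:  http_reply_access deny !small images
// Assumption: a rep_header ACL does not match when the header is absent.
function denied(reply, small) {
  const type = reply["content-type"];
  const length = reply["content-length"];
  const isImage =
    type !== undefined && IMAGE_TYPES.some((re) => re.test(type));
  const isSmall = length !== undefined && small.test(length);
  return isImage && !isSmall;
}

// Constructed replies (header names lower-cased).
const REPLIES = {
  thumbnail: { "content-type": "image/gif", "content-length": "393" },
  photo: { "content-type": "image/jpeg", "content-length": "122185" },
  chunkedImage: { "content-type": "image/png" }, // no Content-Length sent
  // CONNECT host:443 tunnel: the proxy relays encrypted bytes and sees no
  // Content-Type, which is why the quoted log shows "-" for those entries.
  tunnel: {},
};

function report(small) {
  const out = {};
  for (const [name, reply] of Object.entries(REPLIES)) {
    out[name] = denied(reply, small) ? "deny" : "allow";
  }
  return out;
}

// squid.conf line this pattern is meant for (value printed, not invented):
//   acl small rep_header Content-Length <pattern>
console.log(contentLengthAtMost(40 * 1024));
console.log("thread pattern:", report(THREAD_SMALL));
console.log("40 KB pattern: ", report(SMALL_40K));
```

The tunnel case is the one that matters for the Yahoo and Google question: every `CONNECT ...:443` entry is an opaque tunnel, so neither pattern can act on the images inside it.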
Re: [squid-users] assertion failed: client_side.cc:1515: connIsUsable(http-getConn())
Resending this after the last attempt went into the mail server black hole:

Hey Amos

I decided I’m not confident enough in 3.5.HEAD, after last time, to go back into production with it. Going to do some more local testing first.

That being said, I now have 3.4.12 in production with optimisations disabled and it seems to be doing fine performance and stability-wise. I only managed to capture one crash with optimisations disabled, so far, but it seemed to have some memory-related corruption, unfortunately.

Updates to come over the next few days.

On 23 March 2015 at 16:59, Dan Charlesworth d...@getbusi.com wrote:
> Hey Amos
>
> I decided I’m not confident enough in 3.5.HEAD, after last time, to go back into production with it. Going to do some more local testing first.
>
> That being said, I now have 3.4.12 in production with optimisations disabled and it seems to be doing fine performance and stability-wise. I only managed to capture one crash with optimisations disabled, so far, but it seemed to have some memory-related corruption, unfortunately.
>
> More to come tomorrow :-)
>
> On 20 Mar 2015, at 6:37 pm, Amos Jeffries squ...@treenet.co.nz wrote:
>> On 20/03/2015 8:34 p.m., Dan Charlesworth wrote:
>>> Thanks Amos. I'll put together a build with the upcoming snapshot on Monday, might even try disabling optimization for it too.
>>
>> Please do. If you're only getting 40 RPS out of the proxy during the test it's hard to see how not optimizing the code could be any worse, and it will help identifying some traffic details.
>>
>> Amos
Re: [squid-users] i want to block images with size more than 40 KB
I am pretty sure that squid doesn't have the function\option but maybe there are others that do possess or able to fulfill this feature. As much as I want new features and improvements in squid it is still possible for others to be able to write these bits of code.

Not been done.. ie in squid... squid is not the only software on the planet that does all sorts of ACLs. Even if this page: http://ngtech.co.il/squid/who_is_running_it/ is the reality it doesn't mean that everybody should use squid and not seek or look at other options. Even all these that are mentioned in the page above have their own developments which are not related to squid or Linux or BSD or any other OS.

Even if someone doesn't like it this is still the reality and even Linux with all his helpers are humans like any other human on the planet and it is possible in every moment that they can make a mistake and we are here to help them and all the other humans that are on the planet in this case that a mistake is happening.

Eliezer Croitoru

On 24/03/2015 23:46, Yuri Voinov wrote:
> So far, this has not been done. You can be the first! ;)
Re: [squid-users] load balancing and site failover
On 25/03/2015 9:55 a.m., brendan kearney wrote:
> Was not sure if bugzilla was used for mailing list issues. If you would like me to open one, I will but it looks like the list is working again.

Bugzilla is used, list bugs under the project services product.

As for your query...

> On Mar 24, 2015 2:25 PM, Brendan Kearney wrote:
>> On Tue, 2015-03-24 at 10:18 -0400, Brendan Kearney wrote:
>>> while load balancing is not a requirement in a proxy environment, it does afford a great deal of functionality, scaling and fault tolerance in one. several if not many on this list probably employ them for their proxies and likely other technologies, but they are not all created equal.
>>>
>>> i recently looked to see if a specific feature was in HAProxy. i was looking to see if HAProxy could reply to a new connection with a RST packet if no pool member was available.
>>>
>>> the idea behind this is, if all of the proxies are not passing the service check and are marked down by the load balancer, the reply of a RST in the TCP handshake (i.e. SYN - RST, not SYN - SYN/ACK - ACK) tells the browser to failover to the next proxy assigned by the PAC file.
>>>
>>> where i work, we have this configuration working. the load balancers are configured with the option to send a reset when no proxy is available in the pool. the PAC file assigns all 4 of the proxy VIPs in a specific order based on which proxy VIP is assigned as the primary. In every case, if the primary VIP does not have an available pool member, the browser fails over to the next in the list. failover would happen again, if the secondary VIP replies with a RST during the connection establishing. the process repeats until a TCP connection establishes or all proxies assigned have been exhausted. the browser will use the proxy VIP that it successfully connects to, for the duration of the session. once the browser is closed and reopened, the evaluation of the PAC file occurs again, and the process starts anew. plug-ins such as Proxy Selector are the exception to this, and can be used to reevaluate a PAC file by selecting it for use.
>>>
>>> we have used this configuration several times, when we found an ISP link was flapping or some other issue more global in nature than just the proxies was affecting our egress and internet access. i can attest to the solution as working and elegantly handling site wide failures.
>>>
>>> being that the solutions where i work are proprietary commercial products, i wanted to find an open source product that does this. i have been a long time user of HAProxy, and have recommended it for others here, but sadly they cannot perform this function. per their mailing list, they use the network stack of the OS for connection establishment and cannot cause a RST to be sent to the client during a TCP handshake if no pool member is available. they suggested an external helper that manipulates IPTables rules based on a pool member being available. they do not feel that a feature like this belongs in a layer 4/7 reverse proxy application.

They are right. HTTP != TCP.

In particular TCP depends on routers having a full routing map of the entire Internet (provided by BGP) and deciding the best upstream hop based on that global info. Clients have one (and only one) upstream router for each server they want to connect to.

In HTTP each proxy (aka router) performs independent upstream connection attempts, failover, and verifies it worked before responding to the client with a final response. Each proxy only has enough detail to check its upstream(s). Each proxy can connect to any server (subject to ACLs).

>>> my search for a load balancer solution went through ipvsadm, balance and haproxy before i selected haproxy. haproxy was more feature rich than balance, and easier to implement than ipvsadm. do any other list members have a need for such a feature from their load balancers? do any other list members have site failover solutions that have been tested or used and would consider sharing their design and/or pain points? i am not looking for secret sauce or confidential info, but more high level architecture decisions and such.

I haven't tested it but this should do what you are asking:

  acl err http_status 500-505 408
  deny_info TCP_RESET err
  http_reply_access deny err

It replaces the response from Squid with a TCP RST packet.

Amos
Re: [squid-users] I am seeing the following in my cache.log
On 25/03/2015 2:05 p.m., Monah Baki wrote:
> Thanks Amos,
>
> My problem is I only have control over the squid server. I can only tell the ISP to take the client offline and run some AntiVirus or better reimage the device.

The security problem is that your proxy is receiving over port 80 (*unencrypted* origin server) a request the client apparently sent on port 443 (encrypted origin server).

This may be caused by the client browser running a script which is hijacking it. Or somebody between your proxy and the client MITM'ing the connection and sending decrypted content out over the network in the clear.

Neither is a desirable situation.

> Within 2 hours my cache.log grew to 50MB in size and it was repeating the error mentioned over and over again till my squid server started complaining about running out of file descriptors, and stopped working.

Your proxy is configured such that it adds the Via header properly for loop detection. However, if there is another proxy stripping away that header and a loop happens it would directly lead to both the FD exhaustion and the extremely large amount of log entries (once per loop).

Amos
Re: [squid-users] I am seeing the following in my cache.log
Thanks Amos,

My problem is I only have control over the squid server. I can only tell the ISP to take the client offline and run some AntiVirus or better reimage the device.

Within 2 hours my cache.log grew to 50MB in size and it was repeating the error mentioned over and over again till my squid server started complaining about running out of file descriptors, and stopped working.

Thanks

On Tue, Mar 24, 2015 at 8:58 PM, Amos Jeffries squ...@treenet.co.nz wrote:
> On 25/03/2015 9:05 a.m., Monah Baki wrote:
>> Thanks Yuri for the URL. The company is a small ISP using policy based routing, so using WPAD or GPO isn't feasible.
>
> Did you start reading with the problem explanation? the bit about what's Squid's testing for and how to interpret the log lines?
>
> Your log is saying that there is a client sending requests on port 80 which claim to be requests *on port 443*. Even if the IP matches facebook the port don't.
>
> Amos
Re: [squid-users] i want to block images with size more than 40 KB
BTW can squid block dynamically loaded images, and ajax request which return images.
I want that on yahoo and google
Is that possible?

=====

, thanks it seems okay for normal http sites
I want to ask, is there a trick can we do it so that it be applied to google yahoo images search ??

Here is what I see in yahoo logs, just small logs and all images are allowed and not blocked

=====
1426881748.078 70740 x.70 TCP_MISS/200 11790 CONNECT js.dmtry.com:443 - DIRECT/184.170.128.58 -
1426881749.077103 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
1426881749.752 29 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
1426881750.098 21 xx.70 TCP_MISS/200 393 GET http://ping.chartbeat.net/ping? - DIRECT/23.21.149.132 image/gif
1426881750.731 62443 xx.70 TCP_MISS/200 122185 CONNECT www.gstatic.com:443 - DIRECT/206.126.112.185 -
1426881751.476 xx.70 TCP_MISS/200 4191 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
1426881752.215505 xxx.70 TCP_MISS/200 459 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
1426881753.005 1091 xx.70 TCP_MISS/200 5303 CONNECT av.beap.bc.yahoo.com:443 - DIRECT/76.13.28.21 -
1426881762.280 12994 188.161.107.70 TCP_MISS/200 5502 CONNECT d.adgear.com:443 - DIRECT/205.204.71.140 -
1426881764.215 16497 xx70 TCP_MISS/200 9832 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
1426881764.216 16453 x.70 TCP_MISS/200 6534 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
1426881765.044 18777 x.70 TCP_MISS/200 11132 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
1426881765.681 15193 xx.107.70 TCP_MISS/200 6225 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
1426881765.691 14149 xx.107.70 TCP_MISS/200 832 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
1426881766.046 116219 xx.70 TCP_MISS/200 529 CONNECT d31qbv1cthcecs.cloudfront.net:443 - DIRECT/54.230.16.189 -
1426881766.714296 xx.70 TCP_MISS/200 2228 POST http://ocsp.verisign.com/ - DIRECT/23.9.123.27 application/ocsp-response
1426881770.049 117609 xx107.70 TCP_MISS/200 711 CONNECT d5nxst8fruw4z.cloudfront.net:443 - DIRECT/54.240.160.97 -
1426881780.403 67786 xx.70 TCP_MISS/200 852 CONNECT www.yahoo.com:443 - DIRECT/98.139.180.149 -
1426881781.519353 xx.70 TCP_MISS/200 571 GET http://data.cnn.com/jsonp/breaking_news/domestic.json? - DIRECT/157.166.249.67 application/javascript
1426881782.057 118788 xx.70 TCP_MISS/200 19972 CONNECT cdn2sitescout-a.akamaihd.net:443 - DIRECT/23.15.4.18 -
1426881790.558 71055 xx TCP_MISS/200 26805 CONNECT s.yimg.com:443 - DIRECT/206.190.56.191 -
1426881814.445 100461 xx TCP_MISS/200 124129 CONNECT ca.yahoo.com:443 - DIRECT/98.139.180.149 -
1426881818.437 70709 xx70 TCP_MISS/200 8503 CONNECT beap-bc.yahoo.com:443 - DIRECT/206.190.57.60 -

regards

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, March 20, 2015 9:56 AM
To: snakeeyes
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] i want to block images with size more than 40 KB

On 21/03/2015 12:05 p.m., snakeeyes wrote:
> Hi amos, thanks for reply
> I have tried @ top of squidf.conf
>
>   acl images rep_header Content-Type ^image/ ^x-image/
>   acl small rep_header Content-Length ^[1234]?[0-9]$
>   http_reply_access deny small images
>
> are you sure that it's blocking images with size 40KB

Sorry I slightly mis-read your request. What I gave is blocking images *smaller* than 40 bytes (see what I mean about cut-n-paste without understanding?).

To block images *over* 40 bytes change that to:

  http_reply_access deny !small images

> also I didn’t see extensions like jpg or bmp or similar like that ??!!

Because HTTP does not transfer files. It transfers data. Sometimes data can *also* be found inside files, sometimes not.

HTTP Content-Type header describes what format the data is. In this case you requested images in general, so that's the pattern I gave.

Amos
Re: [squid-users] load balancing and site failover
Was not sure if bugzilla was used for mailing list issues. If you would like me to open one, I will but it looks like the list is working again.

On Mar 24, 2015 2:25 PM, Brendan Kearney bpk...@gmail.com wrote:
> On Tue, 2015-03-24 at 10:18 -0400, Brendan Kearney wrote:
>> while load balancing is not a requirement in a proxy environment, it does afford a great deal of functionality, scaling and fault tolerance in one. several if not many on this list probably employ them for their proxies and likely other technologies, but they are not all created equal.
>>
>> i recently looked to see if a specific feature was in HAProxy. i was looking to see if HAProxy could reply to a new connection with a RST packet if no pool member was available.
>>
>> the idea behind this is, if all of the proxies are not passing the service check and are marked down by the load balancer, the reply of a RST in the TCP handshake (i.e. SYN - RST, not SYN - SYN/ACK - ACK) tells the browser to failover to the next proxy assigned by the PAC file.
>>
>> where i work, we have this configuration working. the load balancers are configured with the option to send a reset when no proxy is available in the pool. the PAC file assigns all 4 of the proxy VIPs in a specific order based on which proxy VIP is assigned as the primary. In every case, if the primary VIP does not have an available pool member, the browser fails over to the next in the list. failover would happen again, if the secondary VIP replies with a RST during the connection establishing. the process repeats until a TCP connection establishes or all proxies assigned have been exhausted. the browser will use the proxy VIP that it successfully connects to, for the duration of the session. once the browser is closed and reopened, the evaluation of the PAC file occurs again, and the process starts anew. plug-ins such as Proxy Selector are the exception to this, and can be used to reevaluate a PAC file by selecting it for use.
>>
>> we have used this configuration several times, when we found an ISP link was flapping or some other issue more global in nature than just the proxies was affecting our egress and internet access. i can attest to the solution as working and elegantly handling site wide failures.
>>
>> being that the solutions where i work are proprietary commercial products, i wanted to find an open source product that does this. i have been a long time user of HAProxy, and have recommended it for others here, but sadly they cannot perform this function. per their mailing list, they use the network stack of the OS for connection establishment and cannot cause a RST to be sent to the client during a TCP handshake if no pool member is available. they suggested an external helper that manipulates IPTables rules based on a pool member being available. they do not feel that a feature like this belongs in a layer 4/7 reverse proxy application.
>>
>> my search for a load balancer solution went through ipvsadm, balance and haproxy before i selected haproxy. haproxy was more feature rich than balance, and easier to implement than ipvsadm. do any other list members have a need for such a feature from their load balancers? do any other list members have site failover solutions that have been tested or used and would consider sharing their design and/or pain points? i am not looking for secret sauce or confidential info, but more high level architecture decisions and such.
>
> trying to send this again, as it was rejected previously.
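The PAC-driven failover described above, as an added example that is not part of the original thread. The four VIP host names, port 3128 and the rule that picks the primary from the last octet of the client address are assumptions; `connectVia` models a browser that moves to the next entry when the load balancer answers the SYN with a RST.

```javascript
// Added example, not from the thread. VIP names, port and the
// primary-selection rule are hypothetical.
const VIPS = [
  "proxy-a.example.net:3128",
  "proxy-b.example.net:3128",
  "proxy-c.example.net:3128",
  "proxy-d.example.net:3128",
];

// Assumption: clients are spread over the VIPs by the last octet of their
// IPv4 address; anything unparsable falls back to the first VIP.
function primaryIndex(clientIp) {
  const lastOctet = Number(String(clientIp).split(".").pop());
  return Number.isInteger(lastOctet) ? lastOctet % VIPS.length : 0;
}

// Rotate the list so the primary comes first and the others follow in order.
function proxyChain(primary) {
  return VIPS.slice(primary).concat(VIPS.slice(0, primary));
}

// PAC entry point. myIpAddress() exists only inside a browser's PAC sandbox,
// so a fixed address stands in for it when this file runs elsewhere.
function FindProxyForURL(url, host) {
  const ip = typeof myIpAddress === "function" ? myIpAddress() : "127.0.0.1";
  return proxyChain(primaryIndex(ip))
    .map((vip) => "PROXY " + vip)
    .join("; ");
}

// Model of the browser side: try each PROXY entry in order. vipAccepts(vip)
// returning false stands for the load balancer sending a RST because no pool
// member is available, which moves the browser straight to the next entry.
function connectVia(pacResult, vipAccepts) {
  const tried = [];
  for (const entry of pacResult.split(";")) {
    const [kind, hostPort] = entry.trim().split(/\s+/);
    if (kind !== "PROXY") continue;
    tried.push(hostPort);
    if (vipAccepts(hostPort)) return { proxy: hostPort, tried };
  }
  return { proxy: null, tried }; // every assigned proxy was exhausted
}

// Constructed scenario: the client's primary is proxy-d, and only the site
// behind proxy-b still has a healthy pool member.
const pac = proxyChain(primaryIndex("10.1.2.7"))
  .map((vip) => "PROXY " + vip)
  .join("; ");
console.log(pac);
console.log(connectVia(pac, (vip) => vip.startsWith("proxy-b")));
```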
Re: [squid-users] i want to block images with size more than 40 KB
Don't think so. Probably you'll have to write your own helper to handle dynamic content. Or use the content adaptation feature.

25.03.15 11:34, snakeeyes wrote:
> BTW can squid block dynamically loaded images, and ajax request which return images.
> I want that on yahoo and google
> Is that possible?
>
> =====
>
> , thanks it seems okay for normal http sites
> I want to ask, is there a trick can we do it so that it be applied to google yahoo images search ??
>
> Here is what I see in yahoo logs, just small logs and all images are allowed and not blocked
>
> =====
> 1426881748.078 70740 x.70 TCP_MISS/200 11790 CONNECT js.dmtry.com:443 - DIRECT/184.170.128.58 -
> 1426881749.077103 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
> 1426881749.752 29 xx.70 TCP_MISS/200 2228 POST http://sd.symcd.com/ - DIRECT/23.9.123.27 application/ocsp-response
> 1426881750.098 21 xx.70 TCP_MISS/200 393 GET http://ping.chartbeat.net/ping? - DIRECT/23.21.149.132 image/gif
> 1426881750.731 62443 xx.70 TCP_MISS/200 122185 CONNECT www.gstatic.com:443 - DIRECT/206.126.112.185 -
> 1426881751.476 xx.70 TCP_MISS/200 4191 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
> 1426881752.215505 xxx.70 TCP_MISS/200 459 CONNECT secure.footprint.net:443 - DIRECT/8.12.219.125 -
> 1426881753.005 1091 xx.70 TCP_MISS/200 5303 CONNECT av.beap.bc.yahoo.com:443 - DIRECT/76.13.28.21 -
> 1426881762.280 12994 188.161.107.70 TCP_MISS/200 5502 CONNECT d.adgear.com:443 - DIRECT/205.204.71.140 -
> 1426881764.215 16497 xx70 TCP_MISS/200 9832 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
> 1426881764.216 16453 x.70 TCP_MISS/200 6534 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
> 1426881765.044 18777 x.70 TCP_MISS/200 11132 CONNECT ads.yahoo.com:443 - DIRECT/98.139.225.43 -
> 1426881765.681 15193 xx.107.70 TCP_MISS/200 6225 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
> 1426881765.691 14149 xx.107.70 TCP_MISS/200 832 CONNECT comet.yahoo.com:443 - DIRECT/72.30.196.161 -
> 1426881766.046 116219 xx.70 TCP_MISS/200 529 CONNECT d31qbv1cthcecs.cloudfront.net:443 - DIRECT/54.230.16.189 -
> 1426881766.714296 xx.70 TCP_MISS/200 2228 POST http://ocsp.verisign.com/ - DIRECT/23.9.123.27 application/ocsp-response
> 1426881770.049 117609 xx107.70 TCP_MISS/200 711 CONNECT d5nxst8fruw4z.cloudfront.net:443 - DIRECT/54.240.160.97 -
> 1426881780.403 67786 xx.70 TCP_MISS/200 852 CONNECT www.yahoo.com:443 - DIRECT/98.139.180.149 -
> 1426881781.519 353 xx.70 TCP_MISS/200 571 GET http://data.cnn.com/jsonp/breaking_news/domestic.json? - DIRECT/157.166.249.67 application/javascript
> 1426881782.057 118788 xx.70 TCP_MISS/200 19972 CONNECT cdn2sitescout-a.akamaihd.net:443 - DIRECT/23.15.4.18 -
> 1426881790.558 71055 xx TCP_MISS/200 26805 CONNECT s.yimg.com:443 - DIRECT/206.190.56.191 -
> 1426881814.445 100461 xx TCP_MISS/200 124129 CONNECT ca.yahoo.com:443 - DIRECT/98.139.180.149 -
> 1426881818.437 70709 xx70 TCP_MISS/200 8503 CONNECT beap-bc.yahoo.com:443 - DIRECT/206.190.57.60 -
>
> regards
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Friday, March 20, 2015 9:56 AM
> To: snakeeyes
> Cc: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] i want to block images with size more than 40 KB
>
> On 21/03/2015 12:05 p.m., snakeeyes wrote:
>> Hi amos, thanks for reply
>> I have tried @ top of squidf.conf
>>
>>   acl images rep_header Content-Type ^image/ ^x-image/
>>   acl small rep_header Content-Length ^[1234]?[0-9]$
>>   http_reply_access deny small images
>>
>> are you sure that it's blocking images with size 40KB
>
> Sorry I slightly mis-read your request. What I gave is blocking images *smaller* than 40 bytes (see what I mean about cut-n-paste without understanding?).
>
> To block images *over* 40 bytes change that to:
>
>   http_reply_access deny !small images
>
>> also I didn’t see extensions like jpg or bmp or similar like that ??!!
>
> Because HTTP does not transfer files. It transfers data. Sometimes data can *also* be found inside files, sometimes not.
>
> HTTP Content-Type header describes what format the data is. In this case you requested images in general, so that's the pattern I gave.
>
> Amos