Re: [squid-users] acl order
Hi

Riccardo Castellani wrote:
> If I create these entries in squid.conf:
>
> acl wwwebay dstdomain www.ebay.com
> acl wwwcons dstdomain demo.consortium.com
> acl emmepitre url_regex ^http://.*\.mp3
> acl msnmessq req_mime_type -i ^application/x-msn-messenger$
> acl msnmessp rep_mime_type -i ^application/x-msn-messenger$
> acl audiosp rep_mime_type -i ^audio/wav$
> acl videosp req_mime_type -i ^application/x-shockwave-flash$
> acl streaming_mediap rep_mime_type ^video/x-ms-asf
> acl streaming_mediap rep_mime_type ^audio/mpeg
> acl streaming_mediap rep_mime_type ^audio/x-scpls
> acl streaming_mediap rep_mime_type ^video/x-flv
>
> http_access allow user2
> http_access allow user3
> http_access deny msnmessp
> http_access deny audiosp
> http_access deny videosp
> http_access deny streaming_mediap

Those won't do anything; use http_reply_access instead of http_access to deal with MIME types.

> http_access allow user1 wwwebay
> http_access allow user1 wwwcons
> http_access deny wwwebay
> http_access allow user4
> ...
> ...
> ...
> http_access allow user100
> http_access deny all

#
http_reply_access allow user2
http_reply_access allow user3
http_reply_access deny msnmessp
http_reply_access deny audiosp
http_reply_access deny videosp
http_reply_access deny streaming_mediap
http_reply_access allow all

> In this case, I'd like:
> user2+3 can access everything.
> User1 can access only www.ebay.com
> User4 to user100 can access everything except msnmessp, audiosp, videosp, streaming_mediap, wwwebay, wwwcons.
>
> What's the order in which rules are scanned by squid?

From top to bottom.

> What do you think about my schema criteria?

- your audio and video filtering is not exhaustive, I prefer using:
  acl nosoundnovid rep_mime_type audio video
- are you sure that you need to filter requests instead of replies here?
> acl msnmessq req_mime_type -i ^application/x-msn-messenger$
> acl videosp req_mime_type -i ^application/x-shockwave-flash$

--
This e-mail has been checked and is free of known viruses as of today.
Contact your administrator for more information. postmas...@ch-chaumont.fr

Erwann Pencreach
IT Technician, IT Department, Centre Hospitalier de Chaumont
2 rue Jeanne D'arc, 52000 Chaumont
erwann.pencre...@ch-chaumont.fr
tel: 0325357321  fax: 0325030674
[squid-users] Squid3 and calamarisv3
Hi all,

I've just installed calamaris, and configured it to generate html-frame output with graph stats. It works well for the daily part. My weekly and monthly folders are empty.

My question is how does it work to populate those, as there only is a cron.daily script. Should I write cron.weekly and cron.monthly scripts, or should I wait a week/month to have them populated?

Maybe this question should have been asked on the calamaris list, but in case you have the knowledge.

thanks
Re: [squid-users] Squid3 and calamarisv3
Ok, found the answer: weekly reports are generated on Sunday (i.e. dayofweek=0) and monthly reports on the first day of the month (i.e. dayofmonth=1).

Sorry for the noise.

Erwann PENCREACH wrote:
> Hi all,
>
> I've just installed calamaris, and configured it to generate html-frame output with graph stats. It works well for the daily part. My weekly and monthly folders are empty.
>
> My question is how does it work to populate those, as there only is a cron.daily script. Should I write cron.weekly and cron.monthly scripts, or should I wait a week/month to have them populated?
>
> Maybe this question should have been asked on the calamaris list, but in case you have the knowledge.
>
> thanks
Re: [squid-users] howto block audio/video streaming
Not a good idea: for instance if you block avi you will block all avi files, but also all sites with a url containing navigon, aviation.

Gopinath Achari wrote:
> simply block based on extensions of files using url_pathregex
>
> On Tuesday 21 July 2009 16:13, Muhammad Sharfuddin wrote:
>> Squid 2.7 STABLE 5
>>
>> how can I block audio/video streaming via squid? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
>>
>> Regards
>> -ms
Re: [squid-users] howto block audio/video streaming
Muhammad Sharfuddin wrote:
> On Tue, 2009-07-21 at 22:53 +1200, Amos Jeffries wrote:
>> Muhammad Sharfuddin wrote:
>>> Squid 2.7 STABLE 5
>>>
>>> how can I block audio/video streaming via squid? I have blocked a lot many streaming websites (like youtube) but I want to block all of them.. and I think the best method is to block all types of audio/video streaming rather than blocking websites (that are increasing day-by-day)
>>>
>>> Regards
>>> -ms
>>
>> http://wiki.squid-cache.org/ConfigExamples
>>
>> Amos
>
> nice url, but there I did not find anything to block audio/video streaming.
> Please help
>
> Regards
> -ms

Here is what I've done on my test squid conf, which hasn't been validated yet:

acl novid rep_mime_type audio video
http_reply_access deny novid
Re: [squid-users] i need a little help
Hi

Without any parts of the config file it would be difficult to help you, but if I understand correctly what you explained, the problem is not in the squid config, but in your squid server's routing table.

If your squid server uses your Internet gateway (2) instead of (1), it's probably because your routing table is telling it that to access the net you have to go through gateway (2).

hope my english is correct :D

ro...@hyperpic.ro wrote:
> Hi!
>
> I want to use SQUID in proxy mode for administration of internet access. I installed SQUID 2.7 on a Win 2003 server.
> I have 2 internet connections:
> 1. LAN connected to ISP with static IP: 82.77.50.206/255.0.0.0 and
> 2. LAN connected to local area network with instant internet access. The local ip is 192.196.3.38, gateway 192.168.3.254
>
> I want to use the proxy server to limit the users' internet access, to be accessible only on 1. LAN accessible ISP. How can I do this?
> I tried to modify the config.conf file, I put the proxy server setting in the browser connections tab, but my browser shows me the access on 2. ISP, not on 1.
>
> Thanks for help and sorry for my bad english.
> Robert
Re: [squid-users] i need a little help
Please try to reply to the list.

> acl lan src 82.77.50.206/255.0.0.0 192.168.3.0/24

Are you sure of this? That's a very large lan, and 82.77.50.206/255.0.0.0 is a public range of IPs.

badisp and badisp2 are addresses already declared in lan, so your deny acl will never match. Don't forget that acls are applied from top to bottom until one matches (when a match is done none of the following acls will be checked). This is useless in your actual config:

> acl badisp src 192.168.3.254
> http_access deny badisp
> acl badisp2 src 192.168.3.38
> http_access deny badisp2

Concerning the routing table, it depends on your operating system.

Running linux / unix, you should look at:
  /sbin/route -n
man route will help you with the usage of this command (adding, removing etc...)

Running windows:
  route print
to watch your routing table;
  route help
will help you.

ro...@hyperpic.ro wrote:
> Thanks for your reply!
>
> The config file is the default with little changes:
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.0/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443 563     # https, snews
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl lan src 82.77.50.206/255.0.0.0 192.168.3.0/24
> http_access allow lan
> acl badisp src 192.168.3.254
> http_access deny badisp
> acl badisp2 src 192.168.3.38
> http_access deny badisp2
> acl MYLAN src 192.168.3.1-192.168.3.253/255.255.255.0
>
> How can I config the server routing table? The most important for me: for the users connected with the proxy I want to use link1 for internet access (82.77.50.206), not the instant lan access...
>
> Any idea?
>
> Robert
>
>> Hi
>>
>> Without any parts of the config file it would be difficult to help you, but if I understand correctly what you explained, the problem is not in the squid config, but in your squid server's routing table.
>>
>> If your squid server uses your Internet gateway (2) instead of (1), it's probably because your routing table is telling it that to access the net you have to go through gateway (2).
>>
>> hope my english is correct :D
>>
>> ro...@hyperpic.ro wrote:
>>> Hi!
>>>
>>> I want to use SQUID in proxy mode for administration of internet access. I installed SQUID 2.7 on a Win 2003 server.
>>> I have 2 internet connections:
>>> 1. LAN connected to ISP with static IP: 82.77.50.206/255.0.0.0 and
>>> 2. LAN connected to local area network with instant internet access. The local ip is 192.196.3.38, gateway 192.168.3.254
>>>
>>> I want to use the proxy server to limit the users' internet access, to be accessible only on 1. LAN accessible ISP. How can I do this?
>>> I tried to modify the config.conf file, I put the proxy server setting in the browser connections tab, but my browser shows me the access on 2. ISP, not on 1.
>>>
>>> Thanks for help and sorry for my bad english.
>>> Robert
Re: [squid-users] Help Please : NT Domain name stripping in squid_ldap_group
Hi,

There is no access rule below. You need at least one to grant or deny access; for instance this is one of mine:

external_acl_type loggeduser %DST %SRC /squid_script_path/loggeduser_acl.sh
acl isok external loggeduser
http_access allow isok

### where /squid_script_path/loggeduser_acl.sh gets the uid of the user logged on %SRC (asks samba to tell), checks the access type to the internet defined in a ldap directory, then returns OK or KO depending on the url and the effective rights

Clayton York wrote:
> Hi All,
>
> I am a newbie to Linux and squid and require some assistance please.
>
> I am running a server on CENTOS release 5.2 (Final), and have configured squid (2.6.STABLE21-3) for ldap group authentication with Active Directory. I have seen in the man page for squid_ldap_group there is an -S option to strip the NT domain name from the username. I have added the -S to our squid.conf file, squid_ldap_group section, however this does not seem to strip the domain name, as from the access.log file I can see that squid still passes the domain\username through to AD which then fails.
>
> Please find my squid authentication configuration below.
>
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b dc=domnet,dc=bbd,dc=co,dc=za -D cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za -w password -f sAMAccountName=%s -h 10.3.1.216
> auth_param basic children 5
> auth_param basic realm Your Organisation Name
> auth_param basic credentialsttl 1 hour
>
> external_acl_type InetGroup ttl=60 %LOGIN /usr/lib64/squid/squid_ldap_group -R -b dc=domnet,dc=bbd,dc=co,dc=za -D cn=administrator,cn=Users,dc=domnet,dc=bbd,dc=co,dc=za -w password -f ((objectclass=person)(sAMAccountName=%v) (memberof=cn=%a,ou=SquidUsers,dc=bbdnet,dc=bbd,dc=co,dc=za)) -S -h 10.3.1.216
> acl InetAccess external InetGroup SquidUsersAllow
>
> Please if anyone has any insight into what I might be missing please let me know.
>
> Thank you,
> Clayton York
[squid-users] blocking binary download
Hi all,

I'm trying to write rules that will block binary downloads. What I've written:

acl contenttype1 req_mime_type video audio application/octet-stream \
    application/x-msdownload application/exe \
    application/x-exe \
    application/dos-exe vms/exe application/x-winexe \
    application/msdos-windows application/x-msdos-program \
    binary
request_header_access Content-Type deny contenttype1

I checked it with the nvidia drivers download, but this rule doesn't work.

$ sudo tcpflow -vvv -c -i bond0 src X.X.X.X
[...]
tcpflow[32412]: 010.012.011.010.03809-010.012.003.001.03128: new flow
010.012.011.010.03809-010.012.003.001.03128: GET http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe HTTP/1.1
Host: us.download.nvidia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.10; .NET CLR 2.0.50727; ffco7) Gecko/2009042316 Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=url=http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe
Cookie: s_cc=true; s_nr=1247055367647; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|4A548C4E425B-A3A08131672[CE]

This is the last tcpflow block I obtain, just before the download box pops up on screen (asking me if I want to run or download the binary).

I'm using squid 3 + squidGuard. Is there any way to make it work properly? My predecessor wrote rules based on url_regex to do that job on the former proxy, but this filtering is too broad (no url containing exe at any place is granted).

Thanks for your help (and be tolerant of my poor english level)
Re: [squid-users] blocking binary download
I'm quite stupid, I was already correcting this when I saw your answer.

The working rule is the following:

acl contenttypes rep_mime_type video audio application/octet-stream \
    application/x-msdownload application/exe \
    application/x-exe \
    application/dos-exe vms/exe application/x-winexe \
    application/msdos-windows application/x-msdos-program \
    binary
http_reply_access deny contenttypes

Changes: reP_mime_type instead of reQ_mime_type in the acl, and http_reply_access instead of the request_header_access rule.

Adrian Chadd wrote:
> req_mime_type won't help you if it's what I remember it being, a -request- mime type. You need to block on the -reply- mime type.
>
> adrian
>
> 2009/7/8 Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>> Hi all,
>>
>> I'm trying to write rules that will block binary downloads. What I've written:
>>
>> acl contenttype1 req_mime_type video audio application/octet-stream \
>>     application/x-msdownload application/exe \
>>     application/x-exe \
>>     application/dos-exe vms/exe application/x-winexe \
>>     application/msdos-windows application/x-msdos-program \
>>     binary
>> request_header_access Content-Type deny contenttype1
>>
>> I checked it with the nvidia drivers download, but this rule doesn't work.
>>
>> $ sudo tcpflow -vvv -c -i bond0 src X.X.X.X
>> [...]
>> tcpflow[32412]: 010.012.011.010.03809-010.012.003.001.03128: new flow
>> 010.012.011.010.03809-010.012.003.001.03128: GET http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe HTTP/1.1
>> Host: us.download.nvidia.com
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.10; .NET CLR 2.0.50727; ffco7) Gecko/2009042316 Firefox/3.0.10
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Proxy-Connection: keep-alive
>> Referer: http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=url=http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe
>> Cookie: s_cc=true; s_nr=1247055367647; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|4A548C4E425B-A3A08131672[CE]
>>
>> This is the last tcpflow block I obtain, just before the download box pops up on screen (asking me if I want to run or download the binary).
>>
>> I'm using squid 3 + squidGuard. Is there any way to make it work properly? My predecessor wrote rules based on url_regex to do that job on the former proxy, but this filtering is too broad (no url containing exe at any place is granted).
>>
>> Thanks for your help (and be tolerant of my poor english level)
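Riccardo's question at the top of the page (acl order), the audio/video streaming thread and this binary-download thread all turn on the same two facts: Squid walks each access list from top to bottom and stops at the first line whose ACLs all match, and a rep_mime_type ACL has nothing to match against while http_access is being evaluated, because the reply has not arrived yet. The Python model below is an added example, not Squid's code and not from any of the posts. It loads Riccardo's rule set together with the http_reply_access list Erwann proposed, with two assumptions: user1..user4 are modelled as plain username ACLs (his config must define them, presumably as proxy_auth, but they are not shown), and dstdomain is matched on the exact host only.

```python
"""Toy model of how Squid walks http_access and http_reply_access.
Added example; not Squid code. Models Riccardo's posted rule set."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Acl:
    kind: str      # all | user | dstdomain | req_mime_type | rep_mime_type
    values: list


@dataclass
class Tx:
    user: str
    host: str
    req_ctype: str = ""               # request Content-Type (usually absent on GET)
    rep_ctype: Optional[str] = None   # None: reply headers not (yet) available


def acl_matches(acl, tx, phase):
    """One ACL against one transaction (simplified; regexes are case-insensitive)."""
    if acl.kind == "all":
        return True
    if acl.kind == "user":
        return tx.user in acl.values
    if acl.kind == "dstdomain":       # assumption: exact host only, no .domain form
        return tx.host in acl.values
    if acl.kind == "req_mime_type":
        return any(re.search(p, tx.req_ctype, re.I) for p in acl.values)
    if acl.kind == "rep_mime_type":
        # While http_access runs, the reply does not exist, so this ACL can never
        # match there; only http_reply_access sees the reply's Content-Type.
        if phase != "reply" or tx.rep_ctype is None:
            return False
        return any(re.search(p, tx.rep_ctype, re.I) for p in acl.values)
    raise ValueError(acl.kind)


def evaluate(rules, acls, tx, phase):
    """Top-down, first match wins. A line matches only when ALL its ACLs match
    ('!' negates one). Returns (verdict, 1-based line number); if no line
    matches, Squid applies the opposite of the last line's action (line None)."""
    for lineno, (action, names) in enumerate(rules, start=1):
        for name in names:
            negate = name.startswith("!")
            matched = acl_matches(acls[name.lstrip("!")], tx, phase)
            if matched == negate:     # this ACL fails: move on to the next line
                break
        else:
            return action, lineno
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def riccardo_acls():
    defs = [
        ("all", "all"),
        ("user1", "user", "user1"), ("user2", "user", "user2"),
        ("user3", "user", "user3"), ("user4", "user", "user4"),
        ("wwwebay", "dstdomain", "www.ebay.com"),
        ("wwwcons", "dstdomain", "demo.consortium.com"),
        ("msnmessp", "rep_mime_type", r"^application/x-msn-messenger$"),
        ("audiosp", "rep_mime_type", r"^audio/wav$"),
        ("videosp", "req_mime_type", r"^application/x-shockwave-flash$"),
        ("streaming_mediap", "rep_mime_type",
         r"^video/x-ms-asf", r"^audio/mpeg", r"^audio/x-scpls", r"^video/x-flv"),
    ]
    return {d[0]: Acl(d[1], list(d[2:])) for d in defs}


HTTP_ACCESS = [                        # as posted, evaluated at request time
    ("allow", ["user2"]), ("allow", ["user3"]),
    ("deny", ["msnmessp"]), ("deny", ["audiosp"]),
    ("deny", ["videosp"]), ("deny", ["streaming_mediap"]),
    ("allow", ["user1", "wwwebay"]), ("allow", ["user1", "wwwcons"]),
    ("deny", ["wwwebay"]),
    ("allow", ["user4"]),
    ("deny", ["all"]),
]
HTTP_REPLY_ACCESS = [                  # Erwann's reply-phase list
    ("allow", ["user2"]), ("allow", ["user3"]),
    ("deny", ["msnmessp"]), ("deny", ["audiosp"]),
    ("deny", ["videosp"]), ("deny", ["streaming_mediap"]),
    ("allow", ["all"]),
]


def decide(user, host, rep_ctype=None, req_ctype=""):
    """Both phases: (request verdict, reply verdict); reply is None when the
    request never left the proxy."""
    acls = riccardo_acls()
    tx = Tx(user, host, req_ctype=req_ctype, rep_ctype=rep_ctype)
    req = evaluate(HTTP_ACCESS, acls, tx, "request")
    if req[0] == "deny":
        return req, None
    return req, evaluate(HTTP_REPLY_ACCESS, acls, tx, "reply")


if __name__ == "__main__":
    for case in [("user2", "www.ebay.com", "audio/mpeg"),
                 ("user1", "www.ebay.com", "text/html"),
                 ("user4", "www.ebay.com", "text/html"),
                 ("user4", "demo.consortium.com", "text/html"),
                 ("user4", "radio.example.test", "audio/mpeg")]:
        print(case, "->", decide(*case))
```

Running it shows what the replies in the thread say in words: `http_access deny msnmessp` (line 3) never fires, user4 is allowed at line 10 and the MSN Messenger reply is only stopped by line 3 of http_reply_access; `deny wwwebay` (line 9) sits before `allow user4`, so user4 loses ebay as intended; and nothing in the posted http_access list stops user4 reaching demo.consortium.com, although the stated intent was to block wwwcons for user4..user100.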
[squid-users] squid 3 acl browser
Hi all,

I'm configuring a squid 3 proxy and I want to deny access to all unwanted browsers, but that is not working. Here are my current acls:

acl all_src src 0.0.0.0/0.0.0.0
acl nodst url_regex ^.*sex.*$ ^.*porn.*$ ^.*hack.*$ ^.*crack.*$ ^.*drug.*$
acl nodst1 url_regex -i \.bat$ \.cmd$ \.exe$ \.pif$ \.vbs$ \.ade$ \.adp$
acl nodst2 url_regex -i \.bas$ \.chm$ \.cpl$ \.eml$ \.hlp$ \.hta$ \.inf$
acl nodst3 url_regex -i \.ins$ \.isp$ \.jse$ \.lnk$ \.msc$ \.msi$ \.msp$
acl nodst4 url_regex -i \.mst$ \.reg$ \.sct$ \.shs$ \.vb$ \.vbe$ \.vbs$
acl nodst5 url_regex -i \.wav$ \.avi$ \.ogg$ \.wma$ \.wme$ \.wsc$ \.wsf$
acl nodst6 url_regex -i \.wsh$ \.sh$ \.mp3$ \.scr$ \.cab$ \.zip$ \.tar$
acl nodst7 url_regex -i \.gz$ \.bz2$ \.xpi$ \.wmv$ \.mpeg$
acl contenttype1 req_mime_type ^.*video.*$ ^.*audio.*$
http_access deny all_src nodst
http_access deny all_src nodst1
http_access deny all_src nodst2
http_access deny all_src nodst3
http_access deny all_src nodst4
http_access deny all_src nodst5
http_access deny all_src nodst6
http_access deny all_src nodst7
request_header_access Content-Type deny contenttype1
acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
http_access deny !checkua
external_acl_type authuser %DST %SRC [a secret path]/getloggeduser.sh
acl isok external authuser
http_access allow isok
http_access deny all

getloggeduser.sh retrieves the user logged on the host, and checks his access rights (full or restricted) against ldap; in case of full rights, or restricted rights if dst is allowed, it returns OK user=USERNAME. If the user has no rights or if dst is not allowed, it returns err user=USERNAME. It also logs datetime, username, rights, url and whether access is granted or not.

In case I'm using MSIE, I shouldn't have my access granted, but I have, and getloggeduser.sh generates a log line.

What's wrong?

Thanks for your help.

In case it can change something, I'm using squid3 on debian lenny (arch amd64)
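Both getloggeduser.sh here and the loggeduser_acl.sh shown in the squid_ldap_group thread above speak Squid's external ACL helper protocol: Squid writes one line per lookup with the format fields in the order given on the external_acl_type line (%DST then %SRC in both posts) and expects one answer line back, OK or ERR, optionally followed by key=value pairs; user=NAME is what makes the username appear in access.log. The skeleton below is an added example in Python, not either poster's script. The Samba and LDAP lookups described in the thread are replaced by constructed tables, and the squid.conf lines in the docstring are constructed to match.

```python
#!/usr/bin/env python3
"""Skeleton external_acl_type helper in the shape of getloggeduser.sh.
Added example, not the poster's script. Constructed squid.conf lines it pairs with:

    external_acl_type authuser ttl=60 %DST %SRC /usr/local/bin/dst_src_helper.py
    acl isok external authuser
    http_access allow isok
    http_access deny all

Protocol: one request line per lookup ("<dst> <src>"), one answer line back:
"OK" or "ERR", optionally followed by key=value pairs such as user=NAME.
"""
import sys

# Constructed stand-ins for "ask samba who is logged on %SRC" and the LDAP rights lookup.
LOGGED_ON = {"10.0.0.5": "alice", "10.0.0.6": "bob"}          # client IP -> user
RIGHTS = {"alice": "full", "bob": "restricted"}               # user -> access class
RESTRICTED_DESTINATIONS = {"www.ebay.com", "demo.consortium.com"}


def decide(dst, src):
    """Answer line for one (destination host, client IP) pair."""
    user = LOGGED_ON.get(src)
    if user is None:
        return "ERR"                         # nobody known on that workstation: fail closed
    rights = RIGHTS.get(user, "none")
    allowed = rights == "full" or (
        rights == "restricted" and dst.lower() in RESTRICTED_DESTINATIONS)
    # user=... is copied by Squid into access.log, which is how the poster
    # gets a username next to each granted or denied request.
    return f"{'OK' if allowed else 'ERR'} user={user}"


def handle_line(line):
    """Parse one request line from Squid. Anything that is not exactly the two
    configured fields is denied rather than allowed to crash the helper."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    dst, src = fields
    return decide(dst, src)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()     # Squid waits for each answer; buffered output stalls the proxy


if __name__ == "__main__":
    main()
```

The two defensive choices worth copying into a real helper are the fail-closed handling of unknown clients and malformed lines, and the flush after every answer; a helper that buffers its output looks to Squid like a helper that never answers.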
Re: [squid-users] squid 3 acl browser
Ok, thanks, I'll try and tell you.

Ralf Hildebrandt wrote:
> * Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>> Hi all,
>>
>> I'm configuring a squid 3 proxy and I want to deny access to all unwanted browsers, but that is not working. Here are my current acls:
>
> You REALLY need to read on regular expressions
>
>> acl nodst url_regex ^.*sex.*$ ^.*porn.*$ ^.*hack.*$ ^.*crack.*$ ^.*drug.*$
>
> Or shorter:
> acl nodst url_regex sex porn hack crack drug
>
> Note that you won't be able to access http://www.sextant.fr/ with that. Which is a bit problematic.
>
>> acl nodst1 url_regex -i \.bat$ \.cmd$ \.exe$ \.pif$ \.vbs$ \.ade$ \.adp$
>> acl nodst2 url_regex -i \.bas$ \.chm$ \.cpl$ \.eml$ \.hlp$ \.hta$ \.inf$
>> acl nodst3 url_regex -i \.ins$ \.isp$ \.jse$ \.lnk$ \.msc$ \.msi$ \.msp$
>> acl nodst4 url_regex -i \.mst$ \.reg$ \.sct$ \.shs$ \.vb$ \.vbe$ \.vbs$
>> acl nodst5 url_regex -i \.wav$ \.avi$ \.ogg$ \.wma$ \.wme$ \.wsc$ \.wsf$
>> acl nodst6 url_regex -i \.wsh$ \.sh$ \.mp3$ \.scr$ \.cab$ \.zip$ \.tar$
>> acl nodst7 url_regex -i \.gz$ \.bz2$ \.xpi$ \.wmv$ \.mpeg$
>
> acl nodst1 url_regex -i \.(bat|cmd|exe|pif|vbs|ade|adp)$
> etc.
>
>> acl contenttype1 req_mime_type ^.*video.*$ ^.*audio.*$
>
> acl contenttype1 req_mime_type video audio
>
>> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
>
> acl checkua browser -i Mozilla/ ^Keyvelop$ ^ClamWin/
>
> Maybe it would be more useful to add DansGuardian to your setup.
Re: [squid-users] squid 3 acl browser
ok, I made changes.

nodst and contenttype acls work fine (I'll look later at squidguard and dansguardian).
browser filtering doesn't work at all.
external_acl works fine.

I don't understand what I'm doing wrong with User-agent filtering. Something strange: I wrote a script that I call with an external acl; this script reads one parameter, %{headers}, and logs it in a file. The only thing I get in the file is: -. This behaviour is the same with Firefox, Iceweasel or MSIE 6.

Is there another way to filter browsers?

thanks for all

Ralf Hildebrandt wrote:
> * Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>> Hi all,
>>
>> I'm configuring a squid 3 proxy and I want to deny access to all unwanted browsers, but that is not working. Here are my current acls:
>
> You REALLY need to read on regular expressions
>
>> acl nodst url_regex ^.*sex.*$ ^.*porn.*$ ^.*hack.*$ ^.*crack.*$ ^.*drug.*$
>
> Or shorter:
> acl nodst url_regex sex porn hack crack drug
>
> Note that you won't be able to access http://www.sextant.fr/ with that. Which is a bit problematic.
>
>> acl nodst1 url_regex -i \.bat$ \.cmd$ \.exe$ \.pif$ \.vbs$ \.ade$ \.adp$
>> acl nodst2 url_regex -i \.bas$ \.chm$ \.cpl$ \.eml$ \.hlp$ \.hta$ \.inf$
>> acl nodst3 url_regex -i \.ins$ \.isp$ \.jse$ \.lnk$ \.msc$ \.msi$ \.msp$
>> acl nodst4 url_regex -i \.mst$ \.reg$ \.sct$ \.shs$ \.vb$ \.vbe$ \.vbs$
>> acl nodst5 url_regex -i \.wav$ \.avi$ \.ogg$ \.wma$ \.wme$ \.wsc$ \.wsf$
>> acl nodst6 url_regex -i \.wsh$ \.sh$ \.mp3$ \.scr$ \.cab$ \.zip$ \.tar$
>> acl nodst7 url_regex -i \.gz$ \.bz2$ \.xpi$ \.wmv$ \.mpeg$
>
> acl nodst1 url_regex -i \.(bat|cmd|exe|pif|vbs|ade|adp)$
> etc.
>
>> acl contenttype1 req_mime_type ^.*video.*$ ^.*audio.*$
>
> acl contenttype1 req_mime_type video audio
>
>> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
>
> acl checkua browser -i Mozilla/ ^Keyvelop$ ^ClamWin/
>
> Maybe it would be more useful to add DansGuardian to your setup.
Re: [squid-users] squid 3 acl browser
Ralf Hildebrandt wrote:
> * Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
>> http_access deny !checkua
>> ...
>> In case I'm using MSIE, I shouldn't have my access granted, but I have, and getloggeduser.sh generates a log line.
>>
>> What's wrong?
>
> What useragent does MSIE use? Here it uses:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> which matches ^.*Mozilla/.*$ (or shorter: Mozilla/)

MSIE is using something including MSIE, but in fact I know that the only User-agents allowed to access the net are Mozilla, Keyvelop and clamwin; that's why I've chosen to ban all UAs but those 3.
Re: [squid-users] squid 3 acl browser
Ralf Hildebrandt wrote:
> * Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>> ok, I made changes
>> nodst and contenttype acls work fine (I'll look later at squidguard and dansguardian)
>> browser filtering doesn't work at all
>> external_acl works fine
>> I don't understand what I'm doing wrong with User-agent filtering
>
> But I already told you. MSIE says it's Mozilla. Your regular expression is wrong.

You're right, I've just checked both User agents:

# MSIE:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
# Mozilla:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1

The acl becomes:

acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
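The regexes in this thread can be exercised offline before they go into squid.conf. The Python check below is an added example, not from the thread; it applies the patterns the way Squid applies its url_regex and browser ACLs (an unanchored search with each listed pattern, any match wins, `-i` making the whole list case-insensitive) to the two User-Agent strings quoted above plus constructed ClamWin and Wget strings, and also runs Ralf's shortened url_regex lists and the predecessor's "exe anywhere" rule from the binary-download thread against constructed URLs.

```python
"""Offline check of Squid regex ACLs with Python's re.
Added example; not from the thread. Patterns are applied as Squid applies
url_regex/browser ACLs: re.search with each listed pattern, any match wins."""
import re

# User-Agent strings: the two quoted in the thread, plus two constructed ones.
UA_MSIE = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
           ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; "
              ".NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1")
UA_CLAMWIN = "ClamWin/0.95.2"   # constructed
UA_SCRIPT = "Wget/1.11.4"       # constructed: a non-browser client

# The two versions of the checkua ACL from the thread.
CHECKUA_FIRST = [r"^.*Mozilla/.*$", r"^Keyvelop$", r"^ClamWin/.*$"]   # used with -i
CHECKUA_FINAL = [r"Gecko/", r"^Keyvelop$", r"^ClamWin/"]

# url_regex lists: Ralf's shortened keyword list, his combined extension
# pattern (used with -i), and the too-broad rule the predecessor used.
NODST_KEYWORDS = ["sex", "porn", "hack", "crack", "drug"]
NODST1_EXT = [r"\.(bat|cmd|exe|pif|vbs|ade|adp)$"]
PREDECESSOR_EXE = ["exe"]


def regex_acl_matches(patterns, value, ignore_case=False):
    """True when any pattern is found somewhere in value (Squid's regex ACL semantics)."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, value, flags) is not None for p in patterns)


def browser_passes(patterns, user_agent, ignore_case=False):
    """Model 'http_access deny !checkua': the request survives that line only
    when the User-Agent matches one of the listed patterns."""
    return regex_acl_matches(patterns, user_agent, ignore_case)


def url_blocked(patterns, url, ignore_case=False):
    """Model 'http_access deny all_src nodstN'."""
    return regex_acl_matches(patterns, url, ignore_case)


if __name__ == "__main__":
    for label, ua in [("MSIE", UA_MSIE), ("Firefox", UA_FIREFOX),
                      ("ClamWin", UA_CLAMWIN), ("Wget", UA_SCRIPT)]:
        print(f"{label:8s} first acl: {browser_passes(CHECKUA_FIRST, ua, True)!s:5s}"
              f" final acl: {browser_passes(CHECKUA_FINAL, ua)}")
    for url in ["http://www.sextant.fr/",
                "http://www.example.test/executive/index.html",
                "http://dl.example.test/setup.EXE?id=1"]:
        print(url, "keywords:", url_blocked(NODST_KEYWORDS, url),
              "ext:", url_blocked(NODST1_EXT, url, True),
              "exe-anywhere:", url_blocked(PREDECESSOR_EXE, url))
```

Three results carry over to the rest of the thread: the MSIE string does contain `Mozilla/` and so passes the first ACL, exactly as Ralf says; `sex` matches www.sextant.fr, his warning about the shortened list; and an extension pattern anchored with `$` does not see a file name once a query string is appended (`setup.EXE?id=1` is not blocked), while the "exe anywhere" rule blocks an unrelated `/executive/` page. Both observations support Amos's advice later in the thread: a User-Agent or URL regex is a reasonable deny filter for accidents, but the allow decision belongs to stricter ACL types.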
Re: [squid-users] squid 3 acl browser
Amos Jeffries wrote:
> Erwann PENCREACH wrote:
>> Ralf Hildebrandt wrote:
>>> * Erwann PENCREACH erwann.pencre...@ch-chaumont.fr:
>>>> ok, I made changes
>>>> nodst and contenttype acls work fine (I'll look later at squidguard and dansguardian)
>>>> browser filtering doesn't work at all
>>>> external_acl works fine
>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>
>>> But I already told you. MSIE says it's Mozilla. Your regular expression is wrong.
>>
>> You're right, I've just checked both User agents:
>>
>> # MSIE:
>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>> # Mozilla:
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>
>> The acl becomes:
>>
>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>
> Mozilla and Gecko are both engines that generate HTTP requests and parse HTTP replies on demand, along with various other HTTP related activities. They are both used in a vast number of browsers and browser clones and fake agents.
>
> I would guess you actually want the Firefox branding interface for Gecko, commonly known as the Mozilla Firefox web browser.
>
> User-Agent: is easily forged, so don't hang your security on it please. It's best to use it only in deny (ie for unknowns and non-matching) and leave the allow permissions to more strict ACL types.
>
> Amos

You're right, that's why I deny all but those three UAs.

Firefox isn't the solution, because the debian port is called Iceweasel. Filtering on gecko allows Firefox, Thunderbird, Iceweasel and Icedove to go through this acl, and lets the following acls do the rest of the filtering.

All the security isn't done by the proxy. Our users aren't able to install any software on the computers, so the chance of having another browser is minimal.