Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Ralf Hildebrandt
* Erwann PENCREACH :
> Hi all,
>
> I'm configuring a squid 3 proxy and I want, to deny access to all
> unwanted browsers but that is not working.
>
> here are my current acl :

You REALLY need to read on regular expressions

> acl nodst  url_regex ^.*sex.*$ ^.*porn.*$ ^.*hack.*$ ^.*crack.*$ ^.*drug.*$

Or shorter: 
acl nodst  url_regex sex porn hack crack drug

Note that you won't be able to access
http://www.sextant.fr/ with that. Which is a bit problematic.

> acl nodst1 url_regex -i \.bat$ \.cmd$ \.exe$ \.pif$ \.vbs$ \.ade$ \.adp$
> acl nodst2 url_regex -i \.bas$ \.chm$ \.cpl$ \.eml$ \.hlp$ \.hta$ \.inf$
> acl nodst3 url_regex -i \.ins$ \.isp$ \.jse$ \.lnk$ \.msc$ \.msi$ \.msp$
> acl nodst4 url_regex -i \.mst$ \.reg$ \.sct$ \.shs$ \.vb$ \.vbe$ \.vbs$
> acl nodst5 url_regex -i \.wav$ \.avi$ \.ogg$ \.wma$ \.wme$ \.wsc$ \.wsf$
> acl nodst6 url_regex -i \.wsh$ \.sh$ \.mp3$ \.scr$ \.cab$ \.zip$ \.tar$
> acl nodst7 url_regex -i \.gz$ \.bz2$ \.xpi$ \.wmv$ \.mpeg$

acl nodst1 url_regex -i \.(bat|cmd|exe|pif|vbs|ade|adp)$
etc.

> acl contenttype1 req_mime_type ^.*video.*$ ^.*audio.*$
acl contenttype1 req_mime_type video audio

> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$

acl checkua browser -i Mozilla/ ^Keyvelop$ ^ClamWin/

Maybe it would be more useful to add DansGuardian to your setup.


Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Ralf Hildebrandt
* Erwann PENCREACH :

> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
> http_access deny !checkua

...

> In case I'm using MSIE, I shouldn't have my access granted, but I have,
> and getloggeduser.sh generate a log line.
>
> what's wrong ?

What useragent does MSIE use?

Here it uses:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 
2.0.50727; .NET CLR 3.0.04506.30)"
which matches

"^.*Mozilla/.*$" (or shorter : "Mozilla/")


Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Erwann PENCREACH

Ok, thanks, I'll try and tell you

--
This e-mail has been checked and is free of known viruses to date.
Contact your administrator for more information.
postmas...@ch-chaumont.fr




begin:vcard
fn:Erwann Pencreach
n:Pencreach;Erwann
org:Centre Hospitalier de Chaumont;Service Informatique
adr;dom:;;2 rue Jeanne D'arc;Chaumont;;52000
email;internet:erwann.pencre...@ch-chaumont.fr
title:Technicien Informatique
tel;work:0325357321
tel;fax:0325030674
x-mozilla-html:FALSE
version:2.1
end:vcard



Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Erwann PENCREACH

ok, I made changes

nodst and contenttype acl works fine (I'll look later for squidguard and 
dansguardian)


browser filtering doesn't work at all

external_acl works fine

I don't understand what I'm doing wrong with User-agent filtering

Something strange: I wrote a script that I called with an external acl;
this script reads one parameter, %{headers}, and logs it in a file.

The only thing I got in the file is "-"; this behavior is the same
with Firefox Iceweasel or MSIE 6.

Is there another way to filter browsers?

thanks for all




Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Erwann PENCREACH

Ralf Hildebrandt wrote:
> * Erwann PENCREACH :
>
>> acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
>> http_access deny !checkua
>
> ...
>
>> In case I'm using MSIE, I shouldn't have my access granted, but I have,
>> and getloggeduser.sh generate a log line.
>>
>> what's wrong ?
>
> What useragent does MSIE use?
>
> Here it uses:
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR
> 2.0.50727; .NET CLR 3.0.04506.30)"
> which matches
>
> "^.*Mozilla/.*$" (or shorter : "Mozilla/")


MSIE is using something including MSIE, but in fact I know that the only 
User-agents allowed to access the net are Mozilla Keyvelop and clamwin, 
that's why I've chosen to ban all UA but those 3




Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Ralf Hildebrandt
* Erwann PENCREACH :
> ok, I made changes
>
> nodst and contenttype acl works fine (I'll look later for squidguard and  
> dansguardian)
>
> browser filtering doesn't work at all
>
> external_acl works fine
>
> I don't understand what I'm doing wrong with User-agent filtering

But I already told you. MSIE says it's Mozilla. Your regular
expression is wrong.


Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Ralf Hildebrandt
* Erwann PENCREACH :

>> Here it uses:
>> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET 
>> CLR 2.0.50727; .NET CLR 3.0.04506.30)"
>> which matches
>>
>> "^.*Mozilla/.*$" (or shorter : "Mozilla/")
>
> MSIE is using something including MSIE, but in fact I know that the only  
> User-agents allowed to access the net are Mozilla Keyvelop and clamwin,  
> that's why I've chosen to ban all UA but those 3

But your ACL doesn't do that.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Erwann PENCREACH

Ralf Hildebrandt wrote:
> * Erwann PENCREACH :
>> ok, I made changes
>>
>> nodst and contenttype acl works fine (I'll look later for squidguard and
>> dansguardian)
>>
>> browser filtering doesn't work at all
>>
>> external_acl works fine
>>
>> I don't understand what I'm doing wrong with User-agent filtering
>
> But I already told you. MSIE says it's Mozilla. Your regular
> expression is wrong.

You're right I've just checked both User agents :

# MSIE: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
# Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; 
rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1


acl becomes :

acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/





Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Amos Jeffries

Erwann PENCREACH wrote:
> Ralf Hildebrandt wrote:
>> * Erwann PENCREACH :
>>> ok, I made changes
>>>
>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>> and dansguardian)
>>>
>>> browser filtering doesn't work at all
>>>
>>> external_acl works fine
>>>
>>> I don't understand what I'm doing wrong with User-agent filtering
>>
>> But I already told you. MSIE says it's Mozilla. Your regular
>> expression is wrong.
>
> You're right I've just checked both User agents :
>
> # MSIE: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>
> acl becomes :
>
> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/



Mozilla and Gecko are both engines that generate HTTP requests and parse 
HTTP replies on demand. Along with various other HTTP related 
activities. They are both used in a vast number of browsers and browser 
clones and fake agents.


I would guess you actually want the "Firefox" branding interface for 
Gecko. Commonly known as the Mozilla Firefox web browser.


User-Agent: is easily forged, so don't hang your security on it please. 
It's best to use it only in deny (ie for unknowns and non-matching) and 
leave the allow permissions to more strict ACL types.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.8
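
The two checkua ACLs discussed in this thread, evaluated against the User-Agent strings quoted above. This is an added example, not code from any poster or from Squid: Python's re.search stands in for Squid's unanchored regex matching, the function names are hypothetical, and the Keyvelop, ClamWin and "other client" strings are constructed samples.

```python
import re

# User-Agent values quoted in the thread (wrapped lines joined).
MSIE6 = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
         ".NET CLR 1.1.4322; .NET CLR 2.0.50727)")
FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; "
           ".NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1")
# Constructed samples, not taken from the thread.
KEYVELOP = "Keyvelop"
CLAMWIN = "ClamWin/0.0"
OTHER_CLIENT = "ExampleFetcher/1.0 (like Gecko/20090101)"

# The checkua ACLs from the thread: (patterns, True if the -i flag is set).
ACL_ORIGINAL = ([r"^.*Mozilla/.*$", r"^Keyvelop$", r"^ClamWin/.*$"], True)
ACL_GECKO = ([r"Gecko/", r"^Keyvelop$", r"^ClamWin/"], False)


def acl_matches(acl, user_agent):
    """True if any pattern matches anywhere in the header value."""
    patterns, ignore_case = acl
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, user_agent, flags) for p in patterns)


def http_access(acl, user_agent):
    """Outcome of 'http_access deny !checkua' for one request.

    'pass' only means this rule did not deny the request; the
    http_access rules that follow still make the final decision.
    """
    return "pass" if acl_matches(acl, user_agent) else "deny"


def report(acl):
    """Evaluate every sample User-Agent against one ACL."""
    samples = {"MSIE6": MSIE6, "Firefox": FIREFOX, "Keyvelop": KEYVELOP,
               "ClamWin": CLAMWIN, "other": OTHER_CLIENT}
    return {name: http_access(acl, ua) for name, ua in samples.items()}


if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("Gecko/", ACL_GECKO)):
        print(label, report(acl))
```

The original ACL lets MSIE 6 through because its header starts with "Mozilla/"; the Gecko/ version denies MSIE 6 but passes any client whose header contains "Gecko/" anywhere.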


Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Erwann PENCREACH

Amos Jeffries wrote:
> Erwann PENCREACH wrote:
>> Ralf Hildebrandt wrote:
>>> * Erwann PENCREACH :
>>>> ok, I made changes
>>>>
>>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>>> and dansguardian)
>>>>
>>>> browser filtering doesn't work at all
>>>>
>>>> external_acl works fine
>>>>
>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>
>>> But I already told you. MSIE says it's Mozilla. Your regular
>>> expression is wrong.
>>
>> You're right I've just checked both User agents :
>>
>> # MSIE: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>
>> acl becomes :
>>
>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>
> Mozilla and Gecko are both engines that generate HTTP requests and parse
> HTTP replies on demand. Along with various other HTTP related
> activities. They are both used in a vast number of browsers and browser
> clones and fake agents.
>
> I would guess you actually want the "Firefox" branding interface for
> Gecko. Commonly known as the Mozilla Firefox web browser.
>
> User-Agent: is easily forged, so don't hang your security on it please.
> It's best to use it only in deny (ie for unknowns and non-matching) and
> leave the allow permissions to more strict ACL types.
>
> Amos


you're right, that's why I deny all but those three UA

Firefox isn't the solution, because the Debian port is called Iceweasel

filtering on gecko allows Firefox, Thunderbird, Iceweasel and Icedove to
go through this acl, and lets the following acl do the rest of the filtering.


All the security isn't done by the proxy. Our users aren't able to
install any software on the computers, so the chance of having another browser
is minimal






Re: [squid-users] squid 3 acl browser

2009-06-24 Thread Amos Jeffries
On Wed, 24 Jun 2009 15:43:07 +0200, Erwann PENCREACH wrote:
> Amos Jeffries wrote:
>> Erwann PENCREACH wrote:
>>> Ralf Hildebrandt wrote:
>>>> * Erwann PENCREACH :
>>>>> ok, I made changes
>>>>>
>>>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>>>> and dansguardian)
>>>>>
>>>>> browser filtering doesn't work at all
>>>>>
>>>>> external_acl works fine
>>>>>
>>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>>
>>>> But I already told you. MSIE says it's Mozilla. Your regular
>>>> expression is wrong.
>>> You're right I've just checked both User agents :
>>>
>>> # MSIE: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
>>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>>
>>> acl becomes :
>>>
>>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>>>
>>
>> Mozilla and Gecko are both engines that generate HTTP requests and parse
>> HTTP replies on demand. Along with various other HTTP related
>> activities. They are both used in a vast number of browsers and browser 
>> clones and fake agents.
>> 
>> I would guess you actually want the "Firefox" branding interface for 
>> Gecko. Commonly known as the Mozilla Firefox web browser.
>> 
>> User-Agent: is easily forged, so don't hang your security on it please. 
>> It's best to use it only in deny (ie for unknowns and non-matching) and 
>> leave the allow permissions to more strict ACL types.
>> 
>> Amos
> 
> you're right, that's why I deny all but those three UA
> 
> firefox, isn't the solution, cause the debian port is called Iceweasel
> 
> filtering on gecko allows Firefox, Thunderbird, Iceweasel and Icedove to 
> go through this acl, and let the following acl do the rest of filtering.
> 
> All the security, isn't done by the proxy. Our users aren't able to 
> install any software on the computers so chance to have an other browser 
> is minimal
> 

Cool. You do seem a lot more clued in than previous posts would suggest :)

Amos