[squid-users] squid 3 acl browser from Erwann PENCREACH on 2009-06-24 (squid-users)

From: Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>
Date: Wed, 24 Jun 2009 10:43:21 +0200

Hi all,

I'm configuring a squid 3 proxy and I want, to deny access to all
unwanted browsers but that is not working.

here are my current acl :

****************************************************************************
acl all_src src 0.0.0.0/0.0.0.0

acl nodst url_regex ^.*sex.*$ ^.*porn.*$ ^.*hack.*$ ^.*crack.*$ ^.*drug.*$
acl nodst1 url_regex -i \.bat$ \.cmd$ \.exe$ \.pif$ \.vbs$ \.ade$ \.adp$
acl nodst2 url_regex -i \.bas$ \.chm$ \.cpl$ \.eml$ \.hlp$ \.hta$ \.inf$
acl nodst3 url_regex -i \.ins$ \.isp$ \.jse$ \.lnk$ \.msc$ \.msi$ \.msp$
acl nodst4 url_regex -i \.mst$ \.reg$ \.sct$ \.shs$ \.vb$ \.vbe$ \.vbs$
acl nodst5 url_regex -i \.wav$ \.avi$ \.ogg$ \.wma$ \.wme$ \.wsc$ \.wsf$
acl nodst6 url_regex -i \.wsh$ \.sh$ \.mp3$ \.scr$ \.cab$ \.zip$ \.tar$
acl nodst7 url_regex -i \.gz$ \.bz2$ \.xpi$ \.wmv$ \.mpeg$
acl contenttype1 req_mime_type ^.*video.*$ ^.*audio.*$

http_access deny all_src nodst
http_access deny all_src nodst1
http_access deny all_src nodst2
http_access deny all_src nodst3
http_access deny all_src nodst4
http_access deny all_src nodst5
http_access deny all_src nodst6
http_access deny all_src nodst7
request_header_access Content-Type deny contenttype1

acl checkua browser -i ^.*Mozilla/.*$ ^Keyvelop$ ^ClamWin/.*$
http_access deny !checkua

external_acl_type authuser %DST %SRC [a secret path]/getloggeduser.sh
acl isok external authuser
http_access allow isok

http_access deny all
****************************************************************************

getloggeduser.sh is retrieving the user logged on the host, and checking
his access right (full or restricted) against ldap ; in case of full
rights or restricted rights (if dst is allowed) it return OK
user=USERNAME. If user has no rights or if dst is not allowed, it return
err user=USERNAME. it also log datetime username rights, url and if
access is granted or not.

In case I'm using MSIE, I shouldn't have my access granted, but I have,
and getloggeduser.sh generate a log line.

what's wrong ?

thanks for your help

In case It can change something, I'm using squid3 on debian lenny (arch
amd64)

--
Ce courrier �lectronique a �t� v�rifi� et est exempt de virus connus � ce jour.
Contactez votre administrateur pour plus de renseignement.
postmaster_at_ch-chaumont.fr

text/x-vcard attachment: erwann_pencreach.vcf

Received on Wed Jun 24 2009 - 08:43:40 MDT

This archive was generated by hypermail 2.2.0 : Wed Jun 24 2009 - 12:00:04 MDT