[squid-users] i want to block images with size more than 40 KB

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 19 04:40:35 UTC 2015


On 19/03/2015 1:35 p.m., snakeeyes wrote:
> Thank you so much, Amos and Leonardo.
> Can you provide me any sample config to start with?
> It feels so difficult to me.
> I had a look at the "ACL elements" section in the wiki about matching the size of an image but didn't find anything clear.
> So again I feel that I will create an access list that matches size > than 50 Byte and with a mime type like jpg or bmp and then deny it.
> 
> Could you help me with a startup config, please?

You mean hand over a cut-n-paste example that you can use and when
things go wrong not understand how to fix?

Sure:
 acl images rep_header Content-Type ^image/ ^x-image/
 acl small rep_header Content-Length ^[1234]?[0-9]$
 http_reply_access deny small images


BUT like Leonardo said, censoring the Internet is not as easy as all that.

* Images come in *many* data formats (Content-Type values), some of
which are shared with other non-image things - like octet-stream which
literally means "unknown binary data". They can come embedded inside
other objects, JSON, CSS, archive files (like zip / gzip / xz / ar /
cab) ... even plain old HTML can have base64 blobs of image data in them
which gets decoded by a script... and so on.

For every point of censorship there is a bypass.

* The Content-Length is also not guaranteed to exist. The object
may be of undefined length streamed in small chunks or as a blob with no
size known until the end of the transaction.


What it comes down to is that you need to know exactly what you are
looking for in the protocol, and use the appropriate ACL types to match
with. Which in turn requires knowing what ACLs you have available and
how to use them to construct *_access rules matching your needs.


When you do have to make abnormal things happen, be as precise and
specific as you can. Every bit of fuzz/approximation *will* cause
trouble at some point during production traffic.


So, why are you doing this?

Amos
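
The following is an added example, not part of the original message and not Squid code: a small Python model of the three posted config lines, run over constructed reply headers to show which replies the deny rule actually catches. It assumes the usual ACL semantics (values within one acl are ORed, ACLs on one access line are ANDed, an absent header never matches); the sample headers and function names are invented for illustration.

```python
import re

# Model of the three squid.conf lines in the message (added example, not Squid's code).
# Assumed semantics: values in one acl are ORed; ACLs on one access line are ANDed.
ACLS = {
    "images": ("Content-Type", [r"^image/", r"^x-image/"]),
    "small": ("Content-Length", [r"^[1234]?[0-9]$"]),
}
DENY_RULE = ["small", "images"]  # http_reply_access deny small images


def acl_matches(name, headers):
    """True if any regex of the ACL matches the named reply header's value."""
    header, patterns = ACLS[name]
    value = headers.get(header)
    if value is None:  # an absent header can never match
        return False
    return any(re.search(p, value) for p in patterns)


def denied(headers):
    """True only when every ACL on the deny line matches this reply."""
    return all(acl_matches(name, headers) for name in DENY_RULE)


# Constructed reply headers, one per caveat raised in the message.
SAMPLES = {
    "tiny gif, 43 bytes": {"Content-Type": "image/gif", "Content-Length": "43"},
    "jpeg, 50 bytes": {"Content-Type": "image/jpeg", "Content-Length": "50"},
    "jpeg, 40 KB": {"Content-Type": "image/jpeg", "Content-Length": "40960"},
    "chunked png, no length": {"Content-Type": "image/png",
                               "Transfer-Encoding": "chunked"},
    "image sent as octet-stream": {"Content-Type": "application/octet-stream",
                                   "Content-Length": "12"},
    "html with base64 image": {"Content-Type": "text/html", "Content-Length": "30"},
}


def evaluate():
    """Return {sample label: True if the reply would be denied}."""
    return {label: denied(h) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{'DENY ' if verdict else 'allow'}  {label}")
```

Only the 43-byte GIF is denied: the Content-Length pattern covers values 0 through 49, and every other sample slips past on either the size, the missing header, or the Content-Type.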


