[squid-users] i want to block images with size more than 40 KB

snakeeyes ahmed.zaeem at netstream.ps
Fri Mar 20 23:12:44 UTC 2015


I did try with google.com and yahoo.com.

It does not seem to be blocking images there.

Can you help with that, please?

-----Original Message-----
From: snakeeyes [mailto:ahmed.zaeem at netstream.ps] 
Sent: Friday, March 20, 2015 4:06 PM
To: 'Amos Jeffries'
Cc: squid-users at lists.squid-cache.org
Subject: RE: [squid-users] i want to block images with size more than 40 KB

Hi Amos, thanks for the reply.
I have tried this at the top of squid.conf:

acl images rep_header Content-Type ^image/ ^x-image/
acl small rep_header Content-Length ^[1234]?[0-9]$
http_reply_access deny small images

Are you sure that it's blocking images with size >40KB?
Also, I didn't see extensions like jpg or bmp or similar.

I have tried several sites; it is all being allowed. Can you advise?




regards

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Wednesday, March 18, 2015 9:41 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] i want to block images with size more than 40 KB

On 19/03/2015 1:35 p.m., snakeeyes wrote:
> Thank you so much, Amos and Leonardo.
> Can you provide me any sample config to start with?
> I find it so difficult.
> I had a look at the "ACL elements" section in the wiki about matching size of image but didn't find anything clear.
> So again I feel that I will create access list that match size > than 50 Byte and with mime type like jpg or bmp and then deny it.
> 
> Could you help me with a startup config, please?

You mean hand over a cut-n-paste example that you can use and when things go wrong not understand how to fix?

Sure:
 acl images rep_header Content-Type ^image/ ^x-image/
 acl small rep_header Content-Length ^[1234]?[0-9]$
 http_reply_access deny small images


BUT like Leonardo said, censoring the Internet is not as easy as all that.

* Images come in *many* data formats (Content-Type values), some of which are shared with other non-image things - like octet-stream which literally means "unknown binary data". They can come embedded inside other objects, JSON, CSS, archive files (like zip / gzip / xz / ar / cab) ... even plain old HTML can have base64 blobs of image data in them which gets decoded by a script... and so on.

For every point of censorship there is a bypass.

* The Content-Length is also not guaranteed to exist. The object may be of undefined length streamed in small chunks or as a blob with no size known until the end of the transaction.


What it comes down to is that you need to know exactly what you are looking for in the protocol, and use the appropriate ACL types to match with. Which in turn requires knowing what ACLs you have available and how to use them to construct *_access rules matching your needs.


When you do have to make abnormal things happen be as precise and specific as you can. Every bit of fuzz/approximation *will* cause trouble at some point during production traffic.


So, why are you doing this?

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
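
Added example (not from the thread and not Squid code): a Python model of the three posted squid.conf lines, run over constructed reply headers, showing what the `small` pattern really matches and how replies without Content-Length or with a generic Content-Type pass through. It assumes that several regexes on one `acl` line are OR'd, that ACLs on one `http_reply_access` line are AND'd, and that 40 KB means 40960 bytes; `OVER_40KB` is a hypothetical pattern for "more than 40 KB".

```python
import re

# The ACLs from the thread, modelled in Python (an illustration, not Squid).
IMAGES = [re.compile(r"^image/"), re.compile(r"^x-image/")]
SMALL = [re.compile(r"^[1234]?[0-9]$")]  # posted pattern: matches 0..49 only
# Hypothetical pattern for "more than 40960 bytes" (assumes no leading zeros):
# 40961-40969, 40970-40999, 41000-49999, 50000-99999, then any 6+ digit value.
OVER_40KB = [re.compile(
    r"^(4096[1-9]|409[7-9][0-9]|4[1-9][0-9]{3}|[5-9][0-9]{4}|[1-9][0-9]{5,})$")]


def acl_matches(patterns, headers, name):
    """rep_header-style match: an absent header can never match."""
    value = headers.get(name)
    return value is not None and any(p.search(value) for p in patterns)


def reply_denied(headers, size_acl):
    """Model of: http_reply_access deny <size_acl> images (both must match)."""
    return (acl_matches(size_acl, headers, "Content-Length")
            and acl_matches(IMAGES, headers, "Content-Type"))


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "tracking pixel, 43 B": {"Content-Type": "image/gif", "Content-Length": "43"},
    "photo, 120 KB": {"Content-Type": "image/jpeg", "Content-Length": "122880"},
    "photo, exactly 40 KB": {"Content-Type": "image/png", "Content-Length": "40960"},
    "photo, 39 KB": {"Content-Type": "image/png", "Content-Length": "39936"},
    "chunked photo": {"Content-Type": "image/jpeg", "Transfer-Encoding": "chunked"},
    "image as octet-stream": {"Content-Type": "application/octet-stream",
                              "Content-Length": "122880"},
}


def verdicts(size_acl):
    """Return {sample name: True if the reply would be denied}."""
    return {name: reply_denied(h, size_acl) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("posted 'small'", SMALL), ("over 40 KB", OVER_40KB)):
        print(label)
        for name, denied in verdicts(acl).items():
            print(f"  {'DENY ' if denied else 'allow'}  {name}")
```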


