[squid-users] Need advice on some crazy access control requirements

Victor Sudakov sudakov at sibptus.tomsk.ru
Mon Mar 14 11:41:51 UTC 2016


Amos Jeffries wrote:
> > 
> > New Internet access rules are being introduced in our company, among
> > them there is a requirement to have special groups of Internet users
> > who are permitted to: 
> > 
> > 1. Download files from the Internet.
> > 
> > 2. Use Web forums.
> > 
> > 3. Use streaming audio/video.
> > 
> > By default users should have no access to the above facilities.
> > 
> > These requirements may sound stupid and vague to some, but is there a
> > way to accommodate them at least partially, without keeping long lists
> > of prohibited file extensions and domains, which is very
> > counterproductive?
> 
> 
> Not stupid at all. There are some good reasons any of these might be
> needed. The vagueness is the main problem.

Please see below about vagueness.

> 
> > 1. Download files from the Internet.
> >
> 
> That one is easy >:-). *everything* in HTTP is downloaded. It is only
> how you view it that changes (in-browser vs. out-of-browser).
> 
> So:
>   "http_access deny all"
> 
> But perhaps there is a more detailed definition of "files" that was
> intended. See the example for #3 below. Once you can narrow down *what
> types* of files are relevant (audio, video, executables, archives, pdf,
> text, flash, etc, etc ?) you can use reply content-type restriction to
> control them arriving.

They probably meant executable files. Or large files like mp3s and
videos.

If an executable file is of the generic application/octet-stream type,
how would you apply the content-type restriction?

>  NP: Squid will still fetch them from the server (we can't stop that at
> least starting to arrive), but be blocked from delivering to the user.
> 
> Note that streaming (#3) is just an audio/video file being downloaded. It
> happens to be being played at the same time. But it is still a download.
> 
> 
> > 2. Use Web forums.
> 
> Likewise. Anything in www can be a forum. To do anything useful "forums"
> needs to be defined in a technical way. As does "use".

Deny the POST method? :-)

> 
> I expect this one will end up being a long list of domains just by itself.

Can you advise such lists for use with squid (both community supported
and commercial)?

> 
> >
> > 3. Use streaming audio/video.
> 
> This is somewhat easier than #1. Since "audio/video" is already a clear
> technical definition.
> 
> <http://wiki.squid-cache.org/ConfigExamples/#Multimedia_and_Data_Stream_filtering>

Thanks for the link, it is useful.

> Example is not complete by any means. But demonstrates how to do it for
> the AV stuff you want to block.
> 
> You may also want to use:
> 
>  acl radio proto ICY
>  http_reply_access deny radio
> 
> 
> > 
> > I am perfectly aware that an advanced Internet user will be able to
> > circumvent those prohibitions, but still, any recipes? I have looked
> > in http://wiki.squid-cache.org/SquidFaq/SquidAcl but found nothing
> > very useful.
> 
> Without technical definitions for "files", "forums", and "use" it's all
> just too vague.

I believe the authors of the document had in mind some commercial
Web filtering system with an easy-to-use interface for
permitting/blocking certain categories of sites. From their point of
view, perhaps, those definitions are as clear as radio buttons and
menus in some commercial Web filter (e.g. SkyDNS), and the technical
definitions are left to the vendor.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
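A squid.conf fragment that puts the pieces discussed in this thread together: reply content-type ACLs for "files" and audio/video, the ICY proto ACL, and a method ACL as the crude handle on "using forums", each gated by a group. This is an added example, not configuration from the thread or from the Squid project; the group files under /etc/squid/, the localnet range and the chosen content types are assumptions.

```squid
# Added example, not from the thread. Group membership by source address,
# one CIDR/IP per line (file paths are assumptions).
acl localnet     src 10.0.0.0/8
acl grp_download src "/etc/squid/grp_download.txt"
acl grp_forum    src "/etc/squid/grp_forum.txt"
acl grp_stream   src "/etc/squid/grp_stream.txt"

# #1 "files": matched on the reply Content-Type. application/octet-stream is
# what most servers send for executables, so it is caught here too; servers
# can mislabel, so treat this as best-effort, not a guarantee.
acl file_types rep_mime_type -i ^application/octet-stream
acl file_types rep_mime_type -i ^application/x-msdownload
acl file_types rep_mime_type -i ^application/(zip|x-rar-compressed|x-7z-compressed|x-gzip)
acl file_types rep_mime_type -i ^application/pdf

# #3 streaming: any audio/* or video/* reply, common playlist/manifest types,
# and SHOUTcast/Icecast streams, which use the ICY protocol.
acl av_types rep_mime_type -i ^(audio|video)/
acl av_types rep_mime_type -i ^application/(x-mpegurl|vnd\.apple\.mpegurl|dash\+xml|x-shockwave-flash)
acl radio proto ICY

# #2 forums: the only generic technical handle is submitting content.
acl post method POST

# Request-side rules are evaluated before the server is contacted.
http_access deny radio !grp_stream
http_access deny post !grp_forum
http_access allow localnet
http_access deny all

# Reply-side rules: Squid has already begun fetching the object, but the
# body is not delivered to a client outside the permitted group.
http_reply_access deny av_types !grp_stream
http_reply_access deny file_types !grp_download
http_reply_access allow all
```

The POST rule blocks every form submission, logins included, so in practice it needs a dstdomain exception list for internal and business applications; the content-type rules only see what the server claims, which is why the thread's caveat about advanced users circumventing them still applies.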
