[squid-users] allowing zip only for a specific url regex
Amos Jeffries
squid3 at treenet.co.nz
Tue May 5 13:02:55 UTC 2020
On 6/05/20 12:42 am, robert k Wild wrote:
> cool thanks Amos :)
>
> if your interested these are my lines in my config
>
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> http_reply_access allow special_url
The above is wrong. It is allowing by URL, regardless of the mime type.
> http_reply_access deny mimetype
>
That is the opposite of your stated requirement. It will *prevent* the
mime type check from identifying downloads in the special_url.
A better way to write the above policy would be:
http_reply_access deny !special_url mimetype
Also, be aware that http_reply_access denial only prevents the download
reaching the client. It still has to be fully downloaded by Squid - lots
of bandwidth and processing cycles wasted.
If you are blocking traffic by URL do that in http_access instead.
> urlspecial.txt
>
> http://updater.maxon.net/server_test
> http://updater.maxon.net/customer/R21.0/updates15
> http://updater.maxon.net/customer/general/updates15
> ^http://ccmdl.adobe.com/AdobeProducts/KCCC/1/win64/packages/.*
> ^http://ccmdl.adobe.com/AdobeProducts/KCCC/1/osx10/packages/.*
> ^http://www.eztitles.com/download.php?
> ^https://attachments.office.net/owa/.*
>
Do not put .* on the end of regex patterns. That only forces the regex
library to scan longer than necessary and waste memory.
Also this pattern:
^http://www.eztitles.com/download.php?
actually means:
^http://www.eztitles.com/download.ph
('?' is a regex special character. Like '*' it is deceptively harmful at
the start or end of a pattern)
Amos
More information about the squid-users
mailing list