[squid-users] Need advice on some crazy access control requirements

Amos Jeffries squid3 at treenet.co.nz
Fri Mar 11 05:00:30 UTC 2016


On 11/03/2016 4:31 p.m., Victor Sudakov wrote:
> Dear Colleagues,
> 
> New Internet access rules are being introduced in our company, among
> them there is a requirement to have special groups of Internet users
> who are permitted to: 
> 
> 1. Download files from the Internet.
> 
> 2. Use Web forums.
> 
> 3. Use streaming audio/video.
> 
> By default users should have no access to the above facilities.
> 
> These requirements may sound stupid and vague to some, but is there a
> way to accommodate them at least partially, without keeping long lists
> of prohibited file extensions and domains, which is very
> counterproductive?


Not stupid at all. There are some good reasons any of these might be
needed. The vagueness is the main problem.


> 1. Download files from the Internet.
>

That one is easy >:-). *everything* in HTTP is downloaded. It is only
how you view it that changes (in-browser vs. out-of-browser).

So:
  "http_access deny all"

But perhaps there is a more detailed definition of "files" that was
intended. See the example for #3 below. Once you can narrow down *what
types* of files are relevant (audio, video, executables, archives, pdf,
text, flash, etc, etc ?) you can use reply content-type restriction to
control them arriving.
 NP: Squid will still fetch them from the server (we can't stop that at
least starting to arrive), but be blocked from delivering to the user.

Note that streaming (#3) is just an audio/video file being downloaded. It
happens to be being played at the same time. But it is still a download.


> 2. Use Web forums.

Likewise. Anything in www can be a forum. To do anything useful "forums"
needs to be defined in a technical way. As does "use".

I expect this one will end up being a long list of domains just by itself.

>
> 3. Use streaming audio/video.

This is somewhat easier than #1, since "audio/video" is already a clear
technical definition.

<http://wiki.squid-cache.org/ConfigExamples/#Multimedia_and_Data_Stream_filtering>

The example is not complete by any means, but it demonstrates how to do it
for the AV stuff you want to block.

You may also want to use:

 acl radio proto ICY
 http_reply_access deny radio


> 
> I am perfectly aware that an advanced Internet user will be able to
> circumvent those prohibitions, but still, any recipes? I have looked
> in http://wiki.squid-cache.org/SquidFaq/SquidAcl but found nothing
> very useful.

Without technical definitions for "files", "forums", and "use" it's all
just too vague.

Amos
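As an added illustration of the two mechanisms the reply points at (reply Content-Type restriction with a `rep_mime_type` ACL, and the `proto ICY` ACL for SHOUTcast/Icecast streams), here is a squid.conf fragment that puts them into the default-deny group model the original question asks for. It is not part of Amos's mail or of the Squid wiki example he links. The `src` ranges, the list of MIME types used to define a "file", and the extra `rep_header` check on `Content-Disposition: attachment` are assumptions standing in for whatever the site's own definitions turn out to be.

```squid
# Added example: default-deny groups for "downloads" and "streaming".
# Not from the original mail or the Squid project; the group ranges and
# the MIME list are constructed placeholders (assumption).

# Group membership (constructed ranges; replace with your own src ranges,
# or with proxy_auth / external_acl group lookups).
acl grp_lan       src 192.0.2.0/24
acl grp_download  src 192.0.2.0/26
acl grp_streaming src 192.0.2.64/26

# One technical definition of "file": the reply's Content-Type says
# executable, archive or PDF, or the server asks the browser to save it
# (Content-Disposition: attachment). Both are assumptions; adjust.
acl rep_file rep_mime_type -i ^application/(octet-stream|zip|x-rar-compressed|x-7z-compressed|x-msdownload|x-msdos-program|pdf)
acl rep_attachment rep_header Content-Disposition -i attachment

# Technical definition of "streaming": audio/* or video/* replies, plus
# ICY (SHOUTcast/Icecast) streams, which carry no HTTP Content-Type to
# match on, so the protocol itself is the signal.
acl rep_av rep_mime_type -i ^(audio|video)/
acl radio proto ICY

# Request stage: only the LAN may use the proxy at all.
http_access deny !grp_lan
http_access allow grp_lan
http_access deny all

# Reply stage: Squid has already started fetching the object (as the
# reply notes, that cannot be stopped), but the body is not delivered to
# a user outside the permitted group. Order matters: first match wins.
http_reply_access deny rep_av !grp_streaming
http_reply_access deny radio !grp_streaming
http_reply_access deny rep_file !grp_download
http_reply_access deny rep_attachment !grp_download
http_reply_access allow all
```

Two points a practitioner should check before deploying this. First, `http_reply_access` defaults to allow when no rule matches, which is why the fragment ends with an explicit `http_reply_access allow all` rather than relying on the default; reversing that to `deny all` would block every reply that is not whitelisted, including ordinary HTML. Second, the ICY rule lives in `http_reply_access`, not `http_access`, because the client's request is an ordinary HTTP GET and the protocol is only recognisable from the server's reply, which is also why the original mail places `acl radio proto ICY` there. `squid -k parse` reports syntax errors in the ACL regexes before a reload.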