[squid-users] Need advice on some crazy access control requirements
Rafael Akchurin
rafael.akchurin at diladele.com
Mon Mar 14 17:08:02 UTC 2016
Hello Victor,
In order to scan the contents of the files being downloaded you might need to have an eCAP or ICAP module/server attached to your Squid.
Best regards,
Rafael Akchurin
Diladele B.V.
--
Please take a look at Web Safety - our ICAP based web filter server for Squid proxy
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Victor Sudakov
Sent: Monday, March 14, 2016 12:42 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Need advice on some crazy access control requirements
Amos Jeffries wrote:
> >
> > New Internet access rules are being introduced in our company, among
> > them there is a requirement to have special groups of Internet users
> > who are permitted to:
> >
> > 1. Download files from the Internet.
>
> > 2. Use Web forums.
> >
> > 3. Use streaming audio/video.
> >
> > By default users should have no access to the above facilities.
> >
> > These requirements may sound stupid and vague to some, but is there
> > a way to accommodate them at least partially, without keeping long
> > lists of prohibited file extensions and domains, which is very
> > counterproductive?
>
>
> Not stupid at all. There are some good reasons any of these might be
> needed. The vagueness is the main problem.
Please see below about vagueness.
>
> > 1. Download files from the Internet.
> >
>
> That one is easy >:-). *everything* in HTTP is downloaded. It is only
> how you view it that changes (in-browser vs. out-of-browser).
>
> So:
> "http_access deny all"
>
> But perhaps there is a more detailed definition of "files" that was
> intended. See the example for #3 below. Once you can narrow down *what
> types* of files are relevant (audio, video, executables, archives,
> pdf, text, flash, etc, etc ?) you can use reply content-type
> restriction to control them arriving.
They probably meant executable files. Or large files like mp3s and videos.
If an executable file is of the generic application/octet-stream type, how would you apply the content-type restriction?
> NP: Squid will still fetch them from the server (we can't stop that at
> least starting to arrive), but be blocked from delivering to the user.
>
> Note that streaming (#3) is just a audio/video file being downloaded.
> It happens to be being played at the same time. But it is still a download.
>
>
> > 2. Use Web forums.
>
> Likewise. Anything in www can be a forum. To do anything useful "forums"
> needs to be defined in a technical way. As does "use".
Deny the POST method? :-)
>
> I expect this one will end up being a long list of domains just by itself.
Can you advise such lists for use with squid (both community supported and commercial)?
>
> >
> > 3. Use streaming audio/video.
>
> This is somewhat easier than #1. Since "audio/video" is already a
> clear technical definition.
>
> <http://wiki.squid-cache.org/ConfigExamples/#Multimedia_and_Data_Stream_filtering>
Thanks for the link, it is useful.
> Example is not complete by any means. But demonstrates how to do it
> for the AV stuff you want to block.
>
> You may also want to use:
>
> acl radio proto ICY
> http_reply_access deny radio
>
>
> >
> > I am perfectly aware that an advanced Internet user will be able to
> > circumvent those prohibitions, but still, any recipes? I have looked
> > in http://wiki.squid-cache.org/SquidFaq/SquidAcl but found nothing
> > very useful.
>
> Without technical definitions for "files", "forums", and "use" it's all
> just too vague.
I believe the authors of the document had in mind some commercial Web filtering system with an easy-to-use interface for permitting/blocking certain categories of sites. From their point of view, perhaps, those definitions are as clear as radio buttons and menus in some commercial Web filter (e.g. SkyDNS), and the technical definitions are left to the vendor.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
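The following squid.conf fragment is an added example and is not from Rafael, Amos or Victor. It puts together the ACL types mentioned in the thread (reply MIME type matching, the ICY protocol ACL, and restricting the POST method) into three opt-in groups, and it treats a reply whose type is the generic application/octet-stream, or which carries a Content-Disposition: attachment header, as a "file download" so that the octet-stream case raised above is covered as well. The user-list and domain-list file names are assumptions, and the MIME type list is only a starting point that a site would extend to its own definition of "files".

```conf
# Added example, not part of the original thread. Assumed file names below.

# Authenticate everybody up front so the username is known when the
# reply-side rules run.
acl authenticated  proxy_auth REQUIRED
acl download_users proxy_auth "/etc/squid/download_users.txt"
acl forum_users    proxy_auth "/etc/squid/forum_users.txt"
acl stream_users   proxy_auth "/etc/squid/stream_users.txt"
acl forum_sites    dstdomain  "/etc/squid/forum_domains.txt"

# 1. "Files": approximated as executables and archives by reply MIME type.
#    application/octet-stream is the generic type many servers use for
#    binaries, so it is matched too; a Content-Disposition: attachment
#    header is a second signal that the server intends a download.
acl file_types rep_mime_type -i ^application/octet-stream ^application/x-msdownload ^application/x-msdos-program ^application/x-executable ^application/zip ^application/x-rar-compressed ^application/x-7z-compressed
acl attachment rep_header Content-Disposition -i attachment

# 3. Streaming: audio/video reply types, HLS playlists and SHOUTcast/Icecast (ICY).
acl av_types rep_mime_type -i ^audio/ ^video/ ^application/x-mpegurl ^application/vnd.apple.mpegurl
acl radio proto ICY

# 2. "Use forums": everyone may read, only the forum group may POST to the
#    listed forum domains. Denying POST everywhere would break ordinary
#    logins and search forms, hence the domain list.
acl POST method POST

http_access deny !authenticated
http_access deny POST forum_sites !forum_users
http_access allow authenticated
http_access deny all

# Reply-side checks: as noted above, Squid still fetches the object from the
# server, but it is not delivered to a user outside the matching group.
http_reply_access deny radio !stream_users
http_reply_access deny av_types !stream_users
http_reply_access deny file_types !download_users
http_reply_access deny attachment !download_users
http_reply_access allow all

# Coarse backstop for "large files": first matching line wins, so the
# download group is exempted before the general cap applies.
reply_body_max_size none download_users
reply_body_max_size 10 MB all
```

Reply-side ACLs only see what the server sends, so a file served as text/plain with no Content-Disposition header passes the file_types rule; that is the limit of this approach, and it is why the thread points to an ICAP/eCAP scanner for looking at the actual content rather than the headers.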
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users