allowing zip only for a specific url regex


robert k Wild
hi all,

i want to allow only zip files via a specific url regex

atm i'm allowing all attachments


could i do this to lock it down to only zips


thanks,
rob

--
Regards,

Robert K Wild.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: allowing zip only for a specific url regex

Amos Jeffries
Administrator
On 5/05/20 11:38 pm, robert k Wild wrote:

> hi all,
>
> i want to allow only zip files via a specific url regex
>
> atm i'm allowing all attachments
>
> ^https://attachments.office.net/owa/.*
>
> could i do this to lock it down to only zips
>
> ^https://attachments.office.net/owa/.zip
>

That regex will only match a small set of URLs which are unlikely ever
to exist.

What you want is:

 acl downloads url_regex https://attachments.office.net/owa/
 acl dotZip urlpath_regex \.zip(\?)?.*$
 http_access allow downloads !dotZip

 acl zipCt rep_header Content-Type application/zip
 http_reply_access deny zipCt


Amos

Re: allowing zip only for a specific url regex

robert k Wild
cool thanks Amos :)

if you're interested these are my lines in my config

#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"

#deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access allow special_url
http_reply_access deny mimetype

urlspecial.txt


mimedeny.txt

application/octet-stream
application/x-msi
application/zip
application/vnd.ms-cab-compressed

is this the best way of doing it?

thanks,
rob


Re: allowing zip only for a specific url regex

Amos Jeffries
Administrator
On 6/05/20 12:42 am, robert k Wild wrote:

> cool thanks Amos :)
>
> if you're interested these are my lines in my config
>
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> http_reply_access allow special_url

The above is wrong. It is allowing by URL, regardless of the mime type.

> http_reply_access deny mimetype
>

That is the opposite of your stated requirement. It will *prevent* the
mime type check from identifying downloads in the special_url.

A better way to write the above policy would be:

  http_reply_access deny !special_url mimetype


Also, be aware that http_reply_access denial only prevents the download
reaching the client. It still has to be fully downloaded by Squid - lots
of bandwidth and processing cycles wasted.
 If you are blocking traffic by URL do that in http_access instead.


Do not put .* on the end of regex patterns. That only forces the regex
library to scan longer than necessary and waste memory.

Also this pattern:

 ^http://www.eztitles.com/download.php?

actually means:

 ^http://www.eztitles.com/download.ph

('?' is a regex special character. Like '*' it is deceptively harmful at
the start or end of a pattern)


Amos
Re: allowing zip only for a specific url regex

robert k Wild
Thanks Amos,

so how would I allow these urls with a wild card then 



Would I do this


Thanks,
Rob

On Tue, 5 May 2020, 14:04 Amos Jeffries, <[hidden email]> wrote:
On 6/05/20 12:42 am, robert k Wild wrote:
> cool thanks Amos :)
>
> if you're interested these are my lines in my config
>
> #allow special URL paths
> acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>
> #deny MIME types
> acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
> http_reply_access allow special_url

The above is wrong. It is allowing by URL, regardless of the mime type.

> http_reply_access deny mimetype
>

That is the opposite of your stated requirement. It will *prevent* the
mime type check from identifying downloads in the special_url.

A better way to write the above policy would be:

  http_reply_access deny !special_url mimetype


Also, be aware that http_reply_access denial only prevents the download
reaching the client. It still has to be fully downloaded by Squid - lots
of bandwidth and processing cycles wasted.
 If you are blocking traffic by URL do that in http_access instead.


> urlspecial.txt
>
> http://updater.maxon.net/server_test
> http://updater.maxon.net/customer/R21.0/updates15
> http://updater.maxon.net/customer/general/updates15
> ^http://ccmdl.adobe.com/AdobeProducts/KCCC/1/win64/packages/.*
> ^http://ccmdl.adobe.com/AdobeProducts/KCCC/1/osx10/packages/.*
> ^http://www.eztitles.com/download.php?
> ^https://attachments.office.net/owa/.*
>

Do not put .* on the end of regex patterns. That only forces the regex
library to scan longer than necessary and waste memory.

Also this pattern:

 ^http://www.eztitles.com/download.php?

actually means:

 ^http://www.eztitles.com/download.ph

('?' is a regex special character. Like '*' it is deceptively harmful at
the start or end of a pattern)


Amos
Re: allowing zip only for a specific url regex

Amos Jeffries
Administrator
On 6/05/20 1:39 am, robert k Wild wrote:

> Thanks Amos,
>
> so how would I allow these urls with a wild card then 
>
> Http://domain.com/path/1/to/any/where
>
> Http://domain.com/path/2/to/any/where
>
> Would I do this
>
> Http://domain.com/path/*
>

No. As the url_regex ACL name says, these are regex patterns.

You have to use special anchors (^ and $) to *prevent* them being
wildcard matches.

Simply do like this:

  ^http://domain\.com/path/



Cheers
Amos
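
The regex pitfalls pointed out in this thread (an unescaped ".", a trailing "?", a missing "^" anchor, a trailing ".*"), as an added example that is not part of the original messages. grep -E stands in for Squid's url_regex matching, the tested URLs are constructed, and the escaped download\.php\? pattern is this example's own assumption rather than one posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. grep -E (POSIX extended regex) stands in
# for Squid's url_regex ACL: a case-sensitive search that succeeds when the
# pattern is found anywhere in the URL. All tested URLs are constructed samples.

# matches PATTERN URL -> prints "match" or "no-match"
matches() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo match
    else
        echo no-match
    fi
}

# check PATTERN URL -> prints one result row
check() {
    printf '%-9s %-45s %s\n' "$(matches "$1" "$2")" "$1" "$2"
}

# 1. An unescaped "." is "any one character": "/owa/.zip" needs exactly one
#    character between "/owa/" and "zip", so a normal file name never fits.
check '^https://attachments.office.net/owa/.zip' 'https://attachments.office.net/owa/report.zip'
check '^https://attachments.office.net/owa/.zip' 'https://attachments.office.net/owa/Xzip'

# 2. A trailing "?" makes the final "p" optional; it is not a literal "?".
#    The escaped pattern (an assumption of this example) requires the real "?".
check '^http://www.eztitles.com/download.php?' 'http://www.eztitles.com/download.phtml'
check '^http://www\.eztitles\.com/download\.php\?' 'http://www.eztitles.com/download.phtml'
check '^http://www\.eztitles\.com/download\.php\?' 'http://www.eztitles.com/download.php?id=1'

# 3. Without "^" the pattern is found inside another URL's query string, and
#    "/*" means "zero or more slashes", not a wildcard. The first pattern is
#    the one asked about in the thread, lower-cased.
check 'http://domain.com/path/*' 'http://other.example/go?u=http://domain.com/path'
check '^http://domain\.com/path/' 'http://other.example/go?u=http://domain.com/path'
check '^http://domain\.com/path/' 'http://domain.com/path/1/to/any/where'

# 4. A trailing ".*" changes nothing about which URLs match.
check '^https://attachments.office.net/owa/.*' 'https://attachments.office.net/owa/a.pdf'
check '^https://attachments.office.net/owa/' 'https://attachments.office.net/owa/a.pdf'
```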
Re: allowing zip only for a specific url regex

robert k Wild
Thanks a lot Amos, as always you have been very helpful

Much appreciated mate

Rob
