Re: Support for cern like Pass/Fail proxy limits?

From: Cord Beermann, Webmaster der FH Lippe <[email protected]>
Date: Mon, 25 Nov 1996 22:38:47 +0100 (MET)

Hallo! Du (Jeff Evans) hast geschrieben:

> Squid seems to be the perfect replacement (and a damn speedy cache), but
>I can't seem to see any way to restrict or redirect URL's similar to Cern's
>Pass and Fail commands. Does someone have a plug in module that creates
>this functionality (and uses the exact same syntax as Cern :)? Possibly
>working with the URL Redirector in 1.1.beta23.
> Any information would be greatly appreciated.

I thought about redirector first, too, but squid has all needs built
in.

This is how I do this task:

acl all src 0.0.0.0/0.0.0.0
acl dirtydomain dstdomain "/var/proxy/www/squid/etc/dirtydomain"
acl dirtybranch url_regex "/var/proxy/www/squid/etc/dirtybranch"

http_access deny dirtydomain
http_access deny dirtybranch

http_access allow all

deny_info http://foo.bar.net/ERROR/dirty-pictures.html dirtydomain dirtybranch

$ cat /var/proxy/www/squid/etc/dirtydomain
adult.com
adults.com
cyberporn.com

$ cat /var/proxy/www/squid/etc/dirtybranch
100hot.com/xxx

and so on...

This method works for me, but it leaves one hole wide open: You can
access the 'bad' pages with the IP-Address. So I had to deny such
requests. I have a small positive list where I put 'trusted' IPs in.

A redirector which does IP2Addr-conversion does'nt work because the
results were never checked with the acl-rules.

Now i'm thinking of getting all IPs of the 'bad' hosts and deny
them, because Squid can check host-->IP, but not the other way
round. (I have tried to implement this, but ... :( )

But this isn't a good way, because HTTP/1.1 supports an 'Host:'-Header
which can get different contents from one Server on one IP.
So it would be nicer if someone can add an IP-->Host check for an
acl-rule (more likely, all tools are in the source, you have only to
put it together ;-) or put in a switch where we can select between pre- or
post- redirector acl-check.

Cord.

PS: Conversion from CERN-Pass/Fail to Squid-rules should be a small
job for perl or shell-scripts.

-- 
Cord Beermann, Webmaster der FH Lippe
[email protected] | http://www.fh-lippe.de/fhl/dvz/webadm/
Received on Mon Nov 25 1996 - 13:39:16 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:38 MST