[squid-users] rep_mime_type, http_reply_access and external_acl

From: Christoph Haas <email@dont-contact.us>
Date: Tue, 17 Feb 2004 12:37:30 +0100

Hi, list...

I'm trying to increase security a little at our company proxy. Until now we
only used regexps to look for content we do not users to access. Obviously that
is easy to work around (rename the .EXE to .JPG and you are set). So I wanted
at least to use MIME header ACLs to block certain rep_mime_header types.

We are using LDAP authentication with groups (external_acl) to manage different
access levels. The default level can only access HTML files and graphics (png,
gif, jpg). Advanced users should get any kind of content.

Unfortunately there seem to be problems still using rep_mime_header and
external_acl. Hendrik once said (2003-08-10 06:50:55 PST/Re: [squid-users]
external_acl and http_reply_access) that "external acl methods is not suitable
for use in http_reply_access as http_reply_access can not wait for any external
lookups to complete".

I understand that it is problematic to wait for the external helper. However is
this supported? My experiments using according ACLs did not work out. We are
using the 2.5-stable 4 version in our production environment.

How could I use both authorization groups and mime-type reply filtering?
Would I need to run 3.0? Is it stable enough? How much has changed?

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
Received on Tue Feb 17 2004 - 04:37:32 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST