歡迎您光臨本站 註冊首頁

squid2.6中禁止下載exe,mpe,rar好象無效!

←手機掃碼閱讀     火星人 @ 2014-03-04 , reply:0

squid2.6中禁止下載exe,mpe,rar好象無效!

在squid2.6里添加acl badfile1 urlpath_regex -i \.mp3$\.exe$\.rar$
                          http_access deny badfile1
將squid reload后在 客戶機上還是可以下載mp3,這怎麼回事,語句是加在http_access deny all 之前的.
《解決方案》

幫個忙啊!

有時間提示下啊!
《解決方案》

大家幫忙頂下啊!

大家幫忙頂下啊!
《解決方案》

你給出的信息太少了,不過按照你這個做法,本身是沒有問題的
我個人估計是你的其他acl在這條以前起了作用,所以這個限制就無效了
仔細檢查一下你的所有acl,然後再問問題
《解決方案》

回復 #4 jinl 的帖子

基本上在squid里沒有添加什麼acl控制語句,除了
acl our_networking src 192.168.1.0/24
     http_access allow our_networking
允許客戶機上網  其他都沒動,我把
acl badfile1 urlpath_regex -i \.mp3$\.exe$\.rar$
                          http_access deny badfile1 加在它前面和後面都沒有用.我也不知道怎麼回事.下面是squid2.6的部分語句,請看看有什麼問題

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

#  TAG: acl
#        Defining an Access List
#
#        acl aclname acltype string1 ...
#        acl aclname acltype "file" ...
#
#        when using "file", the file should contain one item per line
#
#        acltype is one of the types described below
#
#        By default, regular expressions are CASE-SENSITIVE.  To make
#        them case-insensitive, use the -i option.
#
#        acl aclname src      ip-address/netmask ... (clients IP address)
#        acl aclname src      addr1-addr2/netmask ... (range of addresses)
#        acl aclname dst      ip-address/netmask ... (URL host's IP address)
#        acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#        acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#          # The arp ACL requires the special configure option --enable-arp-acl.
#          # Furthermore, the arp ACL code is not portable to all operating systems.
#          # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#          #
#          # NOTE: Squid can only determine the MAC address for clients that are on
#          # the same subnet. If the client is on a different subnet, then Squid cannot
#          # find out its MAC address.
#
#        acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#        acl aclname dstdomain   .foo.com ...    # Destination server from URL
#        acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#        acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#          # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#          # based URL is used and no match is found. The name "none" is used
#          # if the reverse lookup fails.
#
#        acl aclname time       
#            day-abbrevs:
#                S - Sunday
#                M - Monday
#                T - Tuesday
#                W - Wednesday
#                H - Thursday
#                F - Friday
#                A - Saturday
#            h1:m1 must be less than h2:m2
#        acl aclname url_regex [-i] ^http:// ...        # regex matching on whole URL
#        acl aclname urlpath_regex [-i] \.gif$ ...        # regex matching on URL path
#        acl aclname urllogin [-i] [^a-zA-Z0-9] ...        # regex matching on URL login field
#        acl aclname port     80 70 21 ...
#        acl aclname port     0-1024 ...                # ranges allowed
#        acl aclname myport   3128 ...                # (local socket TCP port)
#        acl aclname proto    HTTP FTP ...
#        acl aclname method   GET POST ...
#        acl aclname browser  [-i] regexp ...
#          # pattern match on User-Agent header (see also req_header below)
#        acl aclname referer_regex  [-i] regexp ...
#          # pattern match on Referer header
#          # Referer is highly unreliable, so use with care
#        acl aclname ident    username ...
#        acl aclname ident_regex [-i] pattern ...
#          # string match on ident output.
#          # use REQUIRED to accept any non-null ident.
#        acl aclname src_as   number ...
#        acl aclname dst_as   number ...
#          # Except for access control, AS numbers can be used for
#          # routing of requests to specific caches. Here's an
#          # example for routing all requests for AS#1241 and only
#          # those to mycache.mydomain.net:
#          # acl asexample dst_as 1241
#          # cache_peer_access mycache.mydomain.net allow asexample
#          # cache_peer_access mycache_mydomain.net deny all
#
#        acl aclname proxy_auth [-i] username ...
#        acl aclname proxy_auth_regex [-i] pattern ...
#          # list of valid usernames
#          # use REQUIRED to accept any valid username.
#          #
#          # NOTE: when a Proxy-Authentication header is sent but it is not
#          # needed during ACL checking the username is NOT logged
#          # in access.log.
#          #
#          # NOTE: proxy_auth requires a EXTERNAL authentication program
#          # to check username/password combinations (see
#          # auth_param directive).
#          #
#          # WARNING: proxy_auth can't be used in a transparent proxy. It
#          # collides with any authentication done by origin servers. It may
#          # seem like it works at first, but it doesn't.
#
#        acl aclname snmp_community string ...
#          # A community string to limit access to your SNMP Agent
#          # Example:
#          #
#          #        acl snmppublic snmp_community public
#
#        acl aclname maxconn number
#          # This will be matched when the client's IP address has
#          # more than <number> HTTP connections established.
#
#        acl aclname max_user_ip [-s] number
#          # This will be matched when the user attempts to log in from more
#          # than <number> different ip addresses. The authenticate_ip_ttl
#          # parameter controls the timeout on the ip entries.
#          # If -s is specified the limit is strict, denying browsing
#          # from any further IP addresses until the ttl has expired. Without
#          # -s Squid will just annoy the user by "randomly" denying requests.
#          # (the counter is reset each time the limit is reached and a
#          # request is denied)
#          # NOTE: in acceleration mode or where there is mesh of child proxies,
#          # clients may appear to come from multiple addresses if they are
#          # going through proxy farms, so a limit of 1 may cause user problems.
#
#        acl aclname req_mime_type mime-type1 ...
#          # regex match against the mime type of the request generated
#          # by the client. Can be used to detect file upload or some
#          # types HTTP tunneling requests.
#          # NOTE: This does NOT match the reply. You cannot use this
#          # to match the returned file type.
#
#        acl aclname req_header header-name [-i] any\.regex\.here
#          # regex match against any of the known request headers.  May be
#          # thought of as a superset of "browser", "referer" and "mime-type"
#          # ACLs.
#
#        acl aclname rep_mime_type mime-type1 ...
#          # regex match against the mime type of the reply received by
#          # squid. Can be used to detect file download or some
#          # types HTTP tunneling requests.
#          # NOTE: This has no effect in http_access rules. It only has
#          # effect in rules that affect the reply data stream such as
#          # http_reply_access.
#
#        acl aclname rep_header header-name [-i] any\.regex\.here
#          # regex match against any of the known response headers.
#          # Example:
#          #
#          # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
#
#        acl acl_name external class_name
#          # external ACL lookup via a helper class defined by the
#          # external_acl_type directive.
#
#        acl urlgroup group1 ...
#          # match against the urlgroup as indicated by redirectors
#
#        acl aclname user_cert attribute values...
#          # match against attributes in a user SSL certificate
#          # attribute is one of DN/C/O/CN/L/ST
#
#        acl aclname ca_cert attribute values...
#          # match against attributes a users issuing CA SSL certificate
#          # attribute is one of DN/C/O/CN/L/ST
#
#        acl aclname ext_user       username ...
#        acl aclname ext_user_regex [-i] pattern ...
#          # string match on username returned by external acl
#          # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443                # https
acl Safe_ports port 70                # gopher
acl Safe_ports port 210                # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280                # http-mgmt
acl Safe_ports port 488                # gss-http
acl Safe_ports port 591                # filemaker
acl Safe_ports port 777                # multiling http
acl CONNECT method CONNECT

#  TAG: follow_x_forwarded_for
#        Allowing or Denying the X-Forwarded-For header to be followed to
#        find the original source of a request.
#
#        Requests may pass through a chain of several other proxies
#        before reaching us.  The X-Forwarded-For header will contain a
#        comma-separated list of the IP addresses in the chain, with the
#        rightmost address being the most recent.
#
#        If a request reaches us from a source that is allowed by this
#        configuration item, then we consult the X-Forwarded-For header
#        to see where that host received the request from.  If the
#        X-Forwarded-For header contains multiple addresses, and if
#        acl_uses_indirect_client is on, then we continue backtracking
#        until we reach an address for which we are not allowed to
#        follow the X-Forwarded-For header, or until we reach the first
#        address in the list.  (If acl_uses_indirect_client is off, then
#        it's impossible to backtrack through more than one level of
#        X-Forwarded-For addresses.)
#
#        The end result of this process is an IP address that we will
#        refer to as the indirect client address.  This address may
#        be treated as the client address for access control, delay
#        pools and logging, depending on the acl_uses_indirect_client,
#        delay_pool_uses_indirect_client and log_uses_indirect_client
#        options.
#
#        SECURITY CONSIDERATIONS:
#
#                Any host for which we follow the X-Forwarded-For header
#                can place incorrect information in the header, and Squid
#                will use the incorrect information as if it were the
#                source address of the request.  This may enable remote
#                hosts to bypass any access control restrictions that are
#                based on the client's source addresses.
#
#        For example:
#
#                acl localhost src 127.0.0.1
#                acl my_other_proxy srcdomain .proxy.example.com
#                follow_x_forwarded_for allow localhost
#                follow_x_forwarded_for allow my_other_proxy
#
#Default:
# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in acl matching.
#
#Default:
# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in delay pools.
#
#Default:
# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client        on|off
#        Controls whether the indirect client address
#        (see follow_x_forwarded_for) is used instead of the
#        direct client address in the access log.
#
#Default:
# log_uses_indirect_client on

#  TAG: http_access
#        Allowing or Denying access based on defined access lists
#
#        Access to the HTTP port:
#        http_access allow|deny [!]aclname ...
#
#        NOTE on default values:
#
#        If there are no "access" lines present, the default is to deny
#        the request.
#
#        If none of the "access" lines cause a match, the default is the
#        opposite of the last line in the list.  If the last line was
#        deny, the default is allow.  Conversely, if the last line
#        is allow, the default will be deny.  For these reasons, it is a
#        good idea to have an "deny all" or "allow all" entry at the end
#        of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

  acl our_networking src 192.168.1.0/24
     http_access allow our_networking
   acl badfile1 urlpath_regex -i \.mp3$\.exe$\.zip$\.rar$
     http_access deny badfile1
《解決方案》

"#http_access allow our_networks

  acl our_networking src 192.168.1.0/24
     http_access allow our_networking
   acl badfile1 urlpath_regex -i \.mp3$\.exe$\.zip$\.rar$
     http_access deny badfile1"
這樣的話,判斷our_networking條件滿足后,badfile的條件就不會再 起作用了
順序換一下,應該能禁止rar mp3 exe zip的下載,當然如果有些下載是通過php轉換,url裡面沒有實際文件名稱的,這樣做 是禁止不了的
《解決方案》

回復 #6 jinl 的帖子

換過位置了,但是baidu里的歌還是可以下的
《解決方案》

回復 #6 jinl 的帖子

可以禁止了,每個被禁止的項目之間應該空一格.但是用訊雷下載還是禁止不了.
《解決方案》

迅雷下載壓根就不會走squid的,你需要做的事情
1,在防火牆上設置,禁止所有人不通過代理上網,即封閉所有埠
2,在防火牆上設置對代理伺服器解禁,只有squid這台電腦可以上網
3,所有人員上網必須全部通過squid

這樣一來什麼迅雷,快車,ftp就都不能用了
除非有特殊申請的,再單獨配置
《解決方案》

回復 #9 liuhanzhao 的帖子

收到,試試先

[火星人 ] squid2.6中禁止下載exe,mpe,rar好象無效!已經有471次圍觀

http://coctec.com/docs/service/show-post-35815.html