
Re: Some other ideas



On Friday 19 October 2007, José L. Redrejo Rodríguez wrote:
> acl no_ie browser MSIE
> http_access deny no_ie
> #allowing windowsupdate with ie:
> acl windowsupdate dstdomain .windowsupdate.com
> acl windowsupdate dstdomain .microsoft.com
> acl windowsupdate dstdomain .public-trust.com
> acl windowsupdate dstdomain .windows.com
> acl windowsupdate dstdomain .webiqonline.com
> acl windowsupdate dstdomain 207.46.224.158
> acl windowsupdate dstdomain .msn.com
> always_direct allow windowsupdate
> http_access allow windowsupdate

Thanks José, 

following your suggestion, I am glad to report successful 
implementation. Two additional things:
- I added a dedicated error page explaining the danger of IE
  (and linking to http://www.webdevout.net/ie-is-dangerous)
- I added an allow rule for Opera:
> acl opera browser Opera
> http_access allow opera

Note that the allow rule needs to be after blacklist, otherwise Opera 
users could surf all the web. In the same turn I may suggest adding
these default rules to our default configuration:

acl schoolnet src 10.0.2.0/255.255.254.0
acl ltspnet src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80 8080
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl blacklist url_regex "/etc/squid/blacklist"
acl whitelist url_regex "/etc/squid/whitelist"
acl ltspserver00 src 10.0.2.10-10.0.2.10/255.255.255.255
acl tjener srcdomain tjener intern
acl lockedhosts src "/etc/squid/lockedhosts"
acl openhosts src "/etc/squid/openhosts"
acl no_ie browser MSIE
acl opera browser Opera

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny blacklist
http_access deny lockedhosts
http_access allow opera
http_access deny no_ie
http_access allow tjener
http_access allow schoolnet
http_access allow ltspnet
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all
cachemgr_passwd mySecret all
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid
deny_info no_ie.html no_ie

------

Some files that are used here should be delivered empty or with sample 
entries. This can help users to find a start.

Kind regards
Ralf
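
The ordering point in the message above (http_access is decided by the first matching line), as an added example that is not part of the original post or of the Debian Edu configuration. It models only a simplified subset of the posted rules; the blacklist entry, User-Agent strings and client addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed sample data; the real entries live in /etc/squid/blacklist.
BLACKLIST = [re.compile(r"games\.example")]
SCHOOLNET = ipaddress.ip_network("10.0.2.0/255.255.254.0")  # from the posted config

# Each ACL is a predicate over a request; browser/url_regex ACLs are regex matches.
ACLS = {
    "blacklist": lambda r: any(p.search(r["url"]) for p in BLACKLIST),
    "opera": lambda r: re.search("Opera", r["ua"]) is not None,
    "no_ie": lambda r: re.search("MSIE", r["ua"]) is not None,
    "schoolnet": lambda r: ipaddress.ip_address(r["src"]) in SCHOOLNET,
    "all": lambda r: True,
}

POSTED = """\
http_access deny blacklist
http_access allow opera
http_access deny no_ie
http_access allow schoolnet
http_access deny all
"""
# Same rules with "allow opera" moved above the blacklist check.
MISORDERED = """\
http_access allow opera
http_access deny blacklist
http_access deny no_ie
http_access allow schoolnet
http_access deny all
"""

def decide(conf, req):
    """First-match evaluation: the first line whose ACLs all match decides."""
    for line in conf.splitlines():
        _, action, *names = line.split()
        if all(ACLS[n](req) for n in names):
            return action
    return "deny"  # not reached here: both rule sets end in "deny all"

def request(url, ua, src="10.0.2.50"):
    return {"url": url, "ua": ua, "src": src}

OPERA = "Opera/9.24 (X11; Linux i686; U; en)"  # constructed User-Agent strings
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FIREFOX = "Mozilla/5.0 (X11; U; Linux i686) Gecko/20071008 Firefox/2.0.0.8"

if __name__ == "__main__":
    for ua in (OPERA, MSIE, FIREFOX):
        for url in ("http://games.example/", "http://www.debian.org/"):
            print(decide(POSTED, request(url, ua)), decide(MISORDERED, request(url, ua)), url)
```

In the posted order `allow opera` is also decided before any source-address rule, so a request carrying an Opera User-Agent is accepted whatever its `src`; passing a `src` outside schoolnet to `request()` shows this.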


