[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Some other ideas

Am Freitag 19 Oktober 2007 schrieb José L. Redrejo Rodríguez:
> acl no_ie browser MSIE
> http_access deny no_ie
> #allowing windowsupdate with ie:
> acl windowsupdate dstdomain .windowsupdate.com
> acl windowsupdate dstdomain .microsoft.com
> acl windowsupdate dstdomain .public-trust.com
> acl windowsupdate dstdomain .windows.com
> acl windowsupdate dstdomain .webiqonline.com
> acl windowsupdate dstdomain
> acl windowsupdate dstdomain .msn.com
> always_direct allow windowsupdate
> http_access allow windowsupdate

Thanks José, 

following your suggestion, I am glad to report successful 
implementation. Two additional things:
- I added a dedicated error page explaining the danger of IE
  (and linking to http://www.webdevout.net/ie-is-dangerous)
- I added a allow rule for opera:
> acl opera browser Opera
> http_access allow opera

Note, that the allow rule needs to be after blacklist, otherwise Opera 
users could surf all the web. In the same turn I may suggest adding
this default rules to our default configuration:

acl schoolnet src
acl ltspnet src
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl SSL_ports port 873
acl Safe_ports port 80,8080
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 631
acl Safe_ports port 873
acl Safe_ports port 901
acl purge method PURGE
acl blacklist url_regex "/etc/squid/blacklist"
acl whitelist url_regex "/etc/squid/whitelist"
acl ltspserver00 src
acl tjener srcdomain tjener intern
acl lockedhosts src "/etc/squid/lockedhosts"
acl openhosts src "7etc/squid/openhosts"
acl no_ie browser MSIE
acl opera browser Opera

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access deny blacklist
http_access deny lockedhosts
http_access allow opera
http_access deny no_ie
http_access allow tjener
http_access allow schoolnet
http_access allow ltspnet
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all
cachemgr_passwd mySecret all
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid
deny_info no_ie.html no_ie


some files that are used here should be delivered empty or with sample 
entries. This can help users to find a start.

Kind regards

Reply to: