
Re: Some other ideas



RalfGesellensetter wrote:
> On Friday 19 October 2007, José L. Redrejo Rodríguez wrote:
>   
>> acl no_ie browser MSIE
>> http_access deny no_ie
>> #allowing windowsupdate with ie:
>> acl windowsupdate dstdomain .windowsupdate.com
>> acl windowsupdate dstdomain .microsoft.com
>> acl windowsupdate dstdomain .public-trust.com
>> acl windowsupdate dstdomain .windows.com
>> acl windowsupdate dstdomain .webiqonline.com
>> acl windowsupdate dstdomain 207.46.224.158
>> acl windowsupdate dstdomain .msn.com
>> always_direct allow windowsupdate
>> http_access allow windowsupdate
>>     
>
> Thanks José, 
>
> Following your suggestion, I am glad to report successful 
> implementation. Two additional things:
> - I added a dedicated error page explaining the danger of IE
>   (and linking to http://www.webdevout.net/ie-is-dangerous)
> - I added an allow rule for Opera:
>   
>> acl opera browser Opera
>> http_access allow opera
>>     
>
> Note that the allow rule needs to be after the blacklist, otherwise Opera 
> users could surf all the web. In the same turn I may suggest adding
> these default rules to our default configuration:
>
> acl schoolnet src 10.0.2.0/255.255.254.0
> acl ltspnet src 192.168.0.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl SSL_ports port 873
> acl Safe_ports port 80,8080
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl Safe_ports port 631
> acl Safe_ports port 873
> acl Safe_ports port 901
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl blacklist url_regex "/etc/squid/blacklist"
> acl whitelist url_regex "/etc/squid/whitelist"
> acl ltspserver00 src 10.0.2.10-10.0.2.10/255.255.255.255
> acl tjener srcdomain tjener intern
> acl lockedhosts src "/etc/squid/lockedhosts"
> acl openhosts src "/etc/squid/openhosts"
> acl no_ie browser MSIE
> acl opera browser Opera
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow whitelist
> http_access deny blacklist
> http_access deny lockedhosts
> http_access allow opera
> http_access deny no_ie
> http_access allow tjener
> http_access allow schoolnet
> http_access allow ltspnet
> http_access allow localhost
> http_access deny all
>
> http_reply_access allow all
> icp_access allow all
> cachemgr_passwd mySecret all
> error_directory /usr/share/squid/errors/English
> coredump_dir /var/spool/squid
> deny_info no_ie.html no_ie
>
> ------
>
> Some files that are used here should be delivered empty or with sample 
> entries. This can help users to find a start.
>
> Kind regards
> Ralf
>
>   
What method do you use to enforce IE using the proxy? Proxy autoconfig?
Transparent proxy? Manually/automated configuring the clients?

Ronny
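
The rule-ordering point in the quoted message, as an added example that is not part of the original thread: Squid checks `http_access` lines top to bottom and the first line whose ACLs all match decides the request. The small evaluator below models only a subset of the quoted ACLs; the blacklist pattern, URLs, user-agent strings and function names are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample pattern: the thread does not show /etc/squid/blacklist.
BLACKLIST = [r"games\.example"]

# ACL name -> predicate over a request dict (subset of the quoted config).
ACLS = {
    "blacklist": lambda r: any(re.search(p, r["url"]) for p in BLACKLIST),
    "opera":     lambda r: re.search("Opera", r["ua"]) is not None,
    "no_ie":     lambda r: re.search("MSIE", r["ua"]) is not None,
    "schoolnet": lambda r: ip_address(r["src"]) in ip_network("10.0.2.0/255.255.254.0"),
    "all":       lambda r: True,
}

def parse(rules):
    """Turn 'http_access allow a !b' lines into (action, [(acl, negated)])."""
    out = []
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        out.append((action, [(n.lstrip("!"), n.startswith("!")) for n in names]))
    return out

def decide(rules, request):
    """Return (action, index of deciding line); ACLs on one line are ANDed."""
    for i, (action, terms) in enumerate(parse(rules)):
        if all(ACLS[name](request) != negated for name, negated in terms):
            return action, i
    return "deny", None  # assumption for this model: nothing matched means deny

# Order as posted: blacklist is checked before the Opera allow rule.
POSTED = """
http_access deny blacklist
http_access allow opera
http_access deny no_ie
http_access allow schoolnet
http_access deny all
"""
# Same lines with 'allow opera' moved above the blacklist check.
REORDERED = """
http_access allow opera
http_access deny blacklist
http_access deny no_ie
http_access allow schoolnet
http_access deny all
"""

def sample(url, ua, src="10.0.2.55"):
    return {"url": url, "ua": ua, "src": src}
```

In this model `http_access allow opera` also decides requests whose source is outside `schoolnet`, because it matches before any source ACL is consulted. Since ACL names on one line are ANDed, `http_access allow opera schoolnet` would limit that rule to the school network.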
