Squid ACL (block all but exclude one or more sites)

[Sylhouette]

Hello all.

I like to block all streaming data from the internet. So I came up with the following:

acl manager proto cache_object
acl webserver src 127.0.0.1/255.255.255.255
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src "/usr/local/etc/squid/localnet"

# ACL for Radio / Video Stream -----------------------------------------------
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

acl fails rep_mime_type ^.*mms.*
acl fails rep_mime_type ^.*ms-hdr.*
acl fails rep_mime_type ^.*x-fcs.*
acl fails rep_mime_type ^.*x-ms-asf.*

acl fails2 urlpath_regex dvrplayer mediastream mms://
acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$

acl x-type req_mime_type -i ^application/octet-stream$
acl x-type req_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i ^application/octet-stream$
acl x-type2 rep_mime_type -i application/octet-stream

#acl x-type req_mime_type -i ^application/x-mplayer2$
#acl x-type req_mime_type -i application/x-mplayer2
#acl x-type2 rep_mime_type -i ^application/x-mplayer2$
#acl x-type2 rep_mime_type -i application/x-mplayer2

#acl x-type req_mime_type -i ^application/x-oleobject$
#acl x-type req_mime_type -i application/x-oleobject
#acl x-type2 rep_mime_type -i ^application/x-oleobject$
#acl x-type2 rep_mime_type -i application/x-oleobject

#acl x-type req_mime_type -i application/x-pncmd
#acl x-type req_mime_type -i ^video/x-ms-asf$
#acl x-type2 rep_mime_type -i application/x-pncmd
#acl x-type2 rep_mime_type -i ^video/x-ms-asf$

acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$


# Rules to block Radio / Video Stream ----------------------------------------
http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all

http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all

http_access deny fails
http_reply_access deny fails

http_access deny fails2
http_reply_access deny fails2

http_access deny x-type
http_reply_access deny x-type
http_access deny x-type2
http_reply_access deny x-type2

#http_reply_access deny deny_rep_mime_flashvideo
#http_reply_access deny deny_rep_mime_shockwave

# Rules to block Radio / Video Stream ----------------------------------------

This works really well, all streaming media is blocked. But now I came across a program that connects through the proxy and you'll guess it, it uses streaming. In the logs I found it to be application/octet-stream. So how can I add an ACL to allow streaming to that one site and still block the rest?

Thanks for your time reading on this.

regards,
Johan

 

[DutchDaemon]

Make a 'dst' ACL, with the IP address of that site as the address, and allow traffic to it before the other ACLs kick in, basically.

Something like:

acl to_goodsite dst 123.123.123.123/32

http_access allow to_goodsite

[rest]

 

[Sylhouette]

Thanks that was it.

I did the following:

acl to_goodsite dst "/usr/local/etc/squid/to_goodsite"
http_access allow to_goodsite

This way I just edit the file /usr/local/etc/squid/to_goodsite and restart squid.

Thanks for the pointer.

regards (Groetjes)
Johan

 

[DutchDaemon]

Restarting may be a bit harsh, use [cmd=]squid -k reconfigure[/cmd]