Re: [squid-users] Blocking mixed URLs

From: Jacob S <stormspotter@dont-contact.us>
Date: Thu, 30 Sep 2004 14:19:15 -0500

On Thu, 30 Sep 2004 15:32:42 -0300
"Christian Ricardo dos Santos" <Christian@telefutura.com.br> wrote:

> Hello,
>
> I REALLY need some help here.
>
> Nowadays we are using the ACL system to prevent user access to some
> websites.
>
> Those users can only access a limited list of sites (around 30); any
> place outside this list is blocked. I don't know how or when, but
> somebody discovered a way to cheat those ACLs.
>
> Here is what's happening:
>
> Everybody can access the site www.telefutura.com.br, but nobody can
> access the website www.uol.com.br.
>
> Now if any user types one of the three strings below, access to
> this blocked website is granted (anyway, you can only read the text of
> it, though; all the other links are broken).
>
> www.uol.com.br/telefutura.com.br
> www.uol.com.br/?telefutura.com.br
> www.uol.com.br/$telefutura.com.br
>
> What can I do to avoid it ?
>
> I already have some ACLs in place to avoid downloads and access to
> some types of files - ex: .*\.mp3($|\/?) -, but I still don't know
> how to handle those mixed URL requests.

What type of acl are you using? Since you didn't mention it, and based
on your description, I'm assuming url_regex.

In your list of allowed sites, you need to change it from reading
something like:

www.telefutura.com.br
www.another.com.br

To the following:

^www.telefutura.com.br
^www.another.com.br

The '^' character is a regex symbol that matches the beginning of the
string, in this case your url. Thus, it will block any urls that don't
contain www.telefutura.com.br at the very beginning of the string
(meaning the cheat example you mentioned won't work any more).

HTH,
Jacob
Received on Thu Sep 30 2004 - 13:18:21 MDT
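
Added example, not part of the original message and not Squid code: a Python model of the allow-list check run over the three URLs quoted in the question. It assumes the original entry was an unanchored pattern (the thread never shows the real ACL file). It also goes one step beyond the reply by including the scheme in the anchored pattern, because Squid's url_regex is tested against the whole URL, and by comparing the parsed hostname, which is the idea behind a dstdomain ACL.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: one legitimate request plus the three URLs
# quoted in the question, written as full request URLs with a scheme.
REQUESTS = [
    "http://www.telefutura.com.br/index.html",
    "http://www.uol.com.br/telefutura.com.br",
    "http://www.uol.com.br/?telefutura.com.br",
    "http://www.uol.com.br/$telefutura.com.br",
]

# Assumed original entry: unanchored, so it matches anywhere in the URL,
# including the path and the query string.
UNANCHORED = re.compile(r"telefutura\.com\.br")

# Anchored entry: scheme, escaped dots, optional port, and a delimiter after
# the host so the match ends exactly where the hostname ends.
ANCHORED = re.compile(r"^http://www\.telefutura\.com\.br(:\d+)?(/|$)")

# Host comparison: parse the URL and test only the hostname.
ALLOWED_HOSTS = {"www.telefutura.com.br"}


def allowed_unanchored(url):
    return bool(UNANCHORED.search(url))


def allowed_anchored(url):
    return bool(ANCHORED.search(url))


def allowed_by_host(url):
    host = urlsplit(url).hostname or ""
    return host in ALLOWED_HOSTS


def evaluate(urls=REQUESTS):
    """Return {url: (unanchored, anchored, by_host)} allow decisions."""
    return {u: (allowed_unanchored(u), allowed_anchored(u), allowed_by_host(u))
            for u in urls}


if __name__ == "__main__":
    for url, (loose, anchored, host) in evaluate().items():
        print(f"{url:45} unanchored={loose!s:5} anchored={anchored!s:5} host={host}")
```

Only the first request passes all three checks; the three mixed URLs pass the unanchored pattern alone.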
