whitegourd
August 21st, 2008, 06:53 PM
For a few days now, I thought I may have had squid working the way I wanted it to, but just recently, a user brought to my attention that he wasn't able to access "gmail.com", due to an attempt to download a blocked file extension from the denied filetype download list (acl). He would get past the login screen, but quickly gets hit with the file blocked message.
Turns out that when logging in from FF3 or IE6, we could log in just fine, but IE7 won't allow it because in the long URL there is a ".com" at the end which is really referencing the log in account, not an actual executable file extension. Why is it that FF3 and IE6 don't interpret the url as a file extension download ...? I don't know. But IE7 is seeing it as such.
denied_filetypes.acl
\.(ade)$
\.(adp)$
\.(app)$
\.(bas)$
\.(bat)$
\.(chm)$
\.(class)$
\.(cmd)$
\.(com)$
\.(cpl)$
\.(crt)$
\.(exe)$
\.(fxp)$
\.(hlp)$
\.(hta)$
\.(ins)$
\.(isp)$
\.(jse)$
\.(lnk)$
\.(mda)$
\.(mdb)$
\.(mde)$
\.(mdt)$
\.(mdw)$
\.(mdz)$
\.(msc)$
\.(mp3)$
\.(msi)$
\.(msp)$
\.(mst)$
\.(ops)$
\.(pcd)$
\.(pif)$
\.(prf)$
\.(prg)$
\.(reg)$
\.(scf)$
\.(scr)$
\.(sct)$
\.(shb)$
\.(shs)$
\.(url)$
\.(vb)$
\.(vbe)$
\.(vbs)$
\.(wsc)$
\.(wsf)$
\.(wsh)$
\.(zip)$
I had to remove the "com" from the acl list for now until I can figure out how to actually block the ".com" executables from getting downloaded.
Is there another string I could use to allow the access of gmail and yet fend off users that attempt to download .com files at the same time? I'm out of ideas at the moment.
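Why the `\.(com)$` entry fires on the webmail login, shown as an added example that is not part of the original post: it compares the listed pattern with a path-anchored alternative on constructed URLs. Assumptions: the patterns are tested against the path plus query string (as Squid's `urlpath_regex` does; the post does not say which ACL type loads the file), and `PATH_ANCHORED` and the sample URLs are illustrative, not from the post.

```python
import re
from urllib.parse import urlsplit

# Entry exactly as listed in the post's denied_filetypes.acl.
ORIGINAL = re.compile(r"\.(com)$")
# Assumed alternative (not from the post): the extension must end the path,
# before any '?', and an optional query string may follow it.
PATH_ANCHORED = re.compile(r"^[^?]*\.(com)(\?.*)?$")

# Constructed sample URLs; the real webmail URL is not shown in the post.
LOGIN = "http://mail.example.test/mail/?ui=2&account=user@example.com"
DOWNLOAD = "http://files.example.test/tools/format.com"
DOWNLOAD_QS = "http://files.example.test/tools/format.com?dl=1"
HARMLESS = "http://www.example.com/docs/readme.txt"
SAMPLES = [LOGIN, DOWNLOAD, DOWNLOAD_QS, HARMLESS]


def path_and_query(url):
    """Return the part of the URL after the host: path plus query string."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def blocked(pattern, url):
    """True if the pattern matches the path-and-query portion of the URL."""
    return pattern.search(path_and_query(url)) is not None


def compare():
    """Map each sample URL to (original verdict, path-anchored verdict)."""
    return {u: (blocked(ORIGINAL, u), blocked(PATH_ANCHORED, u)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"original={old!s:5} anchored={new!s:5} {url}")
```

The listed pattern blocks the login URL because its query string ends in ".com", and it misses a `.com` download that carries a query string; the anchored form reverses both outcomes. Extension matching only sees the URL, so a file served under a different name passes either pattern.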