/*
- * $Id: acl.cc,v 1.246 2001/02/07 18:56:51 hno Exp $
+ * $Id: acl.cc,v 1.247 2001/02/09 19:35:10 hno Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
#endif
if (!strcmp(s, "req_mime_type"))
return ACL_REQ_MIME_TYPE;
+ if (!strcmp(s, "rep_mime_type"))
+ return ACL_REP_MIME_TYPE;
return ACL_NONE;
}
#endif
if (type == ACL_REQ_MIME_TYPE)
return "req_mime_type";
+ if (type == ACL_REP_MIME_TYPE)
+ return "rep_mime_type";
return "ERROR";
}
case ACL_SRC_DOM_REGEX:
case ACL_DST_DOM_REGEX:
case ACL_REQ_MIME_TYPE:
+ case ACL_REP_MIME_TYPE:
aclParseRegexList(&A->data);
break;
case ACL_SRC_ASN:
header = "";
return aclMatchRegex(ae->data, header);
/* NOTREACHED */
+ case ACL_REP_MIME_TYPE:
+ if (!checklist->reply)
+ return 0;
+ header = httpHeaderGetStr(&checklist->reply->header,
+ HDR_CONTENT_TYPE);
+ if (NULL == header)
+ header = "";
+ return aclMatchRegex(ae->data, header);
+ /* NOTREACHED */
case ACL_NONE:
default:
debug(28, 0) ("aclMatchAcl: '%s' has bad type %d\n",
#
-# $Id: cf.data.pre,v 1.212 2001/01/31 22:16:38 hno Exp $
+# $Id: cf.data.pre,v 1.213 2001/02/09 19:35:10 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
# NOTE: This does NOT match the reply. You cannot use this
# to match the returned file type.
+ acl rep_mime_type mime-type1 ...
+ # regex match against the mime type of the reply recieved by
+ # squid. Can be used to detect file download or some
+ # types HTTP tunelling requests.
+ # NOTE: This has no effect in http_access rules. It only has
+ # effect in rules that affect the reply data stream such as
+ # http_reply_access.
+
+
Examples:
acl myexample dst_as 1241
acl password proxy_auth REQUIRED
acl fileupload req_mime_type -i ^multipart/form-data$
+acl javascript rep_mime_type -i ^application/x-javascript$
NOCOMMENT_START
#Recommended minimum configuration:
NOCOMMENT_END
DOC_END
+NAME: http_reply_access
+TYPE: acl_access
+LOC: Config.accessList.reply
+DEFAULT: none
+DEFAULT_IF_NONE: allow all
+DOC_START
+ Allow replies to client requests. This is complementary to http_access.
+
+ http_reply_access allow|deny [!] aclname ...
+
+ NOTE: if there are no access lines present, the default is to allow
+ all replies
+
+ If none of the access lines cause a match, then the opposite of the
+ last line will apply. Thus it is good practice to end the rules
+ with an "allow all" or "deny all" entry.
+
+NOCOMMENT_START
+#Recommended minimum configuration:
+#
+# Insert your own rules here.
+#
+#
+# and finally allow by default
+http_reply_access allow all
+NOCOMMENT_END
+DOC_END
+
NAME: icp_access
TYPE: acl_access
/*
- * $Id: client_side.cc,v 1.524 2001/02/07 18:56:52 hno Exp $
+ * $Id: client_side.cc,v 1.525 2001/02/09 19:35:11 hno Exp $
*
* DEBUG: section 33 Client-side Routines
* AUTHOR: Duane Wessels
httpReplyDestroy(rep);
return;
} else if (rep) {
- body_size = size - rep->hdr_sz;
+ aclCheck_t *ch;
+ int rv;
+ body_size = size - rep->hdr_sz;
assert(body_size >= 0);
body_buf = buf + rep->hdr_sz;
http->range_iter.prefix_size = rep->hdr_sz;
debug(33, 3) ("clientSendMoreData: Appending %d bytes after %d bytes of headers\n",
body_size, rep->hdr_sz);
+ ch = aclChecklistCreate(Config.accessList.reply, http->request, NULL);
+ ch->reply = rep;
+ rv = aclCheckFast(Config.accessList.reply, ch);
+ debug(33, 2) ("The reply for %s %s is %s, because it matched '%s'\n",
+ RequestMethodStr[http->request->method], http->uri,
+ rv ? "ALLOWED" : "DENIED",
+ AclMatchedName ? AclMatchedName : "NO ACL's");
+ if (!rv && rep->sline.status!=HTTP_FORBIDDEN) {
+ /* the if above is slightly broken( 403 responses from upstream
+ * will always be permitted, but AFAIK there is no way
+ * to tell if this is a squid generated error page, or one from
+ * upstream at this point. */
+ ErrorState *err;
+ err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN);
+ err->request = requestLink(http->request);
+ storeUnregister(http->sc, http->entry, http);
+ http->sc = NULL;
+ storeUnlockObject(http->entry);
+ http->entry = clientCreateStoreEntry(http, http->request->method,
+ null_request_flags);
+ errorAppendEntry(http->entry, err);
+ httpReplyDestroy(rep);
+ return;
+ }
+ aclChecklistFree(ch);
} else if (size < CLIENT_SOCK_SZ && entry->store_status == STORE_PENDING) {
/* wait for more to arrive */
storeClientCopy(http->sc, entry,
/*
- * $Id: enums.h,v 1.184 2001/01/31 22:16:38 hno Exp $
+ * $Id: enums.h,v 1.185 2001/02/09 19:35:11 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
ACL_NETDB_SRC_RTT,
ACL_MAXCONN,
ACL_REQ_MIME_TYPE,
+ ACL_REP_MIME_TYPE,
ACL_ENUM_MAX
} squid_acl;
/*
- * $Id: structs.h,v 1.380 2001/01/31 22:16:38 hno Exp $
+ * $Id: structs.h,v 1.381 2001/02/09 19:35:11 hno Exp $
*
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
struct in_addr my_addr;
unsigned short my_port;
request_t *request;
+ /* for acls that look at reply data */
+ HttpReply * reply;
ConnStateData *conn; /* hack for ident and NTLM */
char rfc931[USER_IDENT_SZ];
auth_user_request_t *auth_user_request;
acl_access *identLookup;
#endif
acl_access *redirector;
+ acl_access *reply;
} accessList;
acl_deny_info_list *denyInfoList;
struct _authConfig {