From: hno <> Date: Sat, 10 Feb 2001 02:35:10 +0000 (+0000) Subject: From Robert Collins: X-Git-Tag: SQUID_3_0_PRE1~1607 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c4ab8329e55f495b97ce2a3889aa38699330035d;p=thirdparty%2Fsquid.git From Robert Collins: implements a new acl type rep_mime_type, complementary to req_mime_type, and a new access list http_reply_access which allows acls to be applied to replies. The prime target is content-type filtering. One such example would be to only allow a particular set of users the ability to download tgz. (ie by combining proxy_auth and rep_mime_type). I created a new acl type rather than moving the request vs reply header field decision to the calling routine as that seems to be the approach all over the place. --- diff --git a/src/acl.cc b/src/acl.cc index 473b50cc90..287acc8a1a 100644 --- a/src/acl.cc +++ b/src/acl.cc @@ -1,6 +1,6 @@ /* - * $Id: acl.cc,v 1.246 2001/02/07 18:56:51 hno Exp $ + * $Id: acl.cc,v 1.247 2001/02/09 19:35:10 hno Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -216,6 +216,8 @@ aclStrToType(const char *s) #endif if (!strcmp(s, "req_mime_type")) return ACL_REQ_MIME_TYPE; + if (!strcmp(s, "rep_mime_type")) + return ACL_REP_MIME_TYPE; return ACL_NONE; } @@ -280,6 +282,8 @@ aclTypeToStr(squid_acl type) #endif if (type == ACL_REQ_MIME_TYPE) return "req_mime_type"; + if (type == ACL_REP_MIME_TYPE) + return "rep_mime_type"; return "ERROR"; } @@ -769,6 +773,7 @@ aclParseAclLine(acl ** head) case ACL_SRC_DOM_REGEX: case ACL_DST_DOM_REGEX: case ACL_REQ_MIME_TYPE: + case ACL_REP_MIME_TYPE: aclParseRegexList(&A->data); break; case ACL_SRC_ASN: @@ -1648,6 +1653,15 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist) header = ""; return aclMatchRegex(ae->data, header); /* NOTREACHED */ + case ACL_REP_MIME_TYPE: + if (!checklist->reply) + return 0; + header = httpHeaderGetStr(&checklist->reply->header, + HDR_CONTENT_TYPE); + if (NULL == header) + header = ""; + return aclMatchRegex(ae->data, header); + /* NOTREACHED */ case ACL_NONE: default: debug(28, 0) ("aclMatchAcl: '%s' has bad type %d\n", diff --git a/src/cf.data.pre b/src/cf.data.pre index b477dbdca6..5c562f5110 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.212 2001/01/31 22:16:38 hno Exp $ +# $Id: cf.data.pre,v 1.213 2001/02/09 19:35:10 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1855,10 +1855,20 @@ DOC_START # NOTE: This does NOT match the reply. You cannot use this # to match the returned file type. + acl rep_mime_type mime-type1 ... + # regex match against the mime type of the reply recieved by + # squid. Can be used to detect file download or some + # types HTTP tunelling requests. + # NOTE: This has no effect in http_access rules. It only has + # effect in rules that affect the reply data stream such as + # http_reply_access. + + Examples: acl myexample dst_as 1241 acl password proxy_auth REQUIRED acl fileupload req_mime_type -i ^multipart/form-data$ +acl javascript rep_mime_type -i ^application/x-javascript$ NOCOMMENT_START #Recommended minimum configuration: @@ -1921,6 +1931,34 @@ http_access deny all NOCOMMENT_END DOC_END +NAME: http_reply_access +TYPE: acl_access +LOC: Config.accessList.reply +DEFAULT: none +DEFAULT_IF_NONE: allow all +DOC_START + Allow replies to client requests. This is complementary to http_access. + + http_reply_access allow|deny [!] aclname ... + + NOTE: if there are no access lines present, the default is to allow + all replies + + If none of the access lines cause a match, then the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. + +NOCOMMENT_START +#Recommended minimum configuration: +# +# Insert your own rules here. +# +# +# and finally allow by default +http_reply_access allow all +NOCOMMENT_END +DOC_END + NAME: icp_access TYPE: acl_access diff --git a/src/client_side.cc b/src/client_side.cc index db7cf1f742..bf75c22dc1 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side.cc,v 1.524 2001/02/07 18:56:52 hno Exp $ + * $Id: client_side.cc,v 1.525 2001/02/09 19:35:11 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -1761,12 +1761,39 @@ clientSendMoreData(void *data, char *buf, ssize_t size) httpReplyDestroy(rep); return; } else if (rep) { - body_size = size - rep->hdr_sz; + aclCheck_t *ch; + int rv; + body_size = size - rep->hdr_sz; assert(body_size >= 0); body_buf = buf + rep->hdr_sz; http->range_iter.prefix_size = rep->hdr_sz; debug(33, 3) ("clientSendMoreData: Appending %d bytes after %d bytes of headers\n", body_size, rep->hdr_sz); + ch = aclChecklistCreate(Config.accessList.reply, http->request, NULL); + ch->reply = rep; + rv = aclCheckFast(Config.accessList.reply, ch); + debug(33, 2) ("The reply for %s %s is %s, because it matched '%s'\n", + RequestMethodStr[http->request->method], http->uri, + rv ? "ALLOWED" : "DENIED", + AclMatchedName ? AclMatchedName : "NO ACL's"); + if (!rv && rep->sline.status!=HTTP_FORBIDDEN) { + /* the if above is slightly broken( 403 responses from upstream + * will always be permitted, but AFAIK there is no way + * to tell if this is a squid generated error page, or one from + * upstream at this point. */ + ErrorState *err; + err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN); + err->request = requestLink(http->request); + storeUnregister(http->sc, http->entry, http); + http->sc = NULL; + storeUnlockObject(http->entry); + http->entry = clientCreateStoreEntry(http, http->request->method, + null_request_flags); + errorAppendEntry(http->entry, err); + httpReplyDestroy(rep); + return; + } + aclChecklistFree(ch); } else if (size < CLIENT_SOCK_SZ && entry->store_status == STORE_PENDING) { /* wait for more to arrive */ storeClientCopy(http->sc, entry, diff --git a/src/enums.h b/src/enums.h index 71c424cdec..bfcc6591a4 100644 --- a/src/enums.h +++ b/src/enums.h @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.184 2001/01/31 22:16:38 hno Exp $ + * $Id: enums.h,v 1.185 2001/02/09 19:35:11 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -122,6 +122,7 @@ typedef enum { ACL_NETDB_SRC_RTT, ACL_MAXCONN, ACL_REQ_MIME_TYPE, + ACL_REP_MIME_TYPE, ACL_ENUM_MAX } squid_acl; diff --git a/src/structs.h b/src/structs.h index 670b9b9372..6b6f46d272 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.380 2001/01/31 22:16:38 hno Exp $ + * $Id: structs.h,v 1.381 2001/02/09 19:35:11 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -247,6 +247,8 @@ struct _aclCheck_t { struct in_addr my_addr; unsigned short my_port; request_t *request; + /* for acls that look at reply data */ + HttpReply * reply; ConnStateData *conn; /* hack for ident and NTLM */ char rfc931[USER_IDENT_SZ]; auth_user_request_t *auth_user_request; @@ -552,6 +554,7 @@ struct _SquidConfig { acl_access *identLookup; #endif acl_access *redirector; + acl_access *reply; } accessList; acl_deny_info_list *denyInfoList; struct _authConfig {