Remove blocking for subdomains too

The Mime filtering feature allows you to filter content based on its Mime type

Remove blocking for subdomains too

Postby MD5Hash » Tue Feb 24, 2009 7:58 pm

For example, if I want to make sure that nytimes.com and ALL of its subdomains are able to use flash videos, I put in the block rule for (nytimes\.com) into the system, but that doesn't seem to be working now for video.nytimes\.com as well. Do I have create separate profiles for every one, or can I say something like

(*\.nytimes\.com)

will this work? (i'm not at the office now so I can't try it myself, but I was wondering if anyone had an answer for me).

Thanks!
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Re: Remove blocking for subdomains too

Postby satish7619 » Tue Feb 24, 2009 8:12 pm

Hello,

Do you want to block nytimes.com But allow subdomain video.on.nytimes.com for your users ?
satish7619
 
Posts: 1146
Joined: Thu Apr 15, 2004 3:55 pm
Location: India

Re: Remove blocking for subdomains too

Postby MD5Hash » Tue Feb 24, 2009 9:22 pm

Ah, my apologies let me clarify - I want to make sure that everything for a site will work, including the top level domain for it. video.nytimes.com tech.nytimes.com - etc etc.

although, since you mention it, it might be nice to know as well if you can allow MIMEtype access for a subdomain, BUT block it for the parent domain. :)
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Postby sachin » Wed Feb 25, 2009 10:44 am

While creating a profile, when you specify the top level domain, the profile will always apply to sub domains.

For example, when you say -

Host: (nytimes\.com|yahoo\.com)
Added profile: Allowed-Site

then the profile 'Allowed-Site' is applied to nytimes.com, yahoo.com and all their sub domains like video.nytimes.com, tech.nytimes.com, mail.yahoo.com, etc.

You can again put in another rule to remove the profile 'Allowed-Site' from the parent domain, like this -

Host: ^(nytimes\.com|www\.nytimes\.com|yahoo\.com|www\.yahoo\.com)
Removed profile: Allowed-Site

It is always recommended to create a profile in the Profiles section, and then use that profile in any filtering section, like Mime filter, and take action on it.

If you would like to test, or play around, with regular expressions, visit http://www.myregexp.com/
sachin
 

Re: Remove blocking for subdomains too

Postby MD5Hash » Thu Mar 26, 2009 2:37 pm

The subdomain issue has been corrected now, but there's a much more detailed scenario that I have a question about.

Basically, I have 2 computers in our admin office that I want to remove all flash blocking from. But I want this removal to be transparent to the users, I don't want them to have to log in whenever they open a browser window.

I have already signed them the static addresses of 192.168.1.122 and .123. Now, where and how in the safesquid console can I somehow make it so that those addresses receive full access, while everything else is blocked? I apologize if I'm missing something simple here, but I just cannot figure this out!
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Postby sachin » Thu Mar 26, 2009 3:31 pm

The solution is very simple. Create IP based rules for these users in Access Restrictions. If you would like these users to bypass all, or specific filters, select the filters in the 'Bypass' sub-section of the rule (except maybe 'Antivirus')

IP Address: 192.168.1.122,192.168.1.123
Access: proxy,http,transparent,connect,bypass,urlcommand
Bypass: url-filtering,header-filtering,mime-filtering,redirect,cookies-filtering,rewrite,external,forward,ke
ywords-filtering,dnsbl,limits,icap,urlblacklist
Added profiles: Full-Access

Just remember that if the other rules in Access restrictions are not IP based, then keep this rule on top of all other rules.
Since this rule does not have any entry for User name & Password, and will be the first rule to match these users (IP Address), they will be allowed access without authentication. And since you have bypassed them from all filters, they will not be blocked due to any rules.
sachin
 

Re: Remove blocking for subdomains too

Postby MD5Hash » Sun Mar 29, 2009 3:37 pm

I tested it out and it doesn't seem to be working. I restarted safesquid, still no change. What is this "full-access" profile that you mention at the bottom of things to type in...I don't already have a profile named "full-access" do I need to make one of those first?
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Postby sachin » Sun Mar 29, 2009 10:00 pm

Can you please attach your config.xml file?

By specifying an entry in the 'Added Profiles' field in Access Restrictions, you create a new profile.
Profile that are added to users here, can then be used in other sections, to specifically allow / deny permission to access content to the users, based on their profile.
This has been explained in detail with example in the article -Profiled Internet Access.
sachin
 

Re: Remove blocking for subdomains too

Postby MD5Hash » Mon Mar 30, 2009 7:58 pm

okay, here is the config.xml file. i set the two addresses to be "let through" as 192.168.1.13 (my own) and my colleague Khalil's. I tried to follow all the instructions, but for some reason it's not working.

I understand now what you meant about it "automatically creating" a new profile for future use, and I think I have one that was already named "full-access" but I'm not sure that i have it sorted in the right way.
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Postby sachin » Mon Mar 30, 2009 8:11 pm

Ah! You have your Default Policy in Access Restriction set to 'Allow'.
This will completely bypass the Allow Sub-Section, and give direct access to users.
Change it to 'Deny' and the rules in the Allow subsection will be applied.
The rules that you have specified are correct.
sachin
 

Re: Remove blocking for subdomains too

Postby MD5Hash » Tue Mar 31, 2009 6:08 pm

okay, here is the config.xml file. i set the two addresses to be "let through" as 192.168.1.13 (my own) and my colleague Khalil's. I tried to follow all the instructions, but for some reason it's not working.

I understand now what you meant about it "automatically creating" a new profile for future use, and I think I have one that was already named "full-access" but I'm not sure that i have it sorted in the right way.
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Postby sachin » Tue Mar 31, 2009 6:13 pm

I already answered that yesterday :roll:
sachin
 

Re: Remove blocking for subdomains too

Postby MD5Hash » Tue Mar 31, 2009 6:32 pm

Whoops, I hit the refresh button on the page and for some reason it resubmit my previous entry! How odd. Yeah, I had tried changing that before but then it locked me out of the admin panel! I realized then it was because I had the "admin access" only given to 192.168.1.66 - the server's address, but it didn't like that for some reason, so I just gave it 127.0.0.1 and now everything seems to be working fine.

Thanks so much!
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm

Re: Remove blocking for subdomains too

Postby MD5Hash » Tue Mar 31, 2009 6:34 pm

Whoops, I hit the refresh button on the page and for some reason it resubmit my previous entry! How odd. Yeah, I had tried changing that before but then it locked me out of the admin panel! I realized then it was because I had the "admin access" only given to 192.168.1.66 - the server's address, but it didn't like that for some reason, so I just gave it 127.0.0.1 and now everything seems to be working fine.

Thanks so much!
MD5Hash
 
Posts: 42
Joined: Tue Dec 16, 2008 8:55 pm


Return to Mime Filtering

Who is online

Users browsing this forum: No registered users and 1 guest

cron