
Using Squid Proxy to Block Multimedia Streaming

Multimedia streaming is often unwelcome on an office network: a handful of streams can eat most of the available bandwidth and slow everything else down. Squid's access controls can block it by matching on the Content-Type of the server's reply (rep_mime_type) and on file extensions in the URL path (urlpath_regex). Below is the configuration I used; the ACL definitions go in the acl section of squid.conf and the deny lines in the http_access / http_reply_access section, above the general allow rule for your clients.

In /etc/squid/squid.conf:

<—–snipped—–>
# streaming download
#
# rep_mime_type ACLs test the Content-Type of the server's reply, so they are
# only meaningful in http_reply_access. Referenced from http_access there is
# no reply yet: Squid logs "ACL is used but there is no HTTP reply -- not
# matching" and the line never fires. MIME types are case-insensitive, hence -i.
acl fails rep_mime_type -i mms
acl fails rep_mime_type -i ms-hdr
acl fails rep_mime_type -i x-fcs
acl fails rep_mime_type -i x-ms-asf
# urlpath_regex sees only the path part of the URL, so a scheme such as
# "mms://" can never match here (and Squid, an HTTP proxy, does not carry
# MMS at all). Keep the path fragments and the file extensions.
acl fails2 urlpath_regex -i dvrplayer mediastream
acl fails2 urlpath_regex -i \.asf$ \.afx$ \.flv$ \.swf$
# Flash video is served as video/x-flv as well as video/flv; match both.
acl deny_rep_mime_flashvideo rep_mime_type -i video/(x-)?flv
acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
# req_mime_type tests the Content-Type the CLIENT sends, which only exists on
# uploads (POST/PUT); for a plain GET it is empty and x-type never matches.
# x-type2 runs the same list against the reply and is what actually blocks.
# The anchored ^...$ variants were redundant with the unanchored patterns
# (which also catch "type; parameter" values) and have been dropped.
# application/octet-stream is the generic type for any binary download,
# including software updates (Windows Update breaks, see the comments below);
# whitelist such sites with a dstdomain ACL allowed above the deny lines.
acl x-type req_mime_type -i application/octet-stream
acl x-type req_mime_type -i application/x-mplayer2
acl x-type req_mime_type -i application/x-oleobject
acl x-type req_mime_type -i application/x-pncmd
acl x-type req_mime_type -i ^video/x-ms-asf$
acl x-type2 rep_mime_type -i application/octet-stream
acl x-type2 rep_mime_type -i application/x-mplayer2
acl x-type2 rep_mime_type -i application/x-oleobject
acl x-type2 rep_mime_type -i application/x-pncmd
acl x-type2 rep_mime_type -i ^video/x-ms-asf$
<—–snipped—–>
# streaming files
# Squid stops at the first matching line, so these deny lines must sit ABOVE
# the general "http_access allow localnet" (or similar) rule; an allow that
# comes first wins and the filter is never consulted. Site exceptions go
# above them as "http_access allow <acl>" / "http_reply_access allow <acl>".
http_access deny fails2
http_access deny x-type
http_reply_access deny fails
http_reply_access deny fails2
http_reply_access deny deny_rep_mime_flashvideo
http_reply_access deny deny_rep_mime_shockwave
http_reply_access deny x-type2
<—–snipped—–>

And of course, the filter only sees traffic that actually passes through Squid: you have to force your users onto the proxy, for example by blocking direct outbound HTTP at the firewall or by intercepting it. Keep in mind that content fetched over HTTPS arrives inside a CONNECT tunnel, where these MIME-type and path ACLs cannot see it.
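The two things the comment thread below keeps running into, rule order and the request/reply split, are easier to see on a model than on a live proxy. The following Python is an added example, not code from the original post or from the Squid project: it implements just enough of Squid's access-list evaluation (the ACLs on one line are ANDed, the first matching line wins, no match yields the opposite of the last line's action) for the ACL types used above, and runs two constructed rule orderings against made-up clients and hosts (192.168.0.0/24, www.example.com, video.youtube.com).

```python
"""Miniature model of Squid's http_access / http_reply_access evaluation (added example, not
code from the original post or from Squid). Only the ACL types the post uses are modelled,
with Squid's documented semantics: the ACLs on one line are ANDed, lines are tried top to
bottom, the first match decides, and no match means the opposite of the last line's action."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Request:
    client_ip: str
    host: str
    path: str
    req_mime: str = ""              # Content-Type sent BY the client (uploads only)
    rep_mime: Optional[str] = None  # Content-Type of the reply; None until it arrives

@dataclass
class Acl:
    kind: str
    values: List[str]
    nocase: bool = False

    def matches(self, r: Request, name: str, warnings: List[str]) -> bool:
        if self.kind == "src":
            ip = ipaddress.ip_address(r.client_ip)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in self.values)
        if self.kind == "dstdomain":  # ".x.com" = domain + all subdomains; "www.x.com" = exact
            h = r.host.lower()
            return any((h == v[1:] or h.endswith(v)) if v.startswith(".") else h == v
                       for v in (x.lower() for x in self.values))
        if self.kind == "rep_mime_type" and r.rep_mime is None:  # tested from http_access
            warnings.append(f"'{name}' ACL is used but there is no HTTP reply -- not matching")
            return False
        subject = {"rep_mime_type": r.rep_mime, "req_mime_type": r.req_mime,
                   "urlpath_regex": r.path}[self.kind]  # KeyError: ACL type not modelled here
        return any(re.search(v, subject, re.IGNORECASE if self.nocase else 0) for v in self.values)

def parse(text: str) -> dict:
    """Return {"acls": {name: Acl}, "http_access": [rules], "http_reply_access": [rules]}."""
    cfg = {"acls": {}, "http_access": [], "http_reply_access": []}
    for tok in (line.split("#", 1)[0].split() for line in text.splitlines()):
        if tok and tok[0] == "acl":
            name, kind, rest = tok[1], tok[2], tok[3:]
            nocase = bool(rest) and rest[0] == "-i"
            acl = cfg["acls"].setdefault(name, Acl(kind, [], nocase))
            acl.values.extend(rest[1:] if nocase else rest)  # repeated acl name = OR of values
        elif tok and tok[0] in ("http_access", "http_reply_access"):
            cfg[tok[0]].append((tok[1], tok[2:]))  # (action, [acl names; a "!" prefix negates])
    return cfg

def evaluate(rules, acls, r: Request, warnings: List[str], empty_default: str):
    """First matching line wins -> (action, index); no match -> opposite of the last line."""
    for idx, (action, names) in enumerate(rules):
        if all(acls[n.lstrip("!")].matches(r, n.lstrip("!"), warnings) != n.startswith("!")
               for n in names):
            return action, idx
    return (empty_default if not rules else "deny" if rules[-1][0] == "allow" else "allow"), None

def decide(cfg: dict, r: Request) -> Tuple[str, str, List[str]]:
    """Request through http_access; if allowed and a reply exists, reply through http_reply_access."""
    warnings: List[str] = []
    pending = Request(r.client_ip, r.host, r.path, r.req_mime, None)  # reply not fetched yet
    req_verdict, _ = evaluate(cfg["http_access"], cfg["acls"], pending, warnings, "deny")
    if req_verdict == "deny" or r.rep_mime is None:
        return req_verdict, "n/a", warnings
    rep_verdict, _ = evaluate(cfg["http_reply_access"], cfg["acls"], r, warnings, "allow")
    return req_verdict, rep_verdict, warnings

# Constructed fragments modelled on the post's rules; addresses and hosts are made up.
ACLS = r"""
acl all src 0.0.0.0/0
acl localnet src 192.168.0.0/24
acl allowstream dstdomain .youtube.com
acl fails rep_mime_type -i x-ms-asf
acl fails2 urlpath_regex -i \.asf$ \.flv$ \.swf$
acl flash rep_mime_type -i ^application/x-shockwave-flash$
"""
# Order seen in the comment thread: "allow localnet" comes first, so for internal clients
# the deny lines below it are never reached; only the reply-phase filter still bites.
ALLOW_FIRST = ACLS + """
http_access allow localnet
http_access deny fails2
http_access deny fails
http_access deny all
http_reply_access deny flash
"""
# Whitelist first, then the deny lines, then the general allow.
DENY_FIRST = ACLS + """
http_access allow allowstream
http_access deny fails2
http_access allow localnet
http_access deny all
http_reply_access allow allowstream
http_reply_access deny flash
"""
```

With ALLOW_FIRST a client in localnet has its .swf request allowed by http_access, because the allow line is reached first; the reply filter still denies it once the Content-Type is seen. With DENY_FIRST the request is refused up front, while anything under .youtube.com is whitelisted in both phases. A rep_mime_type ACL referenced from http_access produces the same "no HTTP reply" warning that appears in the cache.log excerpt further down the thread, and the exact-host form of dstdomain (without the leading dot) does not cover subdomains.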

  1. aaron
    19/09/2007 at 2:43 am

    I followed this and it worked well. I have one problem: one of the people on my satellite needs to access a certain website called aplia.com for college tests with Adobe Flash. With the config above he cannot access anything on the site. I tried to somehow make an exception for this site but have no idea how it would look. Here is a sample of my file now; if you could please help me to allow his site I would be very grateful. I currently have it doing it by time of day and not showing the error screens, I think.

    #Recommended minimum configuration:
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 10.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    #acl BlockExt url_regex -i \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
    acl time_acl time S M T W H F A 15:00-19:00
    acl fails rep_mime_type ^.*mms.*
    acl fails rep_mime_type ^.*ms-hdr.*
    acl fails rep_mime_type ^.*x-fcs.*
    acl fails rep_mime_type ^.*x-ms-asf.*
    acl fails2 urlpath_regex dvrplayer mediastream mms://
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$

    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$

    acl x-type req_mime_type -i ^application/octet-stream$
    acl x-type req_mime_type -i application/octet-stream
    acl x-type req_mime_type -i ^application/x-mplayer2$
    acl x-type req_mime_type -i application/x-mplayer2
    acl x-type req_mime_type -i ^application/x-oleobject$
    acl x-type req_mime_type -i application/x-oleobject
    acl x-type req_mime_type -i application/x-pncmd
    acl x-type req_mime_type -i ^video/x-ms-asf$
    acl x-type2 rep_mime_type -i ^application/octet-stream$
    acl x-type2 rep_mime_type -i application/octet-stream
    acl x-type2 rep_mime_type -i ^application/x-mplayer2$
    acl x-type2 rep_mime_type -i application/x-mplayer2
    acl x-type2 rep_mime_type -i ^application/x-oleobject$
    acl x-type2 rep_mime_type -i application/x-oleobject
    acl x-type2 rep_mime_type -i application/x-pncmd
    acl x-type2 rep_mime_type -i ^video/x-ms-asf$

    http_access deny fails time_acl
    #http_reply_access deny fails
    http_access deny fails2 time_acl
    #http_reply_access deny fails2
    http_access deny x-type time_acl
    #http_reply_access deny x-type
    http_access deny x-type2 time_acl
    #http_reply_access deny x-type2
    #http_access deny BlockExt time_acl

  2. fadli
    19/09/2007 at 5:24 am

    Hi aaron, I think I can solve your problem. You can follow this:

    1. define an ACL for the domain
    acl testme dstdomain aplia.com

    2. We must declare the allow rule for the ACL BEFORE we block any *.swf files
    http_access allow fails2 testme
    http_access deny fails2 time_acl

    3. Reload the server
    /etc/init.d/squid reload

    Please notice that we have already defined the ACL for *.swf in this line:
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$

    Cheers!!!

  3. aaron
    19/09/2007 at 10:41 am

    Thank you very much,

    I’ll try this today but wondered if I needed to make exceptions for this also,

    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$

  4. aaron
    19/09/2007 at 12:06 pm

    Sorry about so many replies,

    I forgot that in the above example I had taken out the following examples. I put them back and it kills his site. I tried to follow your example and apply it to these entries as well but it does not seem to work. I notice that these entries say http_reply_access instead of just http_access like the others. I'm sure it's something simple that I'm missing. Thanks.

    #http_reply_access deny deny_rep_mime_flashvideo time_acl
    #http_reply_access deny deny_rep_mime_shockwave time_acl

  5. fadli
    26/09/2007 at 7:57 am

    http_access is used for filtering based on the ACL matches.

    http_reply_access is used for filtering based on the ACL matches too, but on the reply to the client's request.

    That is the description of the tag in the Squid configuration. It sounds to me that http_access is used for filtering outgoing traffic and http_reply_access is used for filtering incoming traffic.

  6. fadli
    26/09/2007 at 8:34 am

    It is OK, Aaron, about the replies; this site is so lonely after all.

    to use the commented tags:
    #http_reply_access deny deny_rep_mime_flashvideo time_acl
    #http_reply_access deny deny_rep_mime_shockwave time_acl

    you must exclude the aplia.com site (in the testme ACL) first. Something like this:
    http_reply_access allow deny_rep_mime_flashvideo time_acl testme
    http_reply_access allow deny_rep_mime_shockwave time_acl testme
    http_reply_access deny deny_rep_mime_flashvideo time_acl
    http_reply_access deny deny_rep_mime_shockwave time_acl

  7. fadli
    26/09/2007 at 8:41 am

    But it will be easier if you just allow any clients to connect to the site first, before putting any other rules. Just put “testme” to be allowed, not combined with other ACLs. However, this is not a very secure policy; you must make sure that aplia.com is a trusted site.

    Example:
    …. [acl definitions in here] …..
    http_access allow testme
    http_reply_access allow testme
    …. [then put other rules here] ….

  8. 15/10/2008 at 11:55 am

    Well, great, this is what I was searching for.
    Thanks a lot, man.

    squid rocks!!

  9. 09/12/2009 at 10:28 pm

    This config is very good.
    It is working now.
    Thanks.

  10. 06/03/2010 at 2:27 pm

    Thanks for this post, answers a bunch of questions I was having.

  11. Zerg
    01/06/2010 at 4:20 pm

    What would I have to do if I want to allow multimedia streaming (MMS protocol) via the Squid proxy?
    By other sources I was told that it won't be possible to stream MMS via Squid because Squid is an HTTP proxy... !?

    [I don't know anything about Squid at all, but I have to get it going... please help me]

  12. 04/06/2010 at 4:43 pm

    I think this is wonderful. I truly appreciate the information shared in this post; I am going to bookmark this!

  13. 08/03/2011 at 5:04 am

    Experience is the name that everyone gives to his mistakes.

  14. Ambicapathy
    19/04/2011 at 9:53 pm

    This worked for me, but in the meantime Windows Update has also stopped because of this. Then I removed these lines from squid.conf, restarted Squid and tested Windows Update, where it worked. I suppose I should add something in the ACL to allow Windows Update, if I am not wrong.

    Please suggest me with this.

    • 20/04/2011 at 9:31 am

      You can exclude the Windows Update sites from the rules. It will definitely work.

  15. 03/01/2012 at 7:31 pm

    Hi, I have followed all your steps. All live streaming videos are blocked now, but I am not able to exclude youtube.com from this restriction. Here is my squid.conf:

    acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    # streaming download
    acl testme dstdomain http://www.youtube.com
    acl fails rep_mime_type ^.*mms.*
    acl fails rep_mime_type ^.*ms-hdr.*
    acl fails rep_mime_type ^.*x-fcs.*
    acl fails rep_mime_type ^.*x-ms-asf.*
    acl fails2 urlpath_regex dvrplayer mediastream mms://
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
    acl x-type req_mime_type -i ^application/octet-stream$
    acl x-type req_mime_type -i application/octet-stream
    acl x-type req_mime_type -i ^application/x-mplayer2$
    acl x-type req_mime_type -i application/x-mplayer2
    acl x-type req_mime_type -i ^application/x-oleobject$
    acl x-type req_mime_type -i application/x-oleobject
    acl x-type req_mime_type -i application/x-pncmd
    acl x-type req_mime_type -i ^video/x-ms-asf$

    acl x-type2 rep_mime_type -i ^application/octet-stream$
    acl x-type2 rep_mime_type -i application/octet-stream
    acl x-type2 rep_mime_type -i ^application/x-mplayer2$
    acl x-type2 rep_mime_type -i application/x-mplayer2
    acl x-type2 rep_mime_type -i ^application/x-oleobject$
    acl x-type2 rep_mime_type -i application/x-oleobject
    acl x-type2 rep_mime_type -i application/x-pncmd
    acl x-type2 rep_mime_type -i ^video/x-ms-asf$
    http_reply_access deny deny_rep_mime_flashvideo
    http_reply_access deny deny_rep_mime_shockwave
    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on “localhost” is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow testme
    http_access deny fails
    http_reply_access deny fails
    http_access deny fails2
    http_reply_access deny fails2
    http_access deny x-type
    http_reply_access deny x-type
    http_access deny x-type2
    http_reply_access deny x-type2
    #http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    #################################################################

    Now please guide me.

    Thanks in Advance…

    • 05/01/2012 at 8:55 am

      I think the problem is in your declared ACL. You just allowed http://www.youtube.com. However, http://www.youtube.com is only the frontend for the whole site; there is another subdomain that provides the video content. I suggest you unblock the whole site. Use this:

      acl testme dstdomain .youtube.com

      That will allow all of the subdomains in the youtube.com tree. Please take note that you should put [.] in front of youtube.com.

      And one more thing: sometimes the video content is provided from another domain. You must include that domain too in the ACL list to enable video streaming.

  16. 07/01/2012 at 5:14 pm

    I have done as you said. But still it's not working... Look at my configuration file:

    acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl allowstream dstdomain .youtube.com
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    # streaming download
    acl fails rep_mime_type ^.*mms.*
    acl fails rep_mime_type ^.*ms-hdr.*
    acl fails rep_mime_type ^.*x-fcs.*
    acl fails rep_mime_type ^.*x-ms-asf.*
    acl fails2 urlpath_regex dvrplayer mediastream mms://
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
    acl x-type req_mime_type -i ^application/octet-stream$
    acl x-type req_mime_type -i application/octet-stream
    acl x-type req_mime_type -i ^application/x-mplayer2$
    acl x-type req_mime_type -i application/x-mplayer2
    acl x-type req_mime_type -i ^application/x-oleobject$
    acl x-type req_mime_type -i application/x-oleobject
    acl x-type req_mime_type -i application/x-pncmd
    acl x-type req_mime_type -i ^video/x-ms-asf$

    acl x-type2 rep_mime_type -i ^application/octet-stream$
    acl x-type2 rep_mime_type -i application/octet-stream
    acl x-type2 rep_mime_type -i ^application/x-mplayer2$
    acl x-type2 rep_mime_type -i application/x-mplayer2
    acl x-type2 rep_mime_type -i ^application/x-oleobject$
    acl x-type2 rep_mime_type -i application/x-oleobject
    acl x-type2 rep_mime_type -i application/x-pncmd
    acl x-type2 rep_mime_type -i ^video/x-ms-asf$
    http_reply_access deny deny_rep_mime_flashvideo
    http_reply_access deny deny_rep_mime_shockwave

    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on “localhost” is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow allowstream
    #streaming files
    http_access deny fails
    http_reply_access deny fails
    http_access deny fails2
    http_reply_access deny fails2
    http_access deny x-type
    http_reply_access deny x-type
    http_access deny x-type2
    http_reply_access deny x-type2
    http_access deny webdeny
    http_access deny blockkeyword
    http_access allow localhost

    # And finally deny all other access to this proxy
    http_access deny all

    # Squid normally listens to port 3128
    http_port 3128

    • 09/01/2012 at 9:40 am

      Try this:
      http_access allow allowstream
      http_reply_access allow allowstream

      I have not gone through your code yet. But you can give this a try.

  17. 09/01/2012 at 3:36 pm

    HI Fadli,
    It's sad, but still it's not working..

    Hands are up now…..

  18. 07/02/2012 at 5:46 pm

    Hi Fadli,
    It's working now. I have successfully added an exception for youtube.com. Streaming videos are blocked, but I am getting a problem regarding Flash videos. Streaming has blocked Flash videos too, which I did not want to block, because there are many websites of my company which have Flash videos on their logon page. I do not want to block these Flash videos; what should I do? I have removed the 'swf' extension from the first ACL and it looks like:

    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$

    and commented out the following ACLs:

    #acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    #acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-flash$
    #http_reply_access deny deny_rep_mime_flashvideo
    #http_reply_access deny deny_rep_mime_shockwave

    Now Flash videos are running, but again streaming has also started. Lots of confusion. What do you think, what am I missing in my configuration??

    Thanks,,,

    • 07/02/2012 at 6:00 pm

      I think you should put your company sites in an allow ACL first.
      After that, you can still use the blocking ACLs as before. No need to comment them out.

      acl my_company_sites dstdomain xxx yyy

      http_access allow my_company_sites
      http_access allow localnet
      http_access allow allowstream

      #streaming files
      http_access deny fails
      http_reply_access deny fails
      http_access deny fails2
      http_reply_access deny fails2
      http_access deny x-type
      http_reply_access deny x-type
      http_access deny x-type2

      • 07/02/2012 at 8:41 pm

        We have a developers team who are working on many web projects, so it is not possible for us to list them all in an ACL file. Not only do they work on our web projects, but they need to check other sites as well where Flash works. So is there any solution regarding this? Can we unblock only and only Flash videos??

  19. ilvista
    12/02/2012 at 6:04 pm

    I followed the tutorial, but I can't get it working!!!!
    acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
    acl localnet src fc00::/7 # RFC 4193 local private network range
    acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    # streaming download

    acl fails rep_mime_type ^.*mms.*
    acl fails rep_mime_type ^.*ms-hdr.*
    acl fails rep_mime_type ^.*x-fcs.*
    acl fails rep_mime_type ^.*x-ms-asf.*
    acl fails2 urlpath_regex dvrplayer mediastream mms://
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
    acl x-type req_mime_type -i ^application/octet-stream$
    acl x-type req_mime_type -i application/octet-stream
    acl x-type req_mime_type -i ^application/x-mplayer2$
    acl x-type req_mime_type -i application/x-mplayer2
    acl x-type req_mime_type -i ^application/x-oleobject$
    acl x-type req_mime_type -i application/x-oleobject
    acl x-type req_mime_type -i application/x-pncmd
    acl x-type req_mime_type -i ^video/x-ms-asf$

    acl x-type2 rep_mime_type -i ^application/octet-stream$
    acl x-type2 rep_mime_type -i application/octet-stream
    acl x-type2 rep_mime_type -i ^application/x-mplayer2$
    acl x-type2 rep_mime_type -i application/x-mplayer2
    acl x-type2 rep_mime_type -i ^application/x-oleobject$
    acl x-type2 rep_mime_type -i application/x-oleobject
    acl x-type2 rep_mime_type -i application/x-pncmd
    acl x-type2 rep_mime_type -i ^video/x-ms-asf$
    http_reply_access deny deny_rep_mime_flashvideo
    http_reply_access deny deny_rep_mime_shockwave
    #
    # Recommended minimum Access Permission configuration:
    #
    # Only allow cachemgr access from localhost
    http_access allow manager localhost
    http_access deny manager

    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports

    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports

    # We strongly recommend the following be uncommented to protect innocent
    # web applications running on the proxy server who think the only
    # one who can access services on “localhost” is a local user
    #http_access deny to_localhost

    #
    # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
    #

    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed

    http_access deny fails
    http_reply_access deny fails
    http_access deny fails2
    http_reply_access deny fails2
    http_access deny x-type
    http_reply_access deny x-type
    http_access deny x-type2
    http_reply_access deny x-type2
    #http_access allow localhost

    http_access allow localnet

    # We recommend you to use at least the following line.
    hierarchy_stoplist cgi-bin ?

    # Uncomment and adjust the following to add a disk cache directory.
    #cache_dir ufs /var/spool/squid 100 16 256

    # Leave coredumps in the first cache dir
    coredump_dir /var/spool/squid

    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

    and I'm getting this warning in cache.log:

    2012/02/12 11:02:28| ACL::checklistMatches WARNING: ‘x-type2’ ACL is used but there is no HTTP reply — not matching.
    2012/02/12 11:02:28| ACL::checklistMatches WARNING: ‘fails’ ACL is used but there is no HTTP reply — not matching.
    2012/02/12 11:02:28| ACL::checklistMatches WARNING: ‘x-type2’ ACL is used but there is no HTTP reply — not matching.
    2012/02/12 11:02:29| ACL::checklistMatches WARNING: ‘fails’ ACL is used but there is no HTTP reply — not matching.

    • 12/02/2012 at 8:09 pm

      I think http_access is checked when Squid receives the request from the client, but there is no HTTP response at that time.
      This is why you get an “ACL is used but there is no HTTP reply” warning.

      Could you check for me what your Squid version is? My configuration is already out of date. It was used on Squid version 2.5 when posted; the latest version is 3.1.

  20. 12/02/2012 at 8:33 pm

    By the way, ilvista, what is the multimedia content you want to block? I need to know more.

    The error that you gave just indicates that the stream you want to block is matched with the ACL, but because no HTTP_REPLY_ACCESS command is triggered, no blocking is done. Therefore, a WARNING is given.

    HTTP_REPLY is used to block client requests to the multimedia sites.
    HTTP_REPLY_ACCESS is used to block the multimedia sites' responses to your client.

    Basically, HTTP_REPLY affects outgoing packets, HTTP_REPLY_ACCESS affects incoming packets.

  21. 12/02/2012 at 8:41 pm

    Vinod Pundir :

    We have developers team which are working on many web projects, so it is not possible us to list them all in an Acl file. Not only they work on our web projects but they need to check other sites as well where flash works. So is there any solution regarding this? Can we unblock only and only flash videos ??

    Vinod,
    I think you can put the list into a file, include the file in an ACL and block them.
    Let's say you put your list in this file, “/etc/squid/streams.acl”; then block them using this configuration:

    acl denied_streams dstdomain “/etc/squid/streams.acl”
    http_access deny denied_streams
    http_reply_access deny denied_streams

  22. ilvista
    12/02/2012 at 8:44 pm

    thx for the reply ,
    I’m trying to block the video and radio streaming .
    i followed the tutorial ,but it’s not working

    many thanks

    • 12/02/2012 at 8:58 pm

      I think you should know the exact mime_type to block the content. As you see, I am not blocking all of the mime_types, therefore not all multimedia content is blocked.

      Or you can also add the correct file extension to the urlpath_regex ACL. Try adding .mp3 or .aac to block radio content.

      You'll need more research to do that. Try to analyze the website and find the right mime_type or file extension. Then you'll get the idea of which items to add to your ACL.

  23. ilvista
    12/02/2012 at 11:34 pm

    Thanks,
    but I used the same scripts to block the video and radio streaming through Squid on a Windows server 4 months ago, and it worked just fine (YouTube was blocked).
    YouTube uses mime_type x-shockwave-flash, which is supposed to be blocked.
    Now I'm on Fedora and I still can't figure out where the problem is.
    Thanks for the help.

    • 13/02/2012 at 8:35 am

      I may have found what is going on. Did someone delete this line?

      http_access deny all

      You are supposed to block all content after you allow all the allowable ACLs. We put it on the last line.

      http_access deny fails
      http_access deny fails2
      http_access deny x-type
      http_access deny x-type2
      http_access deny x-type3
      http_reply_access deny fails
      http_reply_access deny fails2
      http_reply_access deny x-type
      http_reply_access deny x-type2
      http_reply_access deny x-type3

      http_access allow localhost
      http_access allow servers1
      http_access allow offices
      http_access allow wireless
      http_access allow studentlabs
      http_access deny all

  24. ilvista
    14/02/2012 at 3:02 pm

    Yes, I do have an http_access deny all in my config file, but it is still not working. I set
    debug_options ALL,1 33,2 28,9
    and I'm getting this output:

    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl all src all’
    2012/02/13 15:39:05| aclMatchIp: ‘192.168.1.149’ found
    2012/02/13 15:39:05| aclMatchAclList: returning 1
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny deny_rep_mime_flashvideo’
    ……………………
    ………….
    no matches!!!
    2012/02/13 15:39:05| aclMatchAclList: checking deny_rep_mime_flashvideo
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl deny_rep_mime_flashvideo rep_mime_type video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘application/x-javascript’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/flv’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny deny_rep_mime_shockwave’
    2012/02/13 15:39:05| aclMatchAclList: checking deny_rep_mime_shockwave
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl deny_rep_mime_shockwave rep_mime_type ^application/x-shockwave-flash$’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘application/x-javascript’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-shockwave-flash$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny fails’
    2012/02/13 15:39:05| aclMatchAclList: checking fails
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl fails rep_mime_type ^.*mms.*’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘application/x-javascript’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*mms.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*ms-hdr.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*x-fcs.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*x-ms-asf.*’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny fails2’
    2012/02/13 15:39:05| aclMatchAclList: checking fails2
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl fails2 urlpath_regex dvrplayer mediastream mms://
    2012/02/13 15:39:05| aclMatchRegex: checking ‘/_static/js/button.min.js’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘dvrplayer’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘mediastream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘mms://’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.asf$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.afx$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.flv$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.swf$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny x-type’
    2012/02/13 15:39:05| aclMatchAclList: checking x-type
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl x-type req_mime_type ^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: checking ”
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/octet-stream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-mplayer2$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-mplayer2’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-oleobject$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-oleobject’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-pncmd’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^video/x-ms-asf$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny x-type2’
    2012/02/13 15:39:05| aclMatchAclList: checking x-type2
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl x-type2 rep_mime_type ^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘application/x-javascript’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/octet-stream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-mplayer2$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-mplayer2’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-oleobject$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-oleobject’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-pncmd’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^video/x-ms-asf$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny deny_rep_mime_flashvideo’
    2012/02/13 15:39:05| aclMatchAclList: checking deny_rep_mime_flashvideo
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl deny_rep_mime_flashvideo rep_mime_type video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘application/x-javascript’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/flv’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: NO match found, returning 1
    2012/02/13 15:39:05| aclCheckCallback: answer=1
    2012/02/13 15:39:05| The reply for GET http://flattr.com/_static/js/button.min.js is ALLOWED, because it matched ‘deny_rep_mime_flashvideo’
    2012/02/13 15:39:05| aclCheckFast: list: 003C7EC8
    2012/02/13 15:39:05| aclMatchAclList: checking all
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl all src all’
    2012/02/13 15:39:05| aclMatchIp: ‘192.168.1.149’ found
    2012/02/13 15:39:05| aclMatchAclList: returning 1
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny deny_rep_mime_flashvideo’
    2012/02/13 15:39:05| aclMatchAclList: checking deny_rep_mime_flashvideo
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl deny_rep_mime_flashvideo rep_mime_type video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘text/css’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/x-flv’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘video/flv’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny deny_rep_mime_shockwave’
    2012/02/13 15:39:05| aclMatchAclList: checking deny_rep_mime_shockwave
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl deny_rep_mime_shockwave rep_mime_type ^application/x-shockwave-flash$’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘text/css’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-shockwave-flash$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny fails’
    2012/02/13 15:39:05| aclMatchAclList: checking fails
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl fails rep_mime_type ^.*mms.*’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘text/css’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*mms.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*ms-hdr.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*x-fcs.*’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^.*x-ms-asf.*’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny fails2’
    2012/02/13 15:39:05| aclMatchAclList: checking fails2
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl fails2 urlpath_regex dvrplayer mediastream mms://
    2012/02/13 15:39:05| aclMatchRegex: checking ‘/_static/styles/button.css’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘dvrplayer’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘mediastream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘mms://’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.asf$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.afx$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.flv$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘\.swf$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny x-type’
    2012/02/13 15:39:05| aclMatchAclList: checking x-type
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl x-type req_mime_type ^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: checking ”
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/octet-stream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-mplayer2$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-mplayer2’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-oleobject$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-oleobject’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-pncmd’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^video/x-ms-asf$’
    2012/02/13 15:39:05| aclMatchAclList: no match, returning 0
    2012/02/13 15:39:05| aclCheck: checking ‘http_reply_access deny x-type2’
    2012/02/13 15:39:05| aclMatchAclList: checking x-type2
    2012/02/13 15:39:05| aclMatchAcl: checking ‘acl x-type2 rep_mime_type ^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: checking ‘text/css’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/octet-stream$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/octet-stream’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-mplayer2$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-mplayer2’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^application/x-oleobject$’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-oleobject’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘application/x-pncmd’
    2012/02/13 15:39:05| aclMatchRegex: looking for ‘^video/x-ms-asf$’

  25. ilvista
    16/02/2012 at 6:42 pm

    Got it fixed!!!!!!
    I was using a Windows XP host to test my Fedora Squid proxy server, and this host has Squid on it (Windows version); somehow the streaming coming from this host was not blocked, still inspecting!!!!

    thanks for your assistance

  26. Aditya
    29/05/2012 at 10:04 pm

    Hi

    Streaming is not stopping, it is still playing (below are the details of my squid file)
    ===========================
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
    acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
    acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
    acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
    acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
    acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
    acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
    acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$

    # streaming videos
    acl fails rep_mime_type ^.*mms.*
    acl fails rep_mime_type ^.*ms-hdr.*
    acl fails rep_mime_type ^.*x-fcs.*
    acl fails rep_mime_type ^.*x-ms-asf.*
    acl fails2 urlpath_regex dvrplayer mediastream mms://
    acl fails2 urlpath_regex \.asf$ \.afx$ \.flv$ \.swf$
    acl deny_rep_mime_flashvideo rep_mime_type -i video/flv
    acl deny_rep_mime_shockwave rep_mime_type -i ^application/x-shockwave-flash$
    acl x-type req_mime_type -i ^application/octet-stream$
    acl x-type req_mime_type -i application/octet-stream
    acl x-type req_mime_type -i ^application/x-mplayer2$
    acl x-type req_mime_type -i application/x-mplayer2
    acl x-type req_mime_type -i ^application/x-oleobject$
    acl x-type req_mime_type -i application/x-oleobject
    acl x-type req_mime_type -i application/x-pncmd
    acl x-type req_mime_type -i ^video/x-ms-asf$

    acl x-type2 rep_mime_type -i ^application/octet-stream$
    acl x-type2 rep_mime_type -i application/octet-stream
    acl x-type2 rep_mime_type -i ^application/x-mplayer2$
    acl x-type2 rep_mime_type -i application/x-mplayer2
    acl x-type2 rep_mime_type -i ^application/x-oleobject$
    acl x-type2 rep_mime_type -i application/x-oleobject
    acl x-type2 rep_mime_type -i application/x-pncmd
    acl x-type2 rep_mime_type -i ^video/x-ms-asf$
    http_reply_access deny deny_rep_mime_flashvideo
    http_reply_access deny deny_rep_mime_shockwave

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    acl our_networks src 192.168.19.0/24
    acl block dstdomain "/etc/squid/block.squid"
    acl bad url_regex "/etc/squid/bad.squid"
    http_access deny block
    http_access deny bad
    http_access allow our_networks
    http_access deny StreamingRequest1 all
    http_access deny StreamingRequest2 all
    http_access deny StreamingRequest3 all
    http_access deny StreamingRequest4 all
    http_reply_access deny StreamingReply1 all
    http_reply_access deny StreamingReply2 all
    http_reply_access deny StreamingReply3 all
    http_reply_access deny StreamingReply4 all
    http_reply_access deny deny_rep_mime_flashvideo
    http_reply_access deny deny_rep_mime_shockwave
    http_access deny fails
    http_reply_access deny fails
    http_access deny fails2
    http_reply_access deny fails2
    http_access deny x-type
    http_reply_access deny x-type
    http_access deny x-type2
    http_reply_access deny x-type2
    http_access deny all
    ================================================

  27. 16/12/2012 at 5:41 pm

    Thanks for the Script…

    I am able to block the flash content, but when the user goes through https:// the flash content is not blocked. For example, if the user accesses http://youtube.com the flash gets blocked, but when the user types https://youtube.com it won't…

    • 16/12/2012 at 5:54 pm

      First of all, did you force all users to go through the transparent proxy? If you haven't, then no wonder some users can bypass your rule.

      I am assuming that the https transparent proxy is not enforced on the users or, maybe, the https proxy is not defined in their browser. Correct me if I am wrong. Thanks.
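To see why comment 26's rules let some streams through and why the https:// case in comment 27 is never even evaluated, here is an added example (not code from any commenter, and not Squid's own matcher) that replays a subset of the reply-side ACLs from the squid.conf above against constructed exchanges; the `Exchange` class, `acl_matches` and `reply_decision` are hypothetical helpers, and the sample requests are made up.

```python
import re
from dataclasses import dataclass

# Hypothetical evaluator for a subset of the reply-side ACLs in the squid.conf
# above (not Squid's own code). Patterns are copied from the config; the bool
# marks "-i" (case-insensitive) ACLs.
ACLS = {
    "fails": ("rep_mime_type", False, [r"^.*mms.*", r"^.*ms-hdr.*", r"^.*x-fcs.*", r"^.*x-ms-asf.*"]),
    "fails2": ("urlpath_regex", False, [r"dvrplayer", r"mediastream", r"mms://",
                                        r"\.asf$", r"\.afx$", r"\.flv$", r"\.swf$"]),
    "deny_rep_mime_flashvideo": ("rep_mime_type", True, [r"video/flv"]),
    "deny_rep_mime_shockwave": ("rep_mime_type", True, [r"^application/x-shockwave-flash$"]),
    "x-type": ("req_mime_type", True, [r"^application/octet-stream$", r"^video/x-ms-asf$"]),
    "x-type2": ("rep_mime_type", True, [r"^application/octet-stream$", r"^video/x-ms-asf$"]),
}
# The http_reply_access deny lines, in the order the config lists them.
REPLY_DENY_ORDER = ["deny_rep_mime_flashvideo", "deny_rep_mime_shockwave",
                    "fails", "fails2", "x-type", "x-type2"]

@dataclass
class Exchange:
    method: str
    path: str            # URL path as urlpath_regex sees it (no scheme or host)
    req_ctype: str = ""  # request Content-Type; empty for a plain GET (see the log's checking '')
    rep_ctype: str = ""  # reply Content-Type header

def acl_matches(name: str, ex: Exchange) -> bool:
    """Squid-style regex ACL: match if any pattern matches the ACL's subject."""
    kind, icase, patterns = ACLS[name]
    subject = {"rep_mime_type": ex.rep_ctype, "req_mime_type": ex.req_ctype,
               "urlpath_regex": ex.path}[kind]
    flags = re.IGNORECASE if icase else 0
    return any(re.search(p, subject, flags) for p in patterns)

def reply_decision(ex: Exchange) -> str:
    """Return the first denying ACL name, 'ALLOW', or 'TUNNEL' for a CONNECT request."""
    # A CONNECT tunnel carries TLS end to end: the proxy never sees a reply
    # Content-Type or a URL path, so none of these ACLs can match the content.
    if ex.method == "CONNECT":
        return "TUNNEL"
    for name in REPLY_DENY_ORDER:
        if acl_matches(name, ex):
            return name
    return "ALLOW"

# Constructed sample exchanges (not taken from the debug log above).
SAMPLES = [
    Exchange("GET", "/_static/js/button.min.js", rep_ctype="application/x-javascript"),
    Exchange("GET", "/media/clip.asf", rep_ctype="video/x-ms-asf"),
    Exchange("GET", "/videoplayback?id=1", rep_ctype="video/x-flv"),  # "video/flv" never matches "video/x-flv"
    Exchange("CONNECT", "youtube.com:443"),
]

if __name__ == "__main__":
    for ex in SAMPLES:
        print(f"{ex.method} {ex.path}: {reply_decision(ex)}")
```

The third sample shows a gap in comment 26's config itself: its flash rule only looks for `video/flv`, so a `video/x-flv` reply (the type the author's later log also tests for) is allowed; the fourth shows that an https:// stream over CONNECT is never inspected by reply-side ACLs at all, whatever the rules say.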
