[Samba] regular expression for veto files directive?

Robert Penz robert.penz at outertech.com
Tue Jul 26 17:22:33 GMT 2005


On Tuesday 26 July 2005 17:44, Jeremy Allison wrote:

> No, veto files doesn't allow regexps. I decided evaluating the
> regexp would be too expensive on every file lookup - we currently
> only allow wildcards. If you can show me a patch with regexp support
> we can test how expensive it is before accepting it.

ok I understand that, but I can't provide a patch ;-(. But then maybe 
another solution is even better. For squid it is possible to define a program 
which squid starts a few times at startup and then pastes every requesting 
url before processing to one of the instances. This way it would be no 
problem for special purposes to use a filter without slowing down the normal 
operation. 

if together with the filename 

- fullpath
- username
- group
- share

it would really be a mighty feature.


ps: squid has also regex support, but something like a redirector is even more 
powerful. even if on samba it would only deny up-/down-loads

here the squid stuff:

/usr/share/doc/squid/FAQ-15.html

15. Redirectors

15.1 What is a redirector?

   Squid has the ability to rewrite requested URLs. Implemented as an external process (similar to a dnsserver), Squid can be
   configured to pass every incoming URL through a redirector process that returns either a new URL, or a blank line to
   indicate no change.

   The redirector program is NOT a standard part of the Squid package. However, some examples are provided below, and in the
   "contrib/" directory of the source distribution. Since everyone has different needs, it is up to the individual
   administrators to write their own implementation.

15.2 Why use a redirector?

   A redirector allows the administrator to control the locations to which his users go to. Using this in conjunction with
   interception proxies allows simple but effective porn control.

15.3 How does it work?

   The redirector program must read URLs (one per line) on standard input, and write rewritten URLs or blank lines on standard
   output. Note that the redirector program can not use buffered I/O. Squid writes additional information after the URL which a
   redirector can use to make a decision. The input line consists of four fields:
        URL ip-address/fqdn ident method

   Do you have any examples?

   A simple very fast redirector called SQUIRM is a good place to start, it uses the regex lib to allow pattern matching.

   Also see jesred.

The following Perl script may also be used as a template for writing your own 
redirector:

                                                                              
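        #!/usr/local/bin/perl
        $|=1;   # unbuffered output: Squid needs each reply immediately
        while (<>) {
                # rewrite the host part; lines that do not match pass through unchanged
                s@http://fromhost.com@http://tohost.org@;
                print;
        }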

15.4 Can I use the redirector to return HTTP redirect messages?

   Normally, the redirector feature is used to rewrite requested URLs. Squid then transparently requests the new URL. However,
   in some situations, it may be desirable to return an HTTP "301" or "302" redirect message to the client. This is now
   possible with Squid version 1.1.19.

   Simply modify your redirector program to prepend either "301:" or "302:" before the new URL. For example, the following
   script might be used to direct external clients to a secure Web server for internal documents:
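        #!/usr/local/bin/perl
        $|=1;   # unbuffered output
        while (<>) {
                @X = split;     # fields: URL ip-address/fqdn ident method
                $url = $X[0];
                if ($url =~ /^http:\/\/internal\.foo\.com/) {
                        $url =~ s/^http/https/;
                        $url =~ s/internal/secure/;
                        print "302:$url\n";     # "302:" prefix makes Squid send a redirect
                } else {
                        print "$url\n";
                }
        }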

   Please see sections 10.3.2 and 10.3.3 of RFC 2068 for an explanation of the 301 and 302 HTTP reply codes.

15.5 FATAL: All redirectors have exited!

   A redirector process must never exit (stop running). If you see the ``All redirectors have exited'' message, it probably
   means your redirector program has a bug. Maybe it runs out of memory or has memory access errors. You may want to test your
   redirector program outside of squid with a big input list, taken from your access.log perhaps. Also, check for coredump
   files from the redirector program.

15.6 Redirector interface is broken re IDENT values

   I added a redirector consisting of
        #! /bin/sh
        /usr/bin/tee /tmp/squid.log

   and many of the redirector requests don't have a username in the ident field.

   Squid does not delay a request to wait for an ident lookup, unless you use the ident ACLs. Thus, it is very likely that the
   ident was not available at the time of calling the redirector, but became available by the time the request is complete and
   logged to access.log.

   If you want to block requests waiting for ident lookup, try something like this:
        acl foo ident REQUIRED
        http_access allow foo


/etc/squid.conf:

#  TAG: redirect_program
#       Specify the location of the executable for the URL redirector.
#       Since they can perform almost any function there isn't one included.
#       See the FAQ (section 15) for information on how to write one.
#       By default, a redirector is not used.
#
#Default:
# none

#  TAG: redirect_children
#       The number of redirector processes to spawn. If you start
#       too few Squid will have to wait for them to process a backlog of
#       URLs, slowing it down. If you start too many they will use RAM
#       and other system resources.
#
#Default:
# redirect_children 5

#  TAG: redirect_rewrites_host_header
#       By default Squid rewrites any Host: header in redirected
#       requests.  If you are running an accelerator then this may
#       not be a wanted effect of a redirector.
#
#Default:
# redirect_rewrites_host_header on

#  TAG: redirector_access
#       If defined, this access list specifies which requests are
#       sent to the redirector processes.  By default all requests
#       are sent.
#
#Default:
# none


-- 
Regards,
Robert
----------------
Robert Penz
robert DOT penz AT outertech DOT com
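
Added example, not part of the original post or of the Squid FAQ: a regex-based policy helper speaking the redirector protocol quoted above (one `URL ip-address/fqdn ident method` line in, one reply line out, flushed immediately, never exiting on bad input). The block-page URL, the file-extension deny pattern and the stricter host anchoring are assumptions made for illustration.

```python
#!/usr/bin/env python3
import re
import sys

# Constructed policy for illustration; the block page host is a placeholder.
BLOCK_PAGE = "http://proxy.example.invalid/blocked.html"
DENY = re.compile(r"\.(exe|scr|pif)(\?.*)?$", re.IGNORECASE)
# Anchored on the end of the host name, so that a look-alike such as
# internal.foo.com.other.example is not treated as the internal server.
INTERNAL = re.compile(r"^http://internal\.foo\.com(?=/|$)")


def parse(line):
    """Split 'URL ip-address/fqdn ident method' into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 4:
        return None
    url, client, ident, method = fields[:4]
    ip, _, fqdn = client.partition("/")
    return {"url": url, "ip": ip, "fqdn": fqdn, "ident": ident, "method": method}


def decide(line):
    """Return the reply line: '' means no change, otherwise a new URL,
    optionally prefixed with '302:' so that Squid sends an HTTP redirect."""
    req = parse(line)
    if req is None:
        return ""                      # malformed input: answer, do not crash
    if DENY.search(req["url"]):
        return BLOCK_PAGE              # rewrite: Squid fetches the block page
    m = INTERNAL.match(req["url"])
    if m:
        return "302:https://secure.foo.com" + req["url"][m.end():]
    return ""


def main():
    for line in sys.stdin:
        try:
            reply = decide(line)
        except Exception:              # a redirector must keep running (FAQ 15.5)
            reply = ""
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()             # the FAQ forbids buffered I/O


if __name__ == "__main__":
    main()
```

As section 15.5 suggests, it can be exercised outside Squid by piping request lines into it before it is named in `redirect_program`.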