The application can also apply advanced rules (access control list rules) in a policy. To configure them, open Admin UI / Policy / Filtering Rules / Advanced, as shown on the following screenshot.
Currently the following access control list (ACL) types are supported. The implementation has some similarities with Squid ACLs, although not all Squid access control list names and access rules are supported yet.
| ACL type | Description |
|---|---|
| http_status | The decimal status code of the HTTP response, taken from the response status line (for example 200 or 404). Single codes and ranges such as 400-403 can be listed. |
| method | The HTTP method (verb) of the HTTP request, for example GET, POST or CONNECT. |
| dstdomain | Domain name of the origin site being connected to, taken from the request (the host of the URL, or the tunnel target of a CONNECT request). The examples below write domains with a leading dot (.example.com), which in Squid syntax covers the domain and its subdomains. |
| port | The origin port the browser wants to connect to. For example, a HTTPS connection results in a CONNECT request to port 443. |
| rep_mime_type | MIME type of the HTTP response, taken from its Content-Type header. |
| req_mime_type | MIME type of the HTTP request body (an upload, for example), taken from the request's Content-Type header. |
| browser | User-Agent HTTP header of the request, matched as a regular expression. |
| referer | Referer HTTP header of the request, matched as a regular expression (the example below names this type referer_regex). |
| url_regex | Regular expression matched against the URL of the request. |
Any line starting with # is a comment and is ignored. Use comments to make the advanced configuration easier to understand.
The following sections present some examples of using advanced filtering rules.
HTTP Status Code
The following example blocks HTTP responses with a status code below 100 and lets all others through. The status code is only known once the response arrives, so these are http_reply_access rules (as in the content-type example further down) rather than http_access rules.

```
# define allowed and denied status codes (single codes, a range and an open range)
acl allowed_status_codes http_status 200 301 400-403 500
acl denied_status_codes http_status -100
# allow and deny as required; the final line lets every other response through
http_reply_access allow allowed_status_codes
http_reply_access deny denied_status_codes
http_reply_access allow all
```
HTTP Request Method
The following example blocks POST requests to the example.com site while letting all other requests through. All ACLs listed on one http_access line must match for the line to apply.

```
# define the acls
acl target_site dstdomain .example.com
acl post_method method POST
# deny POST to example.com, allow the rest
http_access deny post_method target_site
http_access allow all
```
The following example allows HTTP requests to the listed search sites and blocks everything else.

```
# define domains
acl search_engines dstdomain .duckduckgo.com .yahoo.com .google.com .bing.com
# allow and deny as required
http_access allow search_engines
http_access deny all
```
The following example allows CONNECT tunnels (HTTPS) only to ports 443 and 8443. CONNECT requests to any other port are blocked; everything else is allowed.

```
# list of ports where CONNECT tunnels will be allowed to
acl SSL_ports port 443 8443
# connect method
acl method_connect method CONNECT
# deny CONNECT tunnels to other ports
http_access deny method_connect !SSL_ports
# but anything else is allowed
http_access allow all
```
The following example allows requests only to a list of safe ports (the classic Squid Safe_ports list). Requests to all other ports are denied.

```
# deny connections to unsafe ports
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
http_access deny !Safe_ports
# but anything else is allowed
http_access allow all
```
Request and Response Content Types
The following example blocks MP4 video files served from Facebook's CDN. Video files from other hosting platforms, such as YouTube, are not matched by the rule and are implicitly allowed.

```
# define facebook cdn
acl facebook_cdn dstdomain .fbcdn.net
# define the response content type of a video file
acl video_mp4 rep_mime_type video/mp4
# deny responses matching both; the content type is a response attribute, so http_reply_access is used
http_reply_access deny video_mp4 facebook_cdn
```
User Agent and Referer
The following example prevents the Firefox browser from connecting to Webex sites. Connections from other browsers, and to all other sites, are allowed. The deny is an http_access rule so that the request is refused before any connection to Webex is made. Note that the User-Agent header is set by the client and is trivially changed, so this is a policy convenience rather than a security control.

```
# prevent firefox from accessing webex
acl webex_sites dstdomain .webex.com
# match the User-Agent header, e.g. "... Firefox/115.0"; [Ff] matches either case
acl firefox browser [Ff]irefox\/\d+\.\d+
http_access deny firefox webex_sites
# but everything else is allowed
http_access allow all
```
The following example blocks all HTTP requests whose Referer header points to example.com. Like the User-Agent, the Referer header is supplied by the client and can be omitted or forged.

```
# prevent connections with referer set to a specific value
acl bad_referer referer_regex ^https?:\/\/example\.com.*
http_access deny bad_referer
# but anything else is allowed
http_access allow all
```
Request URL Regular Expression
The following example allows access to only one account at github.com (note how negation of the regular expression is used). Connections to all other sites are allowed. The deny rule excludes CONNECT, so the TLS tunnel to github.com is still established; the per-URL check can only apply to the requests inside the tunnel if the proxy decrypts the HTTPS traffic and sees them.

```
# we will only block subsequent gets, not the initial connect
acl method_connect method CONNECT
# define domains we will act upon
acl github_com dstdomain .github.com
# deny connections to all github accounts except for user1
acl allowed_url url_regex ^https?:\/\/github\.com\/user1\/.*$
http_access deny !method_connect github_com !allowed_url
# allow anything else
http_access allow all
```
The following example allows only a set of URLs on the example.com site, which is accessed over HTTPS, and denies everything else, including all other sites. The CONNECT tunnel to example.com must be allowed explicitly, otherwise the final deny would block the HTTPS connection before any URL can be checked. The alternation in the regular expression is written as a group, (app1|app2|app3); written as a character class, [app1|app2|app3], it would match a single character only.

```
# we will only block subsequent gets, not the initial connect
acl method_connect method CONNECT
# define domains we will act upon
acl example_com dstdomain .example.com
# deny connections to other urls than the required list
acl allowed_url url_regex ^https?:\/\/example\.com\/auth\/(app1|app2|app3)\/.*$
http_access deny !method_connect example_com !allowed_url
# allow the tunnel to example.com and the permitted urls inside it
http_access allow example_com
# deny anything else too
http_access deny all
```
Block All Requests
The following example simply blocks all requests.

```
# nothing is allowed here
http_access deny all
```

The name all is the built-in access control list that matches any request or response.
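The rule semantics used throughout the examples above (first matching http_access line wins, ACLs on one line are ANDed, ! negates, a leading dot in dstdomain covers subdomains) are easy to get wrong by hand. The following Python simulator is an added example, not code from the page or from the product; it parses the request-side subset of the rule language (acl and http_access lines; the response-side types http_status and rep_mime_type are left out) and evaluates constructed requests against the github.com and example.com policies from this page. The evaluation order and the "opposite of the last line" default are assumptions modelled on Squid, not something the page states.

```python
# Added example, not code from the page or the product: an offline simulator for the
# request-side advanced rules above, so a policy can be checked before it is deployed.
# Assumptions modelled on Squid (the page does not state them): the ACLs on one
# http_access line are ANDed, '!' negates, the first matching line decides, and when
# no line matches the result is the opposite of the last line's action.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Request:
    method: str
    host: str
    port: int
    url: str           # full URL for plain requests, "host:port" for CONNECT
    browser: str = ""  # User-Agent header
    referer: str = ""  # Referer header

def parse_policy(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is [(action, [(negated, name)])]."""
    acls = {"all": ("all", [])}  # built-in 'all' matches everything
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # lines starting with '#' are comments
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, typ, values = parts[1], parts[2], parts[3:]
            acls[name] = (typ, acls.get(name, (typ, []))[1] + values)  # repeated acl lines append
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
        else:
            raise ValueError(f"unsupported or malformed line: {line}")
    return acls, rules

def _domain_match(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):  # '.example.com' covers example.com and its subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def _port_match(port, spec):
    if "-" in spec:  # 'lo-hi'; an open end means 0 or 65535
        lo, hi = spec.split("-", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

def acl_matches(acls, name, req):
    typ, values = acls[name]  # an undefined acl name raises KeyError on purpose
    if typ == "all":
        return True
    if typ == "method":
        return req.method.upper() in {v.upper() for v in values}
    if typ == "dstdomain":
        return any(_domain_match(req.host, v) for v in values)
    if typ == "port":
        return any(_port_match(req.port, v) for v in values)
    if typ in ("url_regex", "browser", "referer", "referer_regex"):
        subject = {"url_regex": req.url, "browser": req.browser}.get(typ, req.referer)
        return any(re.search(v, subject) for v in values)
    raise ValueError(f"acl type {typ!r} is not handled here (response-side types omitted)")

def decide(policy_text, req):
    """First http_access line whose ACLs all match decides; otherwise the opposite of the last line."""
    acls, rules = parse_policy(policy_text)
    last = "allow"
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
        last = action
    return "deny" if last == "allow" else "allow"

def get(url, browser="", referer=""):
    """Constructed helper: a plain GET for a URL, port taken from the URL or the scheme."""
    u = urlsplit(url)
    return Request("GET", u.hostname or "", u.port or (443 if u.scheme == "https" else 80), url, browser, referer)

def connect(host, port):
    """Constructed helper: the CONNECT request a browser sends to open a HTTPS tunnel."""
    return Request("CONNECT", host, port, f"{host}:{port}")

# Constructed policy text copied from the github example above (regex verbatim).
GITHUB_POLICY = r"""
acl method_connect method CONNECT
acl github_com dstdomain .github.com
acl allowed_url url_regex ^https?:\/\/github\.com\/user1\/.*$
http_access deny !method_connect github_com !allowed_url
http_access allow all
"""

# The example.com rule with the alternation as a group. Written as a character class,
# [app1|app2|app3], it matches one character, so /auth/app2/... would be denied.
EXAMPLE_COM_POLICY = r"""
acl method_connect method CONNECT
acl example_com dstdomain .example.com
acl allowed_url url_regex ^https?:\/\/example\.com\/auth\/(app1|app2|app3)\/.*$
http_access deny !method_connect example_com !allowed_url
http_access allow example_com
http_access deny all
"""
```

Calling decide(GITHUB_POLICY, get("https://github.com/user2/repo")) returns "deny" while the same URL under user1 returns "allow", and connect("github.com", 443) is allowed by both policies because the deny line excludes CONNECT. One thing the simulator makes visible: in the example.com policy the dstdomain .example.com also matches www.example.com, but the url_regex only matches example.com itself, so https://www.example.com/auth/app1/... is denied; a rule set that mixes domain wildcards with anchored URL regexes should be checked against such inputs before it goes live.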