Advanced ACLs

Web Safety can also apply advanced rules (access control list rules) in a given policy. To configure these rules, select Admin UI / Policy / Filtering Rules / Domains and URLs / Advanced, as shown on the following screenshot.

[Screenshot: advanced_rules1.png]

Currently the following access control list (ACL) types are supported. The implementation resembles Squid ACLs, although not all Squid ACL names and not all access rules are supported yet.

ACL             Description
-------------   -------------------------------------------------------------------------------------------------
http_status     Decimal status code of the HTTP response, taken from the response status line (for example 200 in "200 OK").
method          HTTP method (verb) of the request, for example GET, POST, PUT or DELETE.
dstdomain       Domain name of the origin site being connected to, taken from the Host header of the request.
port            Origin port the browser wants to connect to; for example, an HTTPS connection results in a CONNECT request to port 443.
rep_mime_type   MIME type of the HTTP response, taken from the Content-Type header of the response.
req_mime_type   MIME type of the HTTP request, taken from the Content-Type header of the request. Usually only POST and PUT requests carry this header.
browser         User-Agent HTTP header of the request.
referer         Referer HTTP header of the request.
url_regex       Regular expression matched against the URL of the request.

Any line starting with # is treated as a comment and ignored. Use such comments to make the advanced configuration easier to understand.

The following sections present some examples of using advanced filtering rules.

HTTP Status Code

The following example blocks HTTP responses with a status code below 100 and allows the others through.

# define allowed and denied status codes
acl allowed_status_codes http_status 200 301 400-403 500
acl denied_status_codes http_status -100

# allow and deny as required (the original listed "allow" for the denied codes, which contradicts the comment)
http_access allow allowed_status_codes
http_access deny denied_status_codes

HTTP Request Method

The following example blocks POST requests directed to the example.com site while allowing all other requests through.

# define allowed and denied acls
acl target_site dstdomain .example.com
acl post_method method POST

# allow and deny as required
http_access deny post_method target_site
http_access allow all

Domain Name

The following example allows HTTP requests to the listed search engines and blocks everything else.

# define domains
acl search_engines dstdomain .duckduckgo.com .yahoo.com .google.com .bing.com

# allow and deny as required
http_access allow search_engines
http_access deny all

Origin Port

The following example allows HTTPS (CONNECT) requests to ports 443 and 8443. CONNECT tunnels to all other ports are blocked; other requests are allowed.

# list of ports where CONNECT tunnels will be allowed to
acl SSL_ports port 443 8443

# connect method
acl method_connect method CONNECT

# deny CONNECT tunnels to other ports
http_access deny method_connect !SSL_ports

# but anything else is allowed
http_access allow all

The following example allows requests only to the listed safe ports. All other ports are denied.

# deny connections to unsafe ports
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
http_access deny !Safe_ports

# but anything else is allowed
http_access allow all

Request and Response Content Types

The following example blocks MP4 video files served from the Facebook CDN. Video files on other video hosting platforms, like YouTube, are implicitly allowed.

# define facebook cdn
acl facebook_cdn dstdomain .fbcdn.net

# define response content type of a video file
acl video_mp4 rep_mime_type video/mp4

# and deny it
http_reply_access deny video_mp4 facebook_cdn

User Agent and Referer

The following example prevents the Firefox browser from accessing the Webex site. Connections to all other sites are allowed.

# prevent firefox from accessing webex
acl webex_sites dstdomain .webex.com
# match "Firefox/<major>.<minor>" anywhere in the User-Agent header
acl firefox browser .*[Ff]irefox\/\d+\.\d+.*

http_reply_access deny firefox webex_sites

# but everything else is allowed
http_access allow all

The following example blocks all HTTP requests whose Referer header points to example.com.

# prevent connections with referer set to specific value
acl bad_referer referer_regex ^https?:\/\/example\.com.*
http_access deny bad_referer

# but anything else is allowed
http_access allow all

Request URL Regular Expression

The following example allows access to only one account at github.com (note how the negated ACL, !allowed_url, is used). Connections to all other sites are allowed.

# we will only block subsequent gets not initial connect
acl method_connect method CONNECT

# define domains we will act upon
acl github_com dstdomain .github.com

# deny connections to all github accounts except for user1
acl allowed_url url_regex ^https?:\/\/github\.com\/user1\/.*$
http_access deny !method_connect github_com !allowed_url

# allow anything else
http_access allow all
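To check how rule order, negation and the initial CONNECT tunnel interact before deploying rules like the github.com example above, here is a small evaluator added as an example; it is not part of Web Safety or Squid. It parses the rules above with the method, dstdomain, url_regex and all ACL types modelled, and applies first-match semantics to constructed sample requests; Request, parse and decide are assumed helper names, and the no-match fallback (opposite of the last rule) is the Squid convention assumed here.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str   # HTTP verb, e.g. GET or CONNECT
    host: str     # value of the Host header (dstdomain)
    url: str      # request URL as seen by the proxy (url_regex)

# Constructed sample: the github.com rules from the section above, verbatim.
CONFIG = r"""
acl method_connect method CONNECT
acl github_com dstdomain .github.com
acl allowed_url url_regex ^https?:\/\/github\.com\/user1\/.*$
http_access deny !method_connect github_com !allowed_url
http_access allow all
"""

def parse(config):
    # collect 'acl NAME TYPE VALUE...' and 'http_access ACTION TERM...' lines
    acls, rules = {"all": ("all", [])}, []
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()   # '#' starts a comment
        if parts and parts[0] == "acl":         # repeated names extend the values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(kind, values, req):
    if kind == "all":
        return True
    if kind == "method":
        return req.method in values
    if kind == "dstdomain":   # a leading dot matches the domain and all subdomains
        return any(req.host == v.lstrip(".") or (v[0] == "." and req.host.endswith(v))
                   for v in values)
    if kind == "url_regex":
        return any(re.search(v, req.url) for v in values)
    raise ValueError(f"acl type {kind} is not modelled here")

def decide(acls, rules, req):
    # first http_access line whose terms all match wins; '!' negates one term
    for action, terms in rules:
        for term in terms:
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == term.startswith("!"):
                break                             # term fails, try the next line
        else:
            return action
    # no line matched: assumed Squid behaviour, the opposite of the last action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"
```

Removing the !method_connect term from the deny line makes the evaluator deny the initial CONNECT to github.com as well, because the tunnel request "github.com:443" never matches the url_regex.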

The following example allows connections to a set of URLs on an example.com site that is accessed over HTTPS. All other requests are denied.

# we will only block subsequent gets not initial connect
acl method_connect method CONNECT

# define domains we will act upon
acl example_com dstdomain .example.com

# deny connections to other urls than the required list
# (a group (app1|app2|app3) is needed here; a character class [app1|app2|app3] would match single characters only)
acl allowed_url url_regex ^https?:\/\/example\.com\/auth\/(app1|app2|app3)\/.*$
http_access deny !method_connect example_com !allowed_url

# allow the initial CONNECT and the listed urls on example.com
http_access allow example_com

# deny anything else too
http_access deny all

Block All Requests

The following example simply blocks all requests.

# nothing is allowed here
http_access deny all

Here all is the built-in access control list name that matches any request or response.