On 29/05/17 23:47, Vieri wrote:
Hi,

I'm unable to block specific file downloads in http/https traffic. For example, 
I'd like to block .cab files from being downloaded.

Here's what I have:

# grep cab /usr/local/proxy-settings/denied.filetypes
\.cab(\?.*)?$

# grep -v ^# squid.test.conf | grep -v ^$
http_access allow localhost manager
http_access deny manager
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl interceptedhttp myportname 3228
acl interceptedhttps myportname 3229
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
http_access deny denied_mimetypes_req
http_access deny denied_mimetypes_rep
http_access deny denied_filetypes


In cache.log I see:

Content-Type: application/x-cab
Content-Disposition: attachment;filename="fake.cab";filename*=UTF-8''fake.cab

BTW if I replace the following:

acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab

with

acl denied_mimetypes_req req_mime_type -i application/x-
acl denied_mimetypes_rep rep_mime_type -i application/x-

then the cab file downloads are correctly blocked. This is obviously too 
restrictive.

This must be a dumb mistake on my behalf.
What am I missing?

Several things:

1) http_access is tested only for requests.

Response/reply messages are controlled through http_reply_access.
<http://www.squid-cache.org/Doc/config/http_reply_access>

2) rep_mime_type ACL (note the 'p') tests reply headers, thus it is for use in http_reply_access and will not work in http_access.

3) req_mime_type ACL (note the 'q') tests request headers. It is for upload file types (POST, PUT etc).


Amos
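
The three points above applied to the posted configuration, as an added example that is not part of the original thread. The denied_disposition ACL goes beyond the reply: it is a hypothetical name, added on the assumption that the Content-Disposition filename seen in cache.log should also be matched when the URL path does not end in .cab.

```conf
# --- Request stage: http_access sees only the request -----------------
# URL-based checks belong here; the reply does not exist yet.
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
http_access deny denied_filetypes

# req_mime_type tests the request's Content-Type, i.e. uploads (POST, PUT).
acl denied_mimetypes_req req_mime_type -i application/x-cab
http_access deny denied_mimetypes_req

# Before (from the original post): a reply ACL tested at the request stage.
# http_access deny denied_mimetypes_rep

# --- Reply stage: http_reply_access sees the server's reply headers ---
# After: the same reply ACL, moved to the directive that runs on replies.
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
http_reply_access deny denied_mimetypes_rep

# Added assumption: also match the download filename announced by the
# server, e.g. Content-Disposition: attachment;filename="fake.cab"
acl denied_disposition rep_header Content-Disposition -i filename[^;]*\.cab
http_reply_access deny denied_disposition

# Make the default for all other replies explicit.
http_reply_access allow all
```

Running squid -k parse against the edited file checks the syntax before the change is reloaded.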
