Hi,

I'm unable to block specific file downloads in http/https traffic. For example, I'd like to block .cab files from being downloaded.

Here's what I have:

# grep cab /usr/local/proxy-settings/denied.filetypes
\.cab(\?.*)?$

# grep -v ^# squid.test.conf | grep -v ^$
http_access allow localhost manager
http_access deny manager
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl interceptedhttp myportname 3228
acl interceptedhttps myportname 3229
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
http_access deny denied_mimetypes_req
http_access deny denied_mimetypes_rep
http_access deny denied_filetypes
http_access deny interceptedhttp !localnet
http_access deny interceptedhttps !localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db_test -M 16MB
sslcrtd_children 10
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
cache_dir diskd /var/cache/squid.test 100 16 256
http_access allow localnet
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
pid_filename /run/squid.test.pid
access_log daemon:/var/log/squid/access.test.log squid
cache_log /var/log/squid/cache.test.log
debug_options rotate=1 ALL,5

In cache.log I see:

Content-Type: application/x-cab
Content-Disposition: attachment;filename="fake.cab";filename*=UTF-8''fake.cab

BTW if I replace the following:

acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab

with

acl denied_mimetypes_req req_mime_type -i application/x-
acl denied_mimetypes_rep rep_mime_type -i application/x-

then the cab file downloads are correctly blocked. This is obviously too restrictive.

This must be a dumb mistake on my behalf. What am I missing?

Thanks,

Vieri