Re: squid block by Content-Type or Content-Disposition


On 29/05/17 23:47, Vieri wrote:
Hi,

I'm unable to block specific file downloads in http/https traffic. For example, I'd like to block .cab files from being downloaded.

Here's what I have:

# grep cab /usr/local/proxy-settings/denied.filetypes
\.cab(\?.*)?$

# grep -v ^# squid.test.conf | grep -v ^$
http_access allow localhost manager
http_access deny manager
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl interceptedhttp myportname 3228
acl interceptedhttps myportname 3229
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
http_access deny denied_mimetypes_req
http_access deny denied_mimetypes_rep
http_access deny denied_filetypes


In cache.log I see:

Content-Type: application/x-cab
Content-Disposition: attachment;filename="fake.cab";filename*=UTF-8''fake.cab

BTW if I replace the following:

acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab

with

acl denied_mimetypes_req req_mime_type -i application/x-
acl denied_mimetypes_rep rep_mime_type -i application/x-

then the cab file downloads are correctly blocked. This is obviously too restrictive.

This must be a dumb mistake on my behalf.
What am I missing?

Several things:

1) http_access is tested only for requests.

Response/reply messages are controlled through http_reply_access.
<http://www.squid-cache.org/Doc/config/http_reply_access>

2) rep_mime_type ACL (note the 'p') tests reply headers, thus for use in http_reply_access and will not work in http_access.

3) req_mime_type ACL (note the 'q') tests request headers. It is for upload file types (POST, PUT etc).


Amos
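
The three points in the reply above, applied to the configuration from the question. This is an added example, not part of the original thread; the ACL names are reused from the question, while the anchored regexes and the rep_header ACL on Content-Disposition are assumptions that go beyond the reply.

```conf
# Added example, not from the original thread.

# --- Request side: evaluated by http_access, before any reply exists ---
# Only the URL and the request headers can be tested here.
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
# req_mime_type tests the request's Content-Type, i.e. uploads (POST, PUT etc).
acl denied_mimetypes_req req_mime_type -i ^application/x-cab
http_access deny denied_filetypes
http_access deny denied_mimetypes_req

# --- Reply side: evaluated by http_reply_access, once reply headers arrive ---
# rep_mime_type tests the reply's Content-Type, i.e. downloads.
acl denied_mimetypes_rep rep_mime_type -i ^application/x-cab
# Assumption beyond the reply: also match the file name in Content-Disposition,
# for servers that send a generic type such as application/octet-stream.
acl denied_disposition rep_header Content-Disposition -i \.cab([^a-z0-9]|$)
http_reply_access deny denied_mimetypes_rep
http_reply_access deny denied_disposition
```

For traffic arriving on the https_port, the reply ACLs can only match when the connection is actually bumped, since otherwise Squid never sees the response headers.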
