On 27/06/17 23:53, Daniel Rieken wrote:
> Hello,
>
> I would like to block my users from downloading doc- and docm-files, but not docx. So this works fine for me:
>
> /etc/squid3/blockExtensions.acl:
> \.doc(\?.*)?$
> \.docm(\?.*)?$
>
> acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"
> http_access deny blockExtensions
>
> But in some cases the URL doesn't contain the extension (e.g. doc). For URLs like this the above ACL doesn't work:
> - http://www.example.org/download.pl?file=wordfile
> - http://www.example.org/invoice-5479657415/
>
> Here I need to work with mime-types:
>
> acl blockMime rep_mime_type application/msword
> acl blockMime rep_mime_type application/vnd.ms-word.document.macroEnabled.12
> http_reply_access deny blockMime
>
> This works fine, too. But I see a problem: The mime-type is defined on the webserver. So the bad guy could configure his webserver to serve a doc-file as application/i.am.not.a.docfile and the above ACL isn't working anymore.

HTTP contains no concept of "file". That is a human concept. All of what you mention above are the consequences of that difference.
I recommend you drop this concept of "file" from your thinking and concentrate on detecting what HTTP details represent a bad HTTP message. The "file" related things should be dealt with at other layers by other software like AV scanning or, as Brendan suggested, ICAP payload scanners.
Amos
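
Added example, not part of the original thread and not Squid or ICAP code: a sketch of the content-based check a payload scanner could apply to a reply body, which still flags doc and docm payloads when the URL has no extension and the server declares a misleading Content-Type. The function names and the sample bodies are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy compound file (.doc/.xls/.ppt)
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
BLOCKED = {"ole2-compound", "ooxml-macro"}

def classify(body: bytes) -> str:
    """Classify a response body by its content, ignoring URL and Content-Type."""
    if body.startswith(OLE2_MAGIC):
        return "ole2-compound"
    if body.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as z:
                names = set(z.namelist())
                if "[Content_Types].xml" not in names:
                    return "zip"
                types = z.read("[Content_Types].xml")
        except zipfile.BadZipFile:
            return "unknown"
        # .docm declares a macro-enabled main part and normally carries a VBA project.
        if MACRO_MAIN in types or "word/vbaProject.bin" in names:
            return "ooxml-macro"
        return "ooxml"
    return "other"

def verdict(declared_mime: str, body: bytes) -> str:
    """Deny on content; the declared MIME type is only reported, never trusted."""
    kind = classify(body)
    return f"{'deny' if kind in BLOCKED else 'allow'} ({kind}, declared {declared_mime})"

def _make_zip(parts: dict) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: skeletal containers, not real documents.
DOC = OLE2_MAGIC + b"\x00" * 504
DOCM = _make_zip({"[Content_Types].xml": b'<Override ContentType="' + MACRO_MAIN + b'"/>',
                  "word/vbaProject.bin": b"\x00"})
DOCX = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})

if __name__ == "__main__":
    samples = [("application/i.am.not.a.docfile", DOC), ("text/plain", DOCM),
               ("application/octet-stream", DOCX)]
    for mime, body in samples:
        print(verdict(mime, body))
```

The OLE2 signature is shared by legacy .xls and .ppt files, so this check is broader than "doc only", and the ZIP branch needs the complete body because the archive directory sits at the end of the stream.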