[squid-users] Block doc documents

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 27 16:59:36 UTC 2017


On 27/06/17 23:53, Daniel Rieken wrote:
> Hello,
> 
> I would like to block my users from downloading doc- and docm-files,
> but not docx.
> 
> So this works fine for me:
> /etc/squid3/blockExtensions.acl:
> \.doc(\?.*)?$
> \.docm(\?.*)?$
> 
> acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"
> http_access deny blockExtensions
> 
> 
> But in some cases the URL doesn't contain the extension (e.g. doc).
> For URLs like this the above ACL doesn't work:
> - http://www.example.org/download.pl?file=wordfile
> - http://www.example.org/invoice-5479657415/
> 
> Here I need to work with mime-types:
> acl blockMime rep_mime_type application/msword
> acl blockMime rep_mime_type application/vnd.ms-word.document.macroEnabled.12
> http_reply_access deny blockMime
> 
> This works fine, too. But I see a problem: The mime-type is defined on
> the webserver. So the badguy could configure his webserver to serve a
> doc-file as application/i.am.not.a.docfile and the above ACL isn't
> working anymore.


HTTP contains no concept of "file". That is a human concept. All of what
you mention above are the consequences of that difference.

I recommend you drop this concept of "file" from your thinking and
concentrate on detecting what HTTP details represent a bad HTTP message.
The "file"-related things should be dealt with at other layers by other
software like AV scanning or, as Brendan suggested, ICAP payload scanners.


Amos
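Added example, not part of Amos's reply or of Squid itself: a small Python script that reproduces the three checks discussed in this thread (the urlpath_regex extension pattern, the rep_mime_type list, and what a payload-inspecting layer such as an AV or ICAP scanner looks at) and runs them over constructed responses. The URL and MIME checks are both decided by data the server chooses; only the byte-level check survives a relabelled Content-Type or an extension-less URL. The OLE2 and ZIP signatures and the OOXML content-type strings are the real ones; the sample responses, the `make_ooxml()` helper and the assumption that urlpath_regex is applied to path plus query are constructed for this example.

```python
"""Constructed demonstration of URL-, MIME- and content-based blocking of Word files."""
import io
import re
import zipfile
from urllib.parse import urlsplit

# The two patterns from blockExtensions.acl in the thread, folded into one regex.
BLOCK_EXT_RE = re.compile(r"\.(doc|docm)(\?.*)?$", re.IGNORECASE)
# The two media types from the rep_mime_type ACL in the thread.
BLOCK_MIME = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
}

# Real format signatures: legacy .doc is an OLE2/CFB container; .docx and .docm
# are ZIP (OOXML) archives whose [Content_Types].xml names the main document part.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def url_blocked(url):
    """Mimic urlpath_regex: test path plus query (assumption), never scheme or host."""
    parts = urlsplit(url)
    urlpath = parts.path + ("?" + parts.query if parts.query else "")
    return BLOCK_EXT_RE.search(urlpath) is not None


def mime_blocked(content_type):
    """Mimic rep_mime_type: compare the media type only, ignoring parameters."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in BLOCK_MIME


def sniff_word_format(body):
    """Classify by the bytes themselves; the server cannot relabel these away."""
    if body.startswith(OLE2_MAGIC):
        return "doc"  # OLE2 container (legacy Word; xls/ppt share this magic)
    if body.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            return None
        if DOCM_MAIN in types:
            return "docm"
        if DOCX_MAIN in types:
            return "docx"
    return None


def decide(url, content_type, body):
    """Return (blocked, reason): first check that fires wins."""
    if url_blocked(url):
        return True, "url"
    if mime_blocked(content_type):
        return True, "mime"
    if sniff_word_format(body) in ("doc", "docm"):
        return True, "content"
    return False, "allowed"


def make_ooxml(main_content_type):
    """Constructed minimal OOXML-style archive (hypothetical helper, for the demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_content_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    legacy_doc = OLE2_MAGIC + b"\x00" * 16  # constructed stand-in for a .doc body
    cases = [
        ("http://www.example.org/report.doc", "application/msword", legacy_doc),
        ("http://www.example.org/download.pl?file=wordfile", "application/msword", legacy_doc),
        # Extension hidden and Content-Type relabelled: only the payload check catches it.
        ("http://www.example.org/invoice-5479657415/", "application/i.am.not.a.docfile", legacy_doc),
        ("http://www.example.org/report.docx", "application/octet-stream", make_ooxml(DOCX_MAIN)),
    ]
    for url, ctype, body in cases:
        print(f"{url:55} {ctype:35} -> {decide(url, ctype, body)}")
```

The third case is the one the thread worries about: neither Squid ACL fires, and the decision comes from the payload, which is exactly the layer Amos points to. In a real deployment that sniffing happens in the AV or ICAP service, not in Squid's ACLs.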
