[squid-users] squid block by Content-Type or Content-Disposition

Amos Jeffries squid3 at treenet.co.nz
Mon May 29 12:22:03 UTC 2017


On 29/05/17 23:47, Vieri wrote:
> Hi,
>
> I'm unable to block specific file downloads in http/https traffic. For example, I'd like to block .cab files from being downloaded.
>
> Here's what I have:
>
> # grep cab /usr/local/proxy-settings/denied.filetypes
> \.cab(\?.*)?$
>
> # grep -v ^# squid.test.conf | grep -v ^$
> http_access allow localhost manager
> http_access deny manager
> http_port 3228 tproxy
> https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl interceptedhttp myportname 3228
> acl interceptedhttps myportname 3229
> acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
> acl denied_mimetypes_req req_mime_type -i application/x-cab
> acl denied_mimetypes_rep rep_mime_type -i application/x-cab
> http_access deny denied_mimetypes_req
> http_access deny denied_mimetypes_rep
> http_access deny denied_filetypes
>
> In cache.log I see:
>
> Content-Type: application/x-cab
> Content-Disposition: attachment;filename="fake.cab";filename*=UTF-8''fake.cab
>
> BTW if I replace the following:
>
> acl denied_mimetypes_req req_mime_type -i application/x-cab
> acl denied_mimetypes_rep rep_mime_type -i application/x-cab
>
> with
>
> acl denied_mimetypes_req req_mime_type -i application/x-
> acl denied_mimetypes_rep rep_mime_type -i application/x-
>
> then the cab file downloads are correctly blocked. This is obviously too restrictive.
>
> This must be a dumb mistake on my behalf.
> What am I missing?

Several things:

1) http_access is tested only for requests.

response/reply messages are controlled through http_reply_access.
<http://www.squid-cache.org/Doc/config/http_reply_access>

2) rep_mime_type ACL (note the 'p') tests reply headers, thus for use in 
http_reply_access and will not work in http_access.

3) req_mime_type ACL (note the 'q') tests request headers. It is for 
upload file types (POST, PUT etc).


Amos
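The posted fragment rearranged along the lines of the three points above, added here as an illustration rather than taken from the thread; the rep_header ACL on Content-Disposition is an addition that the reply does not mention, and the ACL names and the denied.filetypes path are the ones from the original post.

```conf
# Added example, not from the original thread: request-side and
# reply-side checks split across the directives that actually see them.

# Request side. http_access is evaluated only on requests, so only the
# URL-path ACL and the request-MIME (upload) ACL can match here.
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i application/x-cab
http_access deny denied_filetypes
http_access deny denied_mimetypes_req

# Reply side. rep_mime_type (and rep_header) look at the origin server's
# response headers, which only exist by the time http_reply_access runs.
# For https traffic this presumes the ssl-bump setup from the post, since
# unbumped TLS replies have no readable headers to test.
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
# Catch attachments named *.cab even when the Content-Type is generic.
# Matches both filename="fake.cab" and filename*=UTF-8''fake.cab forms.
acl denied_disposition rep_header Content-Disposition -i filename.*\.cab
http_reply_access deny denied_mimetypes_rep
http_reply_access deny denied_disposition
# Explicit final rule: if no line matches, Squid applies the opposite of
# the last rule, so end with an allow to keep other replies flowing.
http_reply_access allow all
```

A blocked reply shows up in access.log with the TCP_DENIED_REPLY status, which is the quickest way to confirm the reply-side ACLs are the ones firing.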


