[squid-users] Block doc documents

Daniel Rieken danielrieken89 at gmail.com
Tue Jun 27 11:53:26 UTC 2017


Hello,

I would like to block my users from downloading doc- and docm-files,
but not docx.

So this works fine for me:
/etc/squid3/blockExtensions.acl:
\.doc(\?.*)?$
\.docm(\?.*)?$

acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"
http_access deny blockExtensions


But in some cases the URL doesn't contain the extension (e.g. doc).
For URLs like this the above ACL doesn't work:
- http://www.example.org/download.pl?file=wordfile
- http://www.example.org/invoice-5479657415/

Here I need to work with mime-types:
acl blockMime rep_mime_type application/msword
acl blockMime rep_mime_type application/vnd.ms-word.document.macroEnabled.12
http_reply_access deny blockMime

This works fine, too. But I see a problem: The mime-type is defined on
the webserver. So the badguy could configure his webserver to serve a
doc-file as application/i.am.not.a.docfile and the above ACL isn't
working anymore.
Is there any way to make squid block doc- and docm files based on the
response-headers file-type?
Or in other words: Is squid able to match the "doc" in the
Content-Disposition header of the response?

HTTP/1.0 200 OK
Date: Tue, 27 Jun 2017 11:40:57 GMT
Server: Apache Phusion_Passenger/4.0.10 mod_bwlimited/1.4
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Content-Type: application/baddoc
Content-Disposition: attachment;
filename="gescanntes-Dokument-VPPAW-072-JCD3032.doc"
Content-Transfer-Encoding: binary
X-Powered-By: PHP/5.3.29
Connection: close


Regards, Daniel


More information about the squid-users mailing list