[squid-users] squid block by Content-Type or Content-Disposition

Vieri rentorbuy at yahoo.com
Mon May 29 11:47:14 UTC 2017


Hi,

I'm unable to block specific file downloads in http/https traffic. For example, I'd like to block .cab files from being downloaded.

Here's what I have:

# grep cab /usr/local/proxy-settings/denied.filetypes
\.cab(\?.*)?$

# grep -v ^# squid.test.conf | grep -v ^$
http_access allow localhost manager
http_access deny manager
http_port 3228 tproxy
https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl interceptedhttp myportname 3228
acl interceptedhttps myportname 3229
acl denied_filetypes urlpath_regex -i "/usr/local/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab
http_access deny denied_mimetypes_req
http_access deny denied_mimetypes_rep
http_access deny denied_filetypes
http_access deny interceptedhttp !localnet
http_access deny interceptedhttps !localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db_test -M 16MB
sslcrtd_children 10
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
cache_dir diskd /var/cache/squid.test 100 16 256
http_access allow localnet
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
pid_filename /run/squid.test.pid
access_log daemon:/var/log/squid/access.test.log squid
cache_log /var/log/squid/cache.test.log
debug_options rotate=1 ALL,5

In cache.log I see:

Content-Type: application/x-cab
Content-Disposition: attachment;filename="fake.cab";filename*=UTF-8''fake.cab

BTW if I replace the following:

acl denied_mimetypes_req req_mime_type -i application/x-cab
acl denied_mimetypes_rep rep_mime_type -i application/x-cab

with

acl denied_mimetypes_req req_mime_type -i application/x-
acl denied_mimetypes_rep rep_mime_type -i application/x-

then the cab file downloads are correctly blocked. This is obviously too restrictive.

This must be a dumb mistake on my behalf.
What am I missing?

Thanks,

Vieri
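An added example, not part of the original post and not Squid code: a small Python model of the three signals the post tries to filter on (URL path extension, Content-Type, Content-Disposition filename), run against the reply headers quoted from cache.log. It does not reproduce how Squid evaluates its ACLs; the function names and both URL paths are assumptions made for illustration, since the post does not show the request URL.

```python
import re
from urllib.parse import unquote

# Pattern copied from the post's denied.filetypes; Squid's -i maps to IGNORECASE.
DENIED_EXT = re.compile(r"\.cab(\?.*)?$", re.IGNORECASE)
DENIED_MIME = {"application/x-cab"}

def media_type(content_type):
    """Bare media type, lower-cased, with parameters such as charset dropped."""
    return content_type.split(";", 1)[0].strip().lower()

def disposition_filenames(content_disposition):
    """Every filename a Content-Disposition value carries (plain and RFC 5987)."""
    names = []
    # Simplification: assumes no ';' inside a quoted filename.
    for part in content_disposition.split(";")[1:]:
        key, sep, value = part.strip().partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            continue
        if key == "filename":
            names.append(value.strip('"'))
        elif key == "filename*":
            # RFC 5987 form: charset'language'percent-encoded-value
            pieces = value.split("'", 2)
            if len(pieces) == 3:
                names.append(unquote(pieces[2], encoding=pieces[0] or "utf-8",
                                     errors="replace"))
    return names

def deny_reasons(url_path, headers):
    """List which of the three signals would flag this request/reply pair."""
    reasons = []
    if DENIED_EXT.search(url_path):
        reasons.append("url-path")
    if media_type(headers.get("Content-Type", "")) in DENIED_MIME:
        reasons.append("content-type")
    names = disposition_filenames(headers.get("Content-Disposition", ""))
    if any(DENIED_EXT.search(name) for name in names):
        reasons.append("content-disposition")
    return reasons

# Reply headers as quoted from cache.log in the post.
LOGGED = {
    "Content-Type": "application/x-cab",
    "Content-Disposition": "attachment;filename=\"fake.cab\";filename*=UTF-8''fake.cab",
}

if __name__ == "__main__":
    # Constructed URL paths: one ends in .cab, one hides the name behind a script.
    print(deny_reasons("/files/fake.cab", LOGGED))
    print(deny_reasons("/download.php?id=7", LOGGED))
```

With the second URL the extension rule alone reports nothing, while the two reply-header checks still flag the download.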

