Re: [squid-users] Blocking downloads based in file extensions

From: Christoph Haas <email@dont-contact.us>
Date: Tue, 14 Feb 2006 15:42:21 +0100

On Tuesday 14 February 2006 14:50, TL wrote:
> At this moment all the users must authenticate to access internet (NCSA
> AUTH) with porn filtering, and I'm blocking the downloads with an
> external firewall which affects all my users behind squid.

Must... resist... the temptation... to blame... inefficient porn
filtering... ;)

> What I need is to allow/block downloads like *.exe; .dll; .com; etc. to
> common users and allow them to supervisors using their user/pass.

Generally this kind of detection is flawed. Consider these URLs:

http://cgi.ebay.com/bid.dll -> false positive
http://windozeupdate.microshut.com/update.exe -> false positive
http://download.server.net?id=145875 -> false negative

We have tried that for years (actually my predecessors did). And it simply
doesn't work with users of an IQ above 30.

Another way would be looking at the content type that the web site sends
with the URL. But then you still depend on what the web server
administrator does. If everything would look like text/html then your
Squid would just let it through - even if it's porn, MP3s, warez,
downloads, $whatever.

My personal opinion is: Squid is the best open-source proxy in the world.
Just don't try to use it too heavily for security purposes. Since it does
not consider the actual content of what's going through it, most of the
time creating blacklists or ACLs for downloads is wasted. Save the time
(which also costs money) and get another proxy that is content-aware and
run it in a chain. From talking to other proxy admins of organisations,
that is often the approach they use, too.

> -Is it possible to do that based on user/pass instead of IP address?

Sure. Just use the authentication ACL instead of the IP-based ACL there.

> -Could anyone send me an acl example on how to block downloads based on
> file extensions ?

It often looks like this:

acl download_suffix url_regex -i \.(zip|arj|exe|cmd|rar|ace|tar|gz|gtar|rpm|tgz|bz|bz2|bzip|bzip2|elm|bat|vbs|lzh|lha|zoo|chm|sit|msi|iso|mpg|mpeg|mp3|jnlp|bin|drv|sys|scr|mdb|ocx|pif|msg|vsd|vst|386|cab|enc|dml|psf|hqx|mov)($|\?)

Since you want to allow everyone non-downloads and restrict downloads to
admins this would be a way to do it:

http_access allow !download_suffix
# admins is the authentication-based ACL
http_access allow admins
http_access deny all

Kindly
 Christoph

-- 
~
~
".signature" [Modified] 1 line --100%--                1,48         All
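As an added example (not part of the original post), here is a Python simulation of how Squid's first-match http_access evaluation would treat requests under the three rules above, using the url_regex from the post joined onto one line. The admin user set and the sample URLs are constructed; a real proxy_auth ACL would first challenge an unauthenticated client with a 407, which the simulation collapses into "does not match admins".

```python
import re
from typing import Optional

# The url_regex from the post, joined onto one line (Squid reads it as one token).
DOWNLOAD_SUFFIX = re.compile(
    r"\.(zip|arj|exe|cmd|rar|ace|tar|gz|gtar|rpm|tgz|bz|bz2|bzip|bzip2|elm|bat|"
    r"vbs|lzh|lha|zoo|chm|sit|msi|iso|mpg|mpeg|mp3|jnlp|bin|drv|sys|scr|mdb|ocx|"
    r"pif|msg|vsd|vst|386|cab|enc|dml|psf|hqx|mov)($|\?)",
    re.IGNORECASE,  # the -i flag on the acl line
)

# Constructed: usernames the authentication-based "admins" ACL would match.
ADMINS = {"alice"}

# The three http_access lines, in order: (action, acl name, negated?)
HTTP_ACCESS = [
    ("allow", "download_suffix", True),   # http_access allow !download_suffix
    ("allow", "admins", False),           # http_access allow admins
    ("deny", "all", False),               # http_access deny all
]


def is_download(url: str) -> bool:
    """True when the URL matches the download_suffix ACL."""
    return DOWNLOAD_SUFFIX.search(url) is not None


def http_access(url: str, user: Optional[str]) -> str:
    """First-match evaluation of the http_access list, as Squid does it.

    user is the authenticated proxy username, or None when the request
    carries no credentials (treated here as not matching "admins").
    """
    acl_matches = {
        "download_suffix": is_download(url),
        "admins": user in ADMINS,
        "all": True,
    }
    for action, acl, negated in HTTP_ACCESS:
        if acl_matches[acl] != negated:   # the line matches
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

Running the post's own URLs through it shows the point made above: update.exe is denied for an unauthenticated user and allowed for an admin, while the query-string download `?id=145875` never matches the regex and is allowed to everyone.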
Received on Tue Feb 14 2006 - 07:42:32 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST