Re: [squid-users] blocking binary download

From: Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>
Date: Wed, 08 Jul 2009 14:43:44 +0200

I'm quite stupid,

I was already correcting this, when I saw your answer.

The working rule is the following:

acl contenttypes rep_mime_type video audio application/octet-stream \
                 application/x-msdownload application/exe \
                 application/x-exe \
                 application/dos-exe vms/exe application/x-winexe \
                 application/msdos-windows application/x-msdos-program \
                 binary

http_reply_access deny contenttypes

Changes: reP_mime_type instead of reQ_mime_type in the acl,
and http_reply_access instead of the request_header_access rule.

Adrian Chadd wrote:
> req_mime_type won't help you if it's what I remember it being, a
> -request- mime type.
>
> You need to block on the -reply- mime type.
>
>
> adrian
>
> 2009/7/8 Erwann PENCREACH <erwann.pencreach_at_ch-chaumont.fr>:
>> Hi all,
>>
>> I'm trying to write rules that will block binary downloads
>>
>> What I've written:
>>
>> acl contenttype1 req_mime_type video audio application/octet-stream \
>> application/x-msdownload application/exe \
>> application/x-exe \
>> application/dos-exe vms/exe application/x-winexe \
>> application/msdos-windows application/x-msdos-program \
>> binary
>>
>> request_header_access Content-Type deny contenttype1
>>
>>
>> I checked it with nvidia drivers download, but this rule doesn't work.
>>
>>
>> $ sudo tcpflow -vvv -c -i bond0 src X.X.X.X
>> [...]
>> tcpflow[32412]: 010.012.011.010.03809-010.012.003.001.03128: new flow
>> 010.012.011.010.03809-010.012.003.001.03128: GET
>> http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe
>> HTTP/1.1
>> Host: us.download.nvidia.com
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.10; .NET
>> CLR 2.0.50727; ffco7) Gecko/2009042316 Firefox/3.0.10
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Proxy-Connection: keep-alive
>> Referer:
>> http://www.nvidia.com/content/DriverDownload/download_confirmation.asp?kw=&url=http://us.download.nvidia.com/Windows/186.18/186.18_desktop_winxp_32bit_english_whql.exe
>> Cookie: s_cc=true; s_nr=1247055367647; s_sq=%5B%5BB%5D%5D;
>> s_vi=[CS]v1|4A548C4E0000425B-A3A081300001672[CE]
>>
>>
>> This is the last tcpflow block I obtain, just before the download box pops
>> up on screen (asking me if I want to run or download the binary).
>>
>>
>> I'm using squid 3 + squidGuard. Is there any way to make it work properly?
>>
>> My predecessor wrote rules based on url_regex to do that job on the former
>> proxy, but this filtering is too large (no url containing exe at any place
>> is granted).
>>
>> Thanks for your help (and be tolerant of my poor English level)
>>
>> --
>> This e-mail has been scanned and is free of viruses known to
>> date.
>> Contact your administrator for more information.
>> postmaster_at_ch-chaumont.fr
>>

Received on Wed Jul 08 2009 - 12:43:54 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 09 2009 - 12:00:03 MDT
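
The difference between the two ACL types discussed in this thread, as an added example that is not part of the original messages and not Squid's own code: a simplified Python model of matching the acl's patterns against a message's Content-Type. The reply headers, the intranet URL and the url_regex stand-in are constructed assumptions; the thread shows neither the server's reply nor the old rule.

```python
import re

# Patterns copied from the contenttypes acl in the thread; Squid treats each
# one as an unanchored, case-sensitive regex unless -i is given.
PATTERNS = [
    "video", "audio", "application/octet-stream", "application/x-msdownload",
    "application/exe", "application/x-exe", "application/dos-exe", "vms/exe",
    "application/x-winexe", "application/msdos-windows",
    "application/x-msdos-program", "binary",
]

def mime_acl_match(headers, patterns=PATTERNS):
    """Model of req_/rep_mime_type: search the Content-Type of one message.
    Returns the first matching pattern, or None (also when the header is absent)."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if ctype is None:
        return None
    return next((p for p in patterns if re.search(p, ctype)), None)

def reply_decision(reply_headers):
    """Model of 'http_reply_access deny contenttypes' as the only rule:
    deny on match, otherwise the opposite of the last rule (allow)."""
    return "deny" if mime_acl_match(reply_headers) else "allow"

def url_rule_blocks(url):
    """Assumed stand-in for the old url_regex rule: any URL containing 'exe'."""
    return re.search("exe", url) is not None

# Request headers from the tcpflow capture in the thread (abridged). A GET
# carries no body, so there is no Content-Type for req_mime_type to match;
# the Accept header is not what the acl inspects.
REQUEST = {
    "Host": "us.download.nvidia.com",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip,deflate",
}
# Constructed reply headers (assumption: the server labels the .exe this way).
EXE_REPLY = {"Content-Type": "application/octet-stream"}
# Constructed harmless page whose URL happens to contain "exe".
HTML_URL = "http://intranet.example/executive-summary.html"
HTML_REPLY = {"Content-Type": "text/html; charset=ISO-8859-1"}

if __name__ == "__main__":
    print("req_mime_type on the GET:", mime_acl_match(REQUEST))
    print("rep_mime_type on the reply:", mime_acl_match(EXE_REPLY))
    print("reply rule on the .exe:", reply_decision(EXE_REPLY))
    print("old URL rule on the HTML page:", url_rule_blocks(HTML_URL))
    print("reply rule on the HTML page:", reply_decision(HTML_REPLY))
```
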