Re: [squid-users] how to block file uploads with squid

From: serfer <iftikhar78_at_hotmail.com>
Date: Thu, 3 Dec 2009 03:13:38 -0800 (PST)

Thanks fpmurphy.
Can you please tell me other MIME types? I don't know whether I placed the
directive at the right place. My squid.conf file ACL configurations are as under:

# ACCESS CONTROLS
# ----------------------------------------------------------------------
# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the arp ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet, then Squid cannot
# # find out its MAC address.
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below)
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunneling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types HTTP tunneling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known response headers.
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl urlgroup group1 ...
# # match against the urlgroup as indicated by redirectors
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl
# # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$

#Recommended minimum configuration:

##################################################
acl mynetwork src 192.168.151.0/255.255.255.0 192.168.50.0/255.255.255.0 192.168.65.0/255.255.255.0 192.168.152.0/255.255.255.0 192.168.60.0/255.255.255.0 10.200.12.0/255.255.255.0 192.132.140.0/255.255.255.0 192.172.2.0/255.255.255.192 192.172.1.0/255.255.255.192 192.101.11.0/24 115.20.0.0/24 115.20.1.0/24 115.20.116.0/24 115.20.115.0/24 115.20.112.0/24 192.168.52.0/24 192.172.3.0/26 192.168.155.0/24 10.1.10.0/24 10.1.45.12/32 172.25.0.0/24
###################################################

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 #
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
#acl Safe_ports port 9-65535
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access deny fileupload

http_access allow mynetwork
http_access allow localhost
http_access deny all

i also have dansguardian running on the same proxy server for webfiltering.

-- 
View this message in context: http://old.nabble.com/how-to-block-file-uploads-with-squid-tp26525306p26624330.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu Dec 03 2009 - 11:13:44 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 03 2009 - 12:00:01 MST
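The rule placement and the req_mime_type regex from the posted squid.conf can be checked with the small Python model below. It is an added example, not code from the original post or from the Squid project; it assumes Squid's documented first-match evaluation of http_access lines (with the opposite of the last line's action as the fallback when nothing matches) and that the req_mime_type regex is searched in the whole Content-Type header value the client sent. The sample requests, the outside address 203.0.113.5 and the reduction of mynetwork to the single subnet 192.168.151.0/24 are constructed for the example. It shows that `deny fileupload` placed before `allow mynetwork`, as in the post, is actually reached, that moving it after the allow makes it dead, and that a browser upload carries `multipart/form-data; boundary=...`, so a regex anchored with `$` never matches a real upload while the unanchored form does.

```python
import ipaddress
import re

# Constructed sample requests as the proxy would see them (not captured from the
# poster's server). Browsers send multipart uploads with a boundary parameter.
UPLOAD_FROM_LAN = {
    "src": "192.168.151.10",
    "method": "POST",
    "content_type": "multipart/form-data; boundary=----ExampleBoundary1234",
}
PLAIN_GET_FROM_LAN = {"src": "192.168.151.10", "method": "GET", "content_type": None}
UPLOAD_FROM_OUTSIDE = dict(UPLOAD_FROM_LAN, src="203.0.113.5")  # constructed, not in mynetwork

# http_access order as in the posted squid.conf: deny fileupload before allow mynetwork.
RULES_AS_POSTED = [("deny", "fileupload"), ("allow", "mynetwork"), ("deny", "all")]
# The same lines with the deny moved after the allow, to show why placement matters.
RULES_MISPLACED = [("allow", "mynetwork"), ("deny", "fileupload"), ("deny", "all")]

# mynetwork reduced to one of the posted subnets to keep the example short (assumption).
MYNETWORK = [ipaddress.ip_network("192.168.151.0/24")]


def req_mime_type_matches(pattern, content_type, ignore_case=True):
    """Model of 'acl name req_mime_type [-i] regex': the regex is searched in the
    request's Content-Type header value; a request without that header is ''."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, content_type or "", flags) is not None


def build_acls(upload_pattern):
    """ACL table for the three names used in the posted http_access lines."""
    return {
        "mynetwork": lambda req: any(
            ipaddress.ip_address(req["src"]) in net for net in MYNETWORK
        ),
        "fileupload": lambda req: req_mime_type_matches(upload_pattern, req["content_type"]),
        "all": lambda req: True,
    }


def decide(rules, upload_pattern, req):
    """First matching http_access line wins. If no line matches, Squid applies
    the opposite of the last line's action."""
    acls = build_acls(upload_pattern)
    for action, acl_name in rules:
        if acls[acl_name](req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    cases = [
        ("posted order, anchored regex, LAN upload", RULES_AS_POSTED, r"^multipart/form-data$", UPLOAD_FROM_LAN),
        ("posted order, unanchored regex, LAN upload", RULES_AS_POSTED, r"^multipart/form-data", UPLOAD_FROM_LAN),
        ("deny moved after allow, LAN upload", RULES_MISPLACED, r"^multipart/form-data", UPLOAD_FROM_LAN),
        ("posted order, plain GET from LAN", RULES_AS_POSTED, r"^multipart/form-data", PLAIN_GET_FROM_LAN),
        ("posted order, upload from outside", RULES_AS_POSTED, r"^multipart/form-data", UPLOAD_FROM_OUTSIDE),
    ]
    for label, rules, pattern, req in cases:
        print(f"{label}: {decide(rules, pattern, req)}")
```

Because req_mime_type only sees the Content-Type the client chose to declare, this is a policy control rather than a hard boundary; confirm the behaviour on your own Squid version with a test upload through the proxy and the corresponding access.log entry.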