Visit Our UNIX and Linux User Community


Blocking File Uploads with Squid

 
Thread Tools Search this Thread
Special Forums UNIX and Linux Applications Infrastructure Monitoring Blocking File Uploads with Squid
# 1  
Old 11-26-2009
Blocking File Uploads with Squid

Dear All

I want to block email attachments upload on internet through different mail servers. My requirement is that no user can send email attachments on yahoo, hotmail, gmail etc. I have RHEL-5 and squid 2.7. I have applied the undermentioned ACL but it in vain
ACL is

acl fileupload req_mime_type -i ^multipart/form-data$
http_access deny fileupload.

Waiting for ur valuable reply

Last edited by surfer24; 11-26-2009 at 05:22 AM..
This User Gave Thanks to surfer24 For This Post:
# 2  
Old 11-26-2009
Assuming that you have placed the directives in the correct place in the config file ...

You are only blocking one type of MIME attachment. There are many others. Also most MINE types have additional parameters and thus you use of ^ and $ are preventing a match.
# 3  
Old 12-03-2009
thanks fpmurphy
can u please tell me other mime types, i dont know whether i placed directive at right place my squid.conf file ACLs configurations are as under

Code:
# ACCESS CONTROLS
# ----------------------------------------------------------------------
#  TAG: acl
#       Defining an Access List
#
#       acl aclname acltype string1 ...
#       acl aclname acltype "file" ...
#
#       when using "file", the file should contain one item per line
#
#       acltype is one of the types described below
#
#       By default, regular expressions are CASE-SENSITIVE.  To make
#       them case-insensitive, use the -i option.
#
#       acl aclname src      ip-address/netmask ... (clients IP address)
#       acl aclname src      addr1-addr2/netmask ... (range of addresses)
#       acl aclname dst      ip-address/netmask ... (URL host's IP address)
#       acl aclname myip     ip-address/netmask ... (local socket IP address)
#
#       acl aclname arp      mac-address ... (xx:xx:xx:xx:xx:xx notation)
#         # The arp ACL requires the special configure option --enable-arp-acl.
#         # Furthermore, the arp ACL code is not portable to all operating systems.
#         # It works on Linux, Solaris, FreeBSD and some other *BSD variants.
#         #
#         # NOTE: Squid can only determine the MAC address for clients that are on
#         # the same subnet. If the client is on a different subnet, then Squid cannot
#         # find out its MAC address.
#
#       acl aclname srcdomain   .foo.com ...    # reverse lookup, client IP
#       acl aclname dstdomain   .foo.com ...    # Destination server from URL
#       acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
#       acl aclname dstdom_regex [-i] xxx ...   # regex matching server
#         # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
#         # based URL is used and no match is found. The name "none" is used
#         # if the reverse lookup fails.
#
#       acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#           day-abbrevs:
#               S - Sunday
#               M - Monday
#               T - Tuesday
#               W - Wednesday
#               H - Thursday
#               F - Friday
#               A - Saturday
#           h1:m1 must be less than h2:m2
#       acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
#       acl aclname urlpath_regex [-i] \.gif$ ...       # regex matching on URL path
#       acl aclname urllogin [-i] [^a-zA-Z0-9] ...      # regex matching on URL login field
#       acl aclname port     80 70 21 ...
#       acl aclname port     0-1024 ...         # ranges allowed
#       acl aclname myport   3128 ...           # (local socket TCP port)
#       acl aclname proto    HTTP FTP ...
#       acl aclname method   GET POST ...
#       acl aclname browser  [-i] regexp ...
#         # pattern match on User-Agent header (see also req_header below)
#       acl aclname referer_regex  [-i] regexp ...
#         # pattern match on Referer header
#         # Referer is highly unreliable, so use with care
#       acl aclname ident    username ...
#       acl aclname ident_regex [-i] pattern ...
#         # string match on ident output.
#         # use REQUIRED to accept any non-null ident.
#       acl aclname src_as   number ...
#       acl aclname dst_as   number ...
#         # Except for access control, AS numbers can be used for
#         # routing of requests to specific caches. Here's an
#         # example for routing all requests for AS#1241 and only
#         # those to mycache.mydomain.net:
#         # acl asexample dst_as 1241
#         # cache_peer_access mycache.mydomain.net allow asexample
#         # cache_peer_access mycache_mydomain.net deny all
#
#       acl aclname proxy_auth [-i] username ...
#       acl aclname proxy_auth_regex [-i] pattern ...
#         # list of valid usernames
#         # use REQUIRED to accept any valid username.
#         #
#         # NOTE: when a Proxy-Authentication header is sent but it is not
#         # needed during ACL checking the username is NOT logged
#         # in access.log.
#         #
#         # NOTE: proxy_auth requires a EXTERNAL authentication program
#         # to check username/password combinations (see
#         # auth_param directive).
#         #
#         # WARNING: proxy_auth can't be used in a transparent proxy. It
#         # collides with any authentication done by origin servers. It may
#         # seem like it works at first, but it doesn't.
#
#       acl aclname snmp_community string ...
#         # A community string to limit access to your SNMP Agent
#         # Example:
#         #
#         #     acl snmppublic snmp_community public
#
#       acl aclname maxconn number
#         # This will be matched when the client's IP address has
#         # more than <number> HTTP connections established.
#
#       acl aclname max_user_ip [-s] number
#         # This will be matched when the user attempts to log in from more
#         # than <number> different ip addresses. The authenticate_ip_ttl
#         # parameter controls the timeout on the ip entries.
#         # If -s is specified the limit is strict, denying browsing
#         # from any further IP addresses until the ttl has expired. Without
#         # -s Squid will just annoy the user by "randomly" denying requests.
#         # (the counter is reset each time the limit is reached and a
#         # request is denied)
#         # NOTE: in acceleration mode or where there is mesh of child proxies,
#         # clients may appear to come from multiple addresses if they are
#         # going through proxy farms, so a limit of 1 may cause user problems.
#
#       acl aclname req_mime_type mime-type1 ...
#         # regex match against the mime type of the request generated
#         # by the client. Can be used to detect file upload or some
#         # types HTTP tunneling requests.
#         # NOTE: This does NOT match the reply. You cannot use this
#         # to match the returned file type.
#
#       acl aclname req_header header-name [-i] any\.regex\.here
#         # regex match against any of the known request headers.  May be
#         # thought of as a superset of "browser", "referer" and "mime-type"
#         # ACLs.
#
#       acl aclname rep_mime_type mime-type1 ...
#         # regex match against the mime type of the reply received by
#         # squid. Can be used to detect file download or some
#         # types HTTP tunneling requests.
#         # NOTE: This has no effect in http_access rules. It only has
#         # effect in rules that affect the reply data stream such as
#         # http_reply_access.
#
#       acl aclname rep_header header-name [-i] any\.regex\.here
#         # regex match against any of the known response headers.
#       acl acl_name external class_name [arguments...]
#         # external ACL lookup via a helper class defined by the
#         # external_acl_type directive.
#
#       acl urlgroup group1 ...
#         # match against the urlgroup as indicated by redirectors
#
#       acl aclname user_cert attribute values...
#         # match against attributes in a user SSL certificate
#         # attribute is one of DN/C/O/CN/L/ST
#
#       acl aclname ca_cert attribute values...
#         # match against attributes a users issuing CA SSL certificate
#         # attribute is one of DN/C/O/CN/L/ST
#
#       acl aclname ext_user       username ...
#       acl aclname ext_user_regex [-i] pattern ...
#         # string match on username returned by external acl
#         # use REQUIRED to accept any user name.
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$

#Recommended minimum configuration:

##################################################
acl mynetwork src 192.168.151.0/255.255.255.0 192.168.50.0/255.255.255.0 192.168.65.0/255.255.255.0 192.168.152.0/255.255.255.0 192.168.60.0/255.255.255.0 10.200.12.0/255.255.255.0 192.132.140.0/255.255.255.0 192.172.2.0/255.255.255.192 192.172.1.0/255.255.255.192 192.101.11.0/24 115.20.0.0/24 115.20.1.0/24 115.20.116.0/24 115.20.115.0/24 115.20.112.0/24 192.168.52.0/24 192.172.3.0/26 192.168.155.0/24 10.1.10.0/24 10.1.45.12/32 172.25.0.0/24
###################################################

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # 
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
#acl Safe_ports port 9-65535
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access deny fileupload

http_access allow mynetwork
http_access allow localhost
http_access deny all

i also have dansguardian running on the same proxy server for webfiltering.

Last edited by surfer24; 12-03-2009 at 07:20 AM.. Reason: code tags, please...

Previous Thread | Next Thread
Test Your Knowledge in Computers #661
Difficulty: Easy
DOS uses the File Access Table (FAT) filesystem.
True or False?

9 More Discussions You Might Find Interesting

1. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

2. IP Networking

Squid vs iptables = no Squid access.log?

Hello, I have a pretty useless satellite link at home (far from any civilization), so I wanted to set up caching in order to speed things up. My Squid 2.6 runs "3128 transparent" and is set up quite well on a separate machine. I also have my dd-wrt router to move all port 80 traffic through... (0 Replies)
Discussion started by: theWojtek
0 Replies

3. IP Networking

Blocking sites with squid

Hi i have created a proxy with squid and i need to block all domains of yahoo let's say . i have to configure squid.conf but idk how.. (1 Reply)
Discussion started by: g0dlik3
1 Replies

4. Shell Programming and Scripting

Script for Removing Lines from File / Blocking internet connection

Hey all. I am trying to write some scripts and need some assistance. One: I already have a script that appends lines to a file. I need a script that will remove those lines from that file, and have no idea how to go about doing this. Just need the command (if any) that can remove lines. ... (2 Replies)
Discussion started by: Dysruption
2 Replies

5. IP Networking

Blocking HTTP tunnel in squid proxy 2.5

Does any one know how to block HTTP Tunnel in squid proxy server. Pls reply (1 Reply)
Discussion started by: vishwanathhcl
1 Replies

6. Shell Programming and Scripting

grep and check uploads

Hi, In suhosin php hardening patch there is an option of scanning uploaded files via php or web. upload verification_script ============================== * Type: String * Default: This defines the full path to a verification script for uploaded files. The... (0 Replies)
Discussion started by: fed.linuxgossip
0 Replies

7. Shell Programming and Scripting

monitor daily file uploads

hey all, i am a shell scripting n00b so bear with me. i got a server that every night uploads one file to a remote server. the file is prodserver_date_time. i would like to make a script, run by root on a daily cron job. i want it to determine if the file was received or not. no md5... (2 Replies)
Discussion started by: jweinraub
2 Replies

8. Linux

vsftpd hiding partial uploads

Is there any mechanism within vsftpd to hide partially uploaded files, ie give them a hidden file name. Pro ftp has this option with the hidden stor option in the configuration file. If there is no such feature how do I go about requesting that the vsftpd developers create this option or is... (3 Replies)
Discussion started by: jhod22
3 Replies

9. Programming

Blocking file read

There are many processes writing to log files at random times (they are all programmed in different manners and can not be altered). I am writing a new c program which should read from the log files whenever they are updated. At the moment it is just spooling, waiting for a change in file size, but... (2 Replies)
Discussion started by: cubathy
2 Replies

Featured Tech Videos