Squid proxy : blocking download of some file extensions

A common request in Squid deployments is to block downloads of certain files based on the extension in the URL path. A quick look at Google's results on the subject apparently gives us an easy way to get this done with Squid.

The common solution is to create an ACL file listing regular expressions for the extensions you want to block, then reference that ACL from your http_access rules, placed before any rule that would otherwise allow the client.

blockExtensions.acl

\.exe$

squid.conf

acl blockExtensions urlpath_regex -i "/etc/squid/blockExtensions.acl"

[...]

http_access allow localnet !blockExtensions

Unfortunately this is not enough to prevent users from downloading .exe files. The mistake is the assumption that the URL path will strictly end with the extension we want to block. Consider the two examples below:

http://download.com/badass.exe     // will be DENIED as expected

http://download.com/badass.exe?    // WON'T be denied: the path "/badass.exe?" does not end with ".exe", so the regex does not match!

Squid matches these ACLs with POSIX extended regular expressions, the same syntax as egrep, and urlpath_regex is applied to the path together with the query string (a # fragment never leaves the browser, so it needs no handling). So we need to change our blockExtensions.acl file to accept an optional ?whatever string trailing the file name; the -i flag already takes care of upper-case extensions such as .EXE. Here's a version that handles the query-string case:

blockExtensions.acl

\.exe(\?.*)?$
\.msi(\?.*)?$
\.msu(\?.*)?$
\.torrent(\?.*)?$
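Before loading a new blockExtensions.acl into Squid it is worth dry-running it against the URL paths you expect to see. The script below is an added example, not code from the original post: it feeds the post's naive and corrected ACL files to grep -E, which uses the same POSIX extended regex syntax Squid does, with -i standing in for the ACL's -i flag. The sample paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run a blockExtensions.acl
# against sample URL paths with grep -E (POSIX extended regex, as in Squid)
# before loading it into Squid. All paths below are constructed.

ACL_DIR=$(mktemp -d)
trap 'rm -rf "$ACL_DIR"' EXIT

# The post's first (naive) ACL file and its corrected version.
printf '%s\n' '\.exe$' > "$ACL_DIR/naive.acl"
printf '%s\n' '\.exe(\?.*)?$' '\.msi(\?.*)?$' '\.msu(\?.*)?$' \
    '\.torrent(\?.*)?$' > "$ACL_DIR/fixed.acl"

# decide ACLFILE URLPATH: prints DENY when any regex in ACLFILE matches URLPATH.
# URLPATH is what urlpath_regex sees: path plus query string, without scheme,
# host or #fragment. -i mirrors the ACL's -i flag; -f loads one ERE per line,
# the way Squid reads the file.
decide() {
    if printf '%s\n' "$2" | grep -E -i -q -f "$1"; then
        echo DENY
    else
        echo ALLOW
    fi
}
decide_naive() { decide "$ACL_DIR/naive.acl" "$1"; }
decide_fixed() { decide "$ACL_DIR/fixed.acl" "$1"; }

# report: side-by-side verdicts of both ACL files for the constructed paths.
report() {
    printf '%-24s %-6s %s\n' URLPATH NAIVE FIXED
    while IFS= read -r p; do
        printf '%-24s %-6s %s\n' "$p" "$(decide_naive "$p")" "$(decide_fixed "$p")"
    done <<'EOF'
/badass.exe
/badass.exe?
/badass.exe?mirror=3
/Setup.EXE
/badass.exe.txt
/update.msu?x=1
/some.torrent
/notes.txt
EOF
}

report
```

The naive file lets /badass.exe? and /badass.exe?mirror=3 through while the corrected one denies them; both still allow /badass.exe.txt, which shows the $ anchor is doing its job rather than matching ".exe" anywhere in the path.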

You will still be hated for limiting what people can download and install on their Windows boxes, but at least the rule now matches what it was meant to match. Keep in mind what it does not do: it only looks at the URL path, so it cannot see inside HTTPS connections that Squid merely tunnels with CONNECT, and a file served under another name or extension, or inside an archive, passes straight through. Treat it as a policy nudge, not a security boundary.

11 thoughts on “Squid proxy : blocking download of some file extensions”

  1. Sylvain

    I hate you!
    OK, so you block ?, but what about # ?
    Do Squid consider it part of the url?

    1. ultrabug Post author

      Good question indeed, usually it should not but I guess squid would consider it in the regex matching. So I might indeed be missing the # !

      Since you’re not hating me that much, would you be kind enough to try and report back to me so I can fix my post thanks to your insight? :)

  2. Sylvain

    OK now I hate you twice as much:
    - because the anchor seems not to be included in the urlpath for squid. And it makes sense because it’s the same content being accessed/cached, and the anchor is supposed to be processed on the client side. So your regex matches well.
    - and because for some reason I could download all file types before you applied this patch (even without ?) and now I can’t.

    So thank you Mr SysAdmin!

  3. Bayo

    Does this work for squid version 3.1.19? I tried it on this version and it didn’t work. Please assist.

    1. ultrabug Post author

      Well it should. As 3.1.19 is only a minor release of squid we can expect that they didn’t break anything. What exactly doesn’t work, mate?

      1. Bayo

        I followed the steps above to block torrents both in url and also tried to block the torrent application by configuring the acl port denied. But none of it worked on squid3

        acl smile_lan src 10.32.0.0/23
        acl limited_users src 10.32.0.0/23
        acl blockExtensions urlpath_regex -i "/etc/squid3/blockExtensions.acl"

        acl SSL_ports port 443
        acl Safe_ports port 80 # http
        acl Safe_ports port 21 # ftp
        acl Safe_ports port 443 # https
        acl Safe_ports port 70 # gopher
        acl Safe_ports port 210 # wais
        #acl Safe_ports port 1025-65535 # unregistered ports
        acl Safe_ports port 280 # http-mgmt
        acl Safe_ports port 488 # gss-http
        acl Safe_ports port 591 # filemaker
        acl Safe_ports port 777 # multiling http
        acl Denied_ports port 1025-65535
        acl CONNECT method CONNECT
        acl download method CONNECT
        acl download method GET

        http_access allow manager localhost
        http_access deny manager

        # Deny requests to certain unsafe ports
        http_access deny !Safe_ports
        http_access deny Denied_ports

        # Deny CONNECT to other than secure SSL ports
        http_access deny CONNECT !SSL_ports
        http_access deny CONNECT Denied_ports

        http_access allow localhost
        http_access allow smile_lan
        http_access allow !blockExtensions

        1. ultrabug Post author

          Hello Bayo,

          The http_access rules are processed consecutively until one matches.
          In your case, if the host you’re trying to limit is part of the smile_lan, it will be allowed to access any URL because the rule is written before the !blockExtensions one.

          I think that to resolve this you can either use:
          http_access allow localhost
          http_access allow !blockExtensions smile_lan

          or

          http_access allow localhost
          http_access deny blockExtensions
          http_access allow smile_lan

          Hope this helps.

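The first-match behaviour described in the reply above can be checked without a running proxy. The script below is an added example, not from the post or from Squid itself: a small POSIX shell evaluator modelling Squid's http_access semantics (rules tested top to bottom, every ACL on a line must match, a leading ! negates, the first matching line decides, and when no line matches the opposite of the last line's action applies) run against Bayo's ordering and the two orderings suggested in the reply. The ACL memberships of the sample requests are constructed.

```shell
#!/bin/sh
# Added example (not from the post or from Squid): a tiny evaluator for
# Squid's http_access semantics, to show why the order of the rules matters.
# Modelled: rules are tested top to bottom; every ACL on a line must match
# (a leading ! negates); the first matching line decides; if no line matches,
# Squid applies the opposite of the last line's action.

# decide_http_access "ACLS": ACLS lists the ACL names the request matches;
# the http_access lines (without the "http_access" keyword) come on stdin.
decide_http_access() {
    in_acls=" $1 "
    last=allow
    while read -r action rest; do
        [ -n "$action" ] || continue
        last=$action
        line_matches=1
        for term in $rest; do
            case $term in
                '!'*) name=${term#?}; negate=1 ;;
                *)    name=$term;     negate=0 ;;
            esac
            case $in_acls in
                *" $name "*) hit=1 ;;
                *)           hit=0 ;;
            esac
            # A term holds when the ACL matched and is not negated, or did
            # not match and is negated; otherwise the whole line fails.
            if [ "$hit" -eq "$negate" ]; then
                line_matches=0
                break
            fi
        done
        if [ "$line_matches" -eq 1 ]; then
            echo "$action"
            return 0
        fi
    done
    # No rule matched: the default is the opposite of the last rule's action.
    if [ "$last" = allow ]; then echo deny; else echo allow; fi
}

# verdict RULES ACLS: convenience wrapper taking the rule set as a string.
verdict() {
    printf '%s\n' "$1" | decide_http_access "$2"
}

# Bayo's order: the smile_lan line matches before blockExtensions is consulted.
BAYO='allow localhost
allow smile_lan
allow !blockExtensions'

# The two orderings suggested in the reply.
FIX_AND='allow localhost
allow !blockExtensions smile_lan'
FIX_DENY='allow localhost
deny blockExtensions
allow smile_lan'

# show NAME RULES: a LAN client fetching /badass.exe belongs to smile_lan and
# blockExtensions; an outsider belongs to no ACL at all (constructed cases).
show() {
    printf '%-9s .exe from LAN: %-5s  other from LAN: %-5s  outsider: %s\n' "$1" \
        "$(verdict "$2" 'smile_lan blockExtensions')" \
        "$(verdict "$2" 'smile_lan')" \
        "$(verdict "$2" '')"
}
show BAYO "$BAYO"
show FIX_AND "$FIX_AND"
show FIX_DENY "$FIX_DENY"
```

With Bayo's order the LAN client is allowed to fetch the .exe, and both suggested orderings deny it while still allowing other downloads from the LAN. The evaluator also exposes a second problem in the original order: `allow !blockExtensions` has no source ACL, so a client from outside the LAN is allowed through for any URL that is not a blocked extension, whereas both fixes fall back to deny for such a client.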
  4. ara

    this method will not apply for https links with blocked attachments.. For example when zip attachment is blocked you can still download through yahoo emails and or dropbox .. Any way to block all those as well that are going through https?

    1. ultrabug Post author

      That would require SSL inspection which, AFAIR, you could do on the websites where you actually have the private SSL key but not the others.

