Home / server / Questions / 1051701
Accepted
acgbox
Asked: 2021-01-30 11:06:11 +0800 CST

How to block mime_types by https with Squid?

  • 772

I have this rule to block extensions:

acl bl_ext url_regex -i "/path_to/bl_ext.txt"
http_access deny workdays bl_ext

Example content file "bl_ext.txt":

\.avi([a-zA-Z][0-9]*)?(\?.*)?$
\.m4a([a-zA-Z][0-9]*)?(\?.*)?$
\.m4r([a-zA-Z][0-9]*)?(\?.*)?$
\.m4v([a-zA-Z][0-9]*)?(\?.*)?$
\.mid([a-zA-Z][0-9]*)?(\?.*)?$
\.mov([a-zA-Z][0-9]*)?(\?.*)?$
\.mp3([a-zA-Z][0-9]*)?(\?.*)?$
\.mp4([a-zA-Z][0-9]*)?(\?.*)?$
\.mpeg4([a-zA-Z][0-9]*)?(\?.*)?$
\.mpeg([a-zA-Z][0-9]*)?(\?.*)?$
\.mpegps([a-zA-Z][0-9]*)?(\?.*)?$
\.mpg([a-zA-Z][0-9]*)?(\?.*)?$
#etc, etc, etc

And this rule to block mime_type:

acl bl_mt rep_mime_type -i "/path_to/bl_mt.txt"
http_reply_access deny bl_mt

Example content file "bl_mimetype.txt":

^audio/mp4$
^audio/mpeg$
^audio/wav$
^audio/.wma$
^audio/x-midi$
^audio/x-mp3$
^audio/x-mp4$
^audio/x-mpeg$
^audio/x-mpegurl$
^audio/x-ms-wma$
^audio/x-pn-realaudio$
^audio/x-pn-realaudio-plugin$
^audio/x-scpls$
^audio/x-wav$
^video/
^video/3gpp$
^video/avi$
^video/flash$
^video/flv$
^video/mp4$
^video/mpeg$
^video/mpeg4$
^video/ogg$
# etc, etc, etc

But these rules don't work. According to the analysis I have done, it seems that Squid is unable to block extensions when it is https encrypted traffic (http only)

PD: Additionally I tried with these rules that I found on the internet and neither:

acl video rep_header Content-Type video\/.*
acl audio rep_header Content-Type audio\/.*
http_reply_access deny video
http_reply_access deny audio

and:

acl mediapr urlpath_regex \.(avi|mp4|mov|m4v|mkv|flv|mpg|mpeg|wmv|rmvb|afx|asf|swf)(\?.*)?$
acl mediaprapp url_regex dvrplayer mediastream ^mms://
http_access deny mediapr mediaprapp
# Media Streams
acl media rep_mime_type ^application/x-shockwave-flash$
acl media rep_mime_type ^video/x-ms-asf$
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1$
acl media rep_mime_type ^application/x-mms-framed$
acl media rep_mime_type ^audio/x-pn-realaudio$
acl media rep_mime_type ^video/
acl media rep_mime_type ^video\/
acl media rep_mime_type ^application/x-shockwave-flash
acl media rep_mime_type ^application/vnd.ms.wms-hdr.asfv1
acl media rep_mime_type ^application/x-fcs
acl media rep_mime_type ^application/x-mms-framed
acl media rep_mime_type ^video/x-ms-asf
acl media rep_mime_type ^audio/mpeg
acl media rep_mime_type ^audio/x-scpls
acl media rep_mime_type ^video/x-flv
acl media rep_mime_type ^video/mpeg4
acl media rep_mime_type ms-hdr
acl media rep_mime_type x-fcs
acl media rep_mime_type mms
acl media rep_mime_type x-ms-asf
acl media rep_mime_type video/flv
acl media rep_mime_type video/x-flv
http_reply_access deny media

But nothing happen

Is there any way to block file mime_type file extensions in Squid in proxy-cache mode (not transparent - intercept) coming over https (without using SSL Bumping)?. thanks

PD: If this definitely has to be done with SSL Bump, then I can't. And I wonder if there is another alternative or another program (like a ipset, fail2ban, iptables without string rules because they are unreliable, etc.)?

squid iptables

1 Answers

  1. Best Answer

    SSL Bump to set filters on Squid HTTPS content

    To set ACL's on HTTPS content, you will need to configure SSL Bump in Squid and import a cert that you generate into your browser and/or OS. Firefox has its own certificate store. Other browsers may use the certificate stores on the OS.

    Example from my squid proxy, including comments on how to generate the cert. The NoBump.txt file should contain domains that you do not want to man-in-the-middle, such as banks, some google sub-domains, paypal and anyone else that uses public key pinning.

    acl NoBump dstdomain -i "/etc/squid/acl/NoBump.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# vi /etc/pki/tls/openssl.cnf # edit v3_ca to allow cRLSign, keyCertSign
#  cd /etc/squid/ssl_cert
#  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
#  rsync -av /etc/squid/ssl_cert/myCA.pem /etc/pki/ca-trust/source/anchors/
#  update-ca-trust
#  openssl x509 -in myCA.pem -outform DER -out myCA.der
#  chown squid:squid *;chmod 00400 *.pem
#  Firefox -> Certs -> Authorities -> Import myCA.der
#
# You MUST first initialize the DB and chown its dir to squid:squid
# AND you MUST do this (recreate the DB) any time you change the CA certifiate.
#
# rm -Rf /var/lib/ssl_db
# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db -M 96MB
# chown -R squid:squid /var/lib/ssl_db
# restorecon -F -R -v /var/lib/ssl_db
#
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 96MB
sslcrtd_children 132 startup=32 idle=32
#
http_port 192.168.1.1:3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=32
MB version=1
host_verify_strict off
sslproxy_cafile /etc/ssl/certs/ca-bundle.crt
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_options ALL
sslproxy_session_cache_size 64 MB
ssl_bump peek step1
ssl_bump peek step2 NoBump
ssl_bump splice step3 NoBump
ssl_bump bump all
always_direct allow all

    This is just an example. It would be best to read up on these options and different methods of accomplishing this on Squid's website, as this will change with newer versions of Squid and may vary depending on the version of Squid you are using. Especially pay attention to host_verify_strict as you may want that on depending on what sites you plan to access through this proxy. You will have to add the cert you generated from the comments and import into your cert store of your browser and/or OS.

    • 2