Netgate Discussion Forum

    File upload in squid

      mangeshgg

      Hi,

      I want to restrict file upload through squid proxy.

      Does anyone have an idea about such a type of ACL?
      Or
      Is there any other way to restrict FILE UPLOAD on PFSENSE?

      Mangesh

        Efonnes

        If there is an option to limit how much data can be sent in an HTTP POST request, you could use that.  If such an option exists, you would not want to set the limit too low or legitimate form data might be cut off as well.  Other than that, I don't recall whether there is actually any way of determining whether a section of data in an HTTP POST request was entered from a form or is a file; there may not be.

          brah

          There is a way in vanilla pfSense, although it might not be implemented on the GUI.

          @http://www.experts-exchange.com/OS/Linux/Administration/Q_23504337.html:

          Out of squid.conf:

          #  TAG: request_body_max_size  (KB)
          #      This specifies the maximum size for an HTTP request body.
          #      In other words, the maximum size of a PUT/POST request.
          #      A user who attempts to send a request with a body larger
          #      than this limit receives an "Invalid Request" error message.
          #      If you set this parameter to a zero (the default), there will
          #      be no limit imposed.

          #Default:

          request_body_max_size 0 KB

          This will limit file uploads for ALL users going over this proxy as this currently can't be ACL driven.

          I played a bit and found a solution that should work (at least in my limited testing, it worked):

          You need to add the following lines to your squid.conf:

          --------------------
          external_acl_type request_body %{Content-Length} /var/tmp/request.sh
          acl request_max_1 external request_body 1000000
          acl request_max_3 external request_body 3000000

          /var/tmp/request.sh is the external helper program needed (see code snippet below) and may be placed at any location you want (probably /usr/lib/squid/, this is (on my system) the directory where all the other helper apps reside).

          1000000 would mean 1MB is allowed and 300000 would mean 3MB are allowed (change according to your needs)

          Now you need to apply access rules based on these ACLs in your squid.conf, e.g.:


          acl powerusers src 192.168.1.0/24
          acl students src 192.168.2.0/24

          http_access allow powerusers request_max_3
          http_access allow students request_max_1

          I hope this works for you, it does for me.

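          #!/bin/sh
          # Squid external ACL helper: each input line is "<Content-Length> <limit>".
          # Reply ERR (ACL does not match) when the size exceeds the limit, else OK.

          while read size limit; do
            if [ "${size}" -gt "${limit}" ]; then
              echo ERR
            else
              echo OK
            fi
          done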

          --------------------
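
A stricter variant of the helper quoted above, as an added example that is not part of the thread or of the quoted answer: it validates both fields before comparing them, so a value that is not a plain decimal number never reaches the numeric test. The function names (`is_uint`, `strip_zeros`, `verdict`, `serve`) are chosen here, and it assumes Squid passes `-` when the request has no Content-Length header.

```shell
#!/bin/sh
# Added example, not from the thread: the size helper with input validation.
# Assumed input, one line per lookup: "<Content-Length value> <limit>",
# with "-" in place of the value when the request has no such header.

# Succeeds only for a non-empty string of decimal digits.
is_uint() {
  case "$1" in '' | *[!0-9]*) return 1 ;; esac
}

# Drops leading zeros so that string length reflects magnitude.
strip_zeros() {
  n=$1
  while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
  printf '%s\n' "$n"
}

# Prints OK when the ACL should match (size within limit), else ERR.
verdict() {
  size=$1 limit=$2
  # A malformed or oversized limit is a configuration error: never match.
  is_uint "$limit" || { echo ERR; return 0; }
  limit=$(strip_zeros "$limit")
  [ "${#limit}" -le 18 ] || { echo ERR; return 0; }   # fits in 64 bits
  # No length declared (e.g. a plain GET): same outcome as the posted script.
  [ "$size" = "-" ] && { echo OK; return 0; }
  # Any other value that is not a plain decimal number fails closed.
  is_uint "$size" || { echo ERR; return 0; }
  size=$(strip_zeros "$size")
  # Compare digit counts first; only equal-length values reach the numeric
  # test, so it can never run on a number outside the shell's range.
  [ "${#size}" -gt "${#limit}" ] && { echo ERR; return 0; }
  [ "${#size}" -lt "${#limit}" ] && { echo OK; return 0; }
  if [ "$size" -gt "$limit" ]; then echo ERR; else echo OK; fi
}

# Helper loop: one verdict per input line.
serve() {
  while read -r size limit _; do verdict "$size" "$limit"; done
}

# Demonstration on constructed lines; as a deployed helper, call a bare
# `serve` here instead so it reads Squid's lookups from stdin.
serve <<'EOF'
512 1000000
1000001 1000000
- 3000000
12abc 1000000
99999999999999999999999 3000000
EOF
```

The helper judges only the declared Content-Length header; a request that declares no length takes the `-` branch and matches the ACL, as it does with the posted script.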

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.