Squid content filtering: Block / download of music MP3, mpg, mpeg, exec file by extensions

Posted on in Categories , , , , , , , , , last updated March 31, 2017

For security reasons and to save bandwidth I would like to configure Squid proxy server such way that my users should not download all of the following files:
MP3
MPEG
MPG
AVG
AVI
EXE

How do I configure squid content filtering?

You need to use squid ACL (access control list) to block all files by extensions.

How do I block music files using squid content filtering ACL?

First open your squid.conf file /etc/squid/squid.conf, run:
# vi /etc/squid/squid.conf
Now add the following lines to your squid ACL section:

acl blockfiles urlpath_regex -i "/etc/squid/blocks.files.acl"
You want display custom error message when a file is blocked:
# Deny all blocked extension
error_directory /usr/share/squid/errors/English
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles

Save and close the file.Create a custom error message HTML file called ERR_BLOCKED_FILES in /etc/squid/error/ directory or /usr/share/squid/errors/English directory:
# vi /usr/share/squid/errors/English/ERR_BLOCKED_FILES
Append following content:

<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
<ul>
 <li>Phone: 555-12435 (ext 44)</li>
 <li>Email: [email protected]</li>
</BODY>
</HTML>

Now create a new file named /etc/squid/blocks.files.acl file:
# vi /etc/squid/blocks.files.acl
Append following text:
\.exe(\?.*)?$
\.avi(\?.*)?$
\.bat(\?.*)?$
\.tar(\?.*)?$
\.mpg(\?.*)?$
\.mp3(\?.*)?$
\.mp4(\?.*)?$

Save and close the file. Restart Squid:
# /etc/init.d/squid restart
Squid in action:

Fig.01: Squid in action
Fig.01: Squid in action

Say hello to rep_mime_type

To block Active Stream Format (Windows Media Player) and flash video format, add the following in your squid.conf:

acl media rep_mime_type x-ms-asf
acl mediapr urlpath_regex \.(afx|asf)(\?.*)?$

acl media rep_mime_type video/flv video/x-flv
acl mediapr urlpath_regex \.flv(\?.*)?$

http_access deny mediapr
http_reply_access deny media

Save and close the file. Reload squid server:
# systemctl reload squid
OR
# squid -k reconfigure

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

83 comment

  1. In Squid, i want to do the routing through users?
    eg. user-a, user-b if user a can access internet then data transer through 246kbps line & if user-b access internet then it’s data transer through 1mbps line.
    [note:- user-a & user-b can set any where, any pc in network]

  2. it worked for me , but it seems that still users are able to download files dont know how.
    how i can totally block the download from users.
    if u have downloading agent, then it by-pass and start download.
    How can i make it strong so that no one can download any thing through any software.

  3. Hi ,
    i was config my proxy successfully. But i can’t access my outlook. i think its prots are blocked.
    Then how can i unlock my outlook ports…
    If anybody konw the solution, Please Immediately send to me… my NAT server ip was given to the gateway of my proxy server and proxy server gateway was given to the users gateway.. Its correct or not ..
    If u know any other way….. please share with me…

    I want the correct solution immediately…

    MY personal EMAIL ID is [email protected]

  4. Dear Sir,

    I have followed your step-by-step instruction to block download files.

    i succesfully manage to block the files while clicking selected files. and i received error msg from squid.

    Unfortunately i still manage to download that file by simply using “Save Link As..” menu as i right click the mouse.

    it seem like users still manage to download prohibited file as configured in squid by using right click menu.

    please advice.

    regards

    amin

  5. [email protected] says:

    Help!

    What if i want to…
    replace “Men at work” with “Aliens at party”

    Is this possible ?
    Can i do this in squid without using any addons ?

  6. This did not work at all. It is not blocking downloads. Yes one thing was possible that downloading by right clik and save target was stoped, rest all downloads are working. Not a good solution. Pls advise for another.

  7. Hai friends pls help me in this

    I our Company we have 200 system and one linux server i want to configure squid in a way that no body should download files in my network and 2 to 3 system i should give premision to download can any body help me plzzzzzzzzzz.

  8. Is it possible to block downloads from yahoo mail and other web based email in Squid? I can block downloads using the instructions above but it can only block direct download from a site.

  9. The blocking file list can be simpler by adding “-i” to the blockfiles statement in squid.conf, that is:
    acl blockfiles urlpath_regex -i “/etc/squid/blocks.files.acl”

    # and in
    # /etc/squid/blocks.files.acl
    .exe$
    .avi$
    .mpg$
    .mpeg$
    .mp33$

  10. shankar, you can do it like this:
    in your squid.conf

    acl special_grp src “/etc/squid/special_grp”
    acl blocked_files url_regex -i “/etc/squid/blocked_files


    http_access allow special_grp blocked_files
    http_access deny !special_grp blocked_files


    # make sure the above lines are above the line “http_access allow our_networks”

    in your /etc/squid/special_grp enter the ips of the systems (one ip per line) that you allow to download and in your /etc/squid/block_files enter the following content
    \.exe$
    \.avi$
    \.mpg$
    \.mpeg$
    \.mp3$

    Then reload squid and you are all set.

  11. i want me to download mp3 of my choice but it is blocked.it just saves the file as HTML document rather than mp3 format how i can get rid of it.i use the intrnet provided by LAN of my company.

  12. Hi everone,I had configure squid proxy server still it’s working but i need restrict to downloads for users can u help.already i am doing like.acl blickfile urlpath _ regix -i “/etc/squid/blocks.filies.acl”
    http_access deny blockfiles
    deny_info ERR_BLOCKED_FILES blockfiles acl
    iam creating file block.files.acl under squid
    mention all extention on that file like \.exe$
    after restarting the sevice
    but .exe file will downloaded . Can you help where exact problem found.

    Thanks
    venkat

  13. Dear All,
    I have done above procedure & it is working good, but there is a problem,
    It also blocked symantec live update, Kindly help me for allow symantec live update with these reistrictions.
    Thankx

  14. sir I want to configure the squid proxy server file in such a way that it contains one public IP and two private IP (EX 192.168.0.1 172.16.0.1 ) and and block various sites (I.E orkut.com , blocl exe file download etc) but in some ip there is no rule ; please tell me how can i configure that proxy server .

  15. Please help me configure

    Sir,in my company we have two gateways and need to give access only to few selected people in my office. and they need to configure through squid. Please help me… Can anyone help me. If so i would be thankful to them

    Bala

  16. Is this possibe that if a network/IP not allowed in squid try to come through his/her browser ( by using the squid IP in the browser) then his/her browser should display a message ( you are not allowed to come throught this proxy or any other message)

    Waiting .

    Regards,
    Ishtiaq Ahmed

  17. Hi
    Dear
    i am usind squid in linux for proxy server i want to block the downloading , music file of all types of extensions image file for user side please guide mein this regard. & also i want to block chatting all kinds of messangers.

  18. Dear
    how are you i am facing a problem regarding blocking of unwanted sites in my network using squid please help me in this regards. i want to block all kinds of messangers, chat sites musical sites & all other voulger sites. i am waiting for your quick response.

    Thanks

    Amjad Shaikh

  19. @ Amjad

    Hi , you need to create the acl for that I wll give you the syntax for that

    under acl tag write like this
    acl block url_regex “/etc/squid/squid-block.acl”
    and under http_access block
    http_access allow manager should be changed to http_access allow all
    http_access deny block
    and create a seperate file squid-block.acl and list out those unwanted sites and then reload the squid.
    Make sure that ur internet connection is made through proxy

    Regarding messanger and chat sites you need to use iptables

  20. Dear Sir,

    I have followed your step-by-step instruction to block download files.

    i succesfully manage to block the files while clicking selected files. and i received error msg from squid.

    Unfortunately i still manage to download that file by simply using “Save Link As..” menu as i right click the mouse.

    it seem like users still manage to download prohibited file as configured in squid by using right click menu.

    please advice.

    regards
    kushal

  21. Vivek,

    Is this the route one would take to create a music download service? By that I mean, if a user has not paid for certain music, they can be restricted from downloading a particular track or album, however if they have paid they are granted access. Also, if it is a shared environment with access only to a DB such as MySQL and a scripting language such as PHP, how would this be possible?

  22. Dear
    AOA
    How are you, i hope that you are fine , on my MINUX Machine an error messgae is dispalyed when i start the machine please solve my problem on urgent bases the error message is as “Maximum Memory Performance is achieved with matched DIMMS. The Installed amountof memory in Channel A is not equal to the amount of press any key to continue”

    i am waiting for your quick & positive reply.

    Amjad Zia

  23. hiiii sir
    i have done user authentication and contain filtering in squid proxy server it is working good but io want to restrict all porn website only for student user not for HCl user so how can i configure user base contain filtering
    Thanks and Regards
    Manish Chaudhary

    1. Manish,
      U can simply add deny rule for restriction on IP base.
      Select the user to restrict add an acl with all IP addresses, add deny rule for that Acl (name that ACL as Student_Access etc)

      This may solve your problem.

      Umesh

  24. Hello all,

    I have different scenario. I have linux firewall and squid installed in different server.
    How can forward all lan clients to squid box from linux router, since forwarding from cisco router make squid box see all client coming from linux gateway ip. I want to see individual ip logs in squid box. How is it possible?

    cisco router
    |
    |
    Squid box (172.160.10.2)—–|——-Linux router (172.16.103)
    |
    eth1
    |
    LAN CLients (192.168.9.0/24)

  25. Hi I am new to this forum..Very useful for me where I blocked the contents using the above mentioned source codes. It works perfectly.

    But I need to allow the users to download a particular exe file alone. Help me how to do that in the squid.

    Help from anyone is highly appreciated.

  26. hi vivek,
    is it possible to customize squid to view download rates by the different IPs & manually terminating the downloads ?
    objective is to prevent big downloads (like movies,softwares) and not to penalise users requiring a small download of eg 3MB.

    Thanks,
    vicky [at] linuxmail.org

  27. dear,
    I want to give internet access control in my office. Now am using Ubuntu server and squid 2.7. I want to give access some web sites only to particular IP and want to give no internet access to some IPs. How it possible?

  28. Hi experts please help me in blocking online games website using squid proxy. I tried many things. but nothing worked. I want to block miniclip.com and other flash games websites.

    Please help me with this.

  29. Hi,

    I have installed squid 3.0 in our network.
    everything is fine except, i am not able to open PDF files in my browser and Not able to attach files from gmail and yahoo.
    I have checked with upload size and download size. its correct.
    I think problem is with flash player or something else.
    Please provide me solution for the same.
    Thank you

  30. Can somebody give me the code on how to disable images from displaying on the browser. I was able to do this a long time ago in my squid. but i can not remember anymore.. I hope to hear a responce from anyone.. thank you…

  31. For security and to save bandwidth I would like to configure Squid proxy server such way that I do not want my users to download all of the following files:
    MP3
    MPEG
    MPG
    AVG
    AVI
    EXE

    1. Torrent cant be blocked by squid.
      I see Intrusion Prevention System like SNORT/SURICATA have capability to detect and block torrent traffic based on signitures.
      Still torrent can make its own way.

      The best practice is you can block LAN User/IP address completly for 15-20 minutes who found having torrent traffic.

  32. have installed squid 3.0 in our network.
    everything is fine except, i am not able to open PDF files in my browser and Not able to attach files from gmail and yahoo.
    I have checked with upload size and download size. its correct.
    I think problem is with flash player or something else.
    Please provide me solution for the same.

  33. Is there any guide about blocking files by their signatures using squid ?
    I want to write my own code to check if a file have the specific signature and block it if necessary and use this code with squid.
    Will really appreciate any help.

  34. this can help to block file types.

    acl blockExtensions rep_mime_type -i “/etc/squid/extension.acl”
    http_reply_access deny blockExtensions

    file contain of “/etc/squid/extension.acl”

    ^application/octet-stream
    ^audio/mpeg
    ^video/x-msvideo

    this will block :
    application/octet-stream (.exe, .bz2, .core, .cab, etc..)
    audio/mpeg (.mp2, .mp3, .mpga )
    video/x-msvideo (.avi)

    you can add more file types to block by ref. from mime.conf file.

Leave a Comment