Author Topic: How to block output traffic for uploading files with Zentyal  (Read 3859 times)

filipe bezerra

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • Editora W
I want to block all traffic to upload any file using Zentyal. I have version 3.0.21 installed and running as a DNS and DHCP server.

In addition, the server has two interfaces. One as an external interface to receive an IP address from the DHCP on my router and another as an internal interface and static address.

I know Zentyal has the function of QoS and bandwidth optimization (Bandwidth Throttling), but none of them can help me deal with this requirement.

So can anyone help me set up this server to control outgoing traffic from uploading files? I mean, any kind of file must be blocked.

Best Regards.

christian

  • Guest
« Reply #1 on: July 12, 2013, 03:36:14 pm »
Look at this, it may give you some idea. This is based on file size.

An approach based on mime type might not always be reliable unless you're able to write the right regular expression.
BTW, did you try various mime type settings?


oops, sorry, I just forgot: you do need to enable HTTP proxy and enable filtering too otherwise this is useless  ;)
« Last Edit: July 12, 2013, 03:40:58 pm by christian »

filipe bezerra

« Reply #2 on: July 12, 2013, 04:19:02 pm »
Thank you for your reply,

I've made changes in my squid.conf according to this tutorial. I actually replaced the entire text of my original squid.conf in /etc/squid3/ with the settings in this tutorial.

I did as the tutorial says and it did not work. I am a newbie with Zentyal and I have no knowledge of configuring squid.

Help me with this thing. How should I properly configure the squid.conf? My current setup is:

Code:
http_port 3128 intercept
# END_TAG #

visible_hostname (frontal)ProxyServer.proxy-editoraw.lan
coredump_dir /var/spool/squid3
cache_effective_user proxy
cache_effective_group proxy
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log

pid_filename /var/run/squid3.pid

cache_peer localhost parent 3130 0 no-query proxy-only login=*:nopassword

auth_param basic realm Zentyal HTTP proxy
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b ou=Users,dc=proxy-editoraw,dc=lan -u uid -p 390
acl_uses_indirect_client on
acl authorized proxy_auth REQUIRED

acl from_localhost src 127.0.0.0/8 ::1
acl to_localhost dst 127.0.0.0/8 ::1


http_access allow to_localhost
follow_x_forwarded_for allow from_localhost
forwarded_for on
log_uses_indirect_client on
always_direct allow to_localhost

# force clients to use squid-external
never_direct allow all


##
## ACLs from model rules
##
##
## Access
##



##
## Default policy
##
# All acces denied by default if no other allow rule matchs
http_access deny all
# reply access allowed if not denied before
http_reply_access allow all

And the setup from tutorial is:

Code:
acl all src all
http_port 3128
access_log /var/log/squid/access.log squid

external_acl_type request_body %{Content-Length} /usr/bin/upload.sh
# 1MB max upload
acl noupload external request_body 1024000

http_access deny !noupload
http_access allow all

The point here is: how do I merge these settings so that squid works correctly with the current configuration, plus the rule to block the file upload?

christian

« Reply #3 on: July 12, 2013, 05:07:10 pm »
What you also need is to read this Zentyal documentation (if not already done) because modifying squid.conf directly will never work.

filipe bezerra

« Reply #4 on: July 12, 2013, 05:29:09 pm »
Thank you again for your reply.

I'll read this documentation and search for a solution.

filipe bezerra

« Reply #5 on: July 15, 2013, 04:03:03 pm »
Hi christian,

Please help me with this configuration. I applied this script (http://agix.com.au/blog/?p=2006):

Code:
acl all src all
http_port 3128
access_log /var/log/squid/access.log squid

external_acl_type request_body %{Content-Length} /usr/bin/upload.sh
# 1MB max upload
acl noupload external request_body 1024000

http_access deny !noupload
http_access allow all

Now create your script file:

touch /usr/bin/upload.sh
chmod 755 /usr/bin/upload.sh

Then add the following content to your new script file "/usr/bin/upload.sh":

#!/bin/sh
while read size limit; do
  if [ "${size}" -gt "${limit}" ]; then
    echo ERR
  else
    echo OK
  fi
done

I put this in a custom script in the hooks directory, to be executed before the module is saved, in this case the squid module. The directory is /etc/zentyal/hooks/, file squid.presetconf, configured as follows:

Code:
#!/bin/sh

acl all src all
http_port 3128
access_log /var/log/squid/access.log squid

external_acl_type request_body %{Content-Length} /usr/bin/upload.sh
# 1MB max upload
acl noupload external request_body 1024000

http_access deny !noupload
http_access allow all

exit 0

And it did not work as I expected, i.e., the file upload control is not being done. Tested on services like GMail, Mega and Outlook.com.

christian

« Reply #6 on: July 15, 2013, 04:31:47 pm »
I suppose you don't yet understand how hooks work.
The idea with hooks is to modify the service configuration.
What you wrote is not modifying anything as far as I understand.

What you could also do before trying to write a hook is to use a customized conf file, copying the original conf file into /etc/zentyal/stubs/ as described in the link above.
You can then modify it and give it a try without having the changes reset when the service restarts.

filipe bezerra

« Reply #7 on: July 18, 2013, 10:29:12 pm »
I was able to apply the squid rules in a template using the Zentyal hooks. Uploading files in http requests is blocked correctly. However, when a form is https, the rules are not applied and the blocking does not happen.

My settings are applied as follows:

Hook in: /etc/zentyal/hooks/squid.presetconf with the script:

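Code:
#!/bin/sh

# make sure the override directory for squid templates exists
mkdir -p /etc/zentyal/stubs/squid

# start from a fresh copy of the stock template on every run
cp /usr/share/zentyal/stubs/squid/squid.conf.mas /etc/zentyal/stubs/squid

# append the upload limit rules to the copied template
echo "

acl network src 172.16.0.0/32
request_body_max_size 1KB network

" >> /etc/zentyal/stubs/squid/squid.conf.mas

exit 0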

Using the template squid + the hook of the Zentyal pre reconfiguration + Squid ACL rules + request_body_max_size, I can perform the rule on requests coming from http forms.

Now I would like some help to handle requests coming from https.
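
Added example, not part of the original thread and not the tutorial's own code: a fail-closed variant of the upload.sh external ACL helper from reply #5, which denies malformed or oversized Content-Length values instead of falling through to OK. It assumes Squid passes "-" when a request carries no Content-Length header, which is all a proxy without TLS interception gets for an HTTPS CONNECT tunnel, consistent with the HTTPS result reported above; the "--serve" switch is hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed variant of the upload.sh external ACL helper.
# Squid sends one line per request: "<Content-Length value> <limit>".
# Assumption: a request without a Content-Length header arrives as "-".

# Print OK (request allowed) or ERR (request denied) for one request.
check_upload() {
    size=$1
    limit=$2
    case $limit in
        ''|*[!0-9]*) echo ERR; return ;;  # bad limit in squid.conf: deny
    esac
    case $size in
        ''|-) echo OK; return ;;          # no body announced: GET, or an
                                          # HTTPS CONNECT tunnel (body unseen)
        *[!0-9]*) echo ERR; return ;;     # malformed header: deny
    esac
    # Drop leading zeros, then compare digit counts first so a huge value
    # cannot overflow the shell's integer test.
    size=$(echo "$size" | sed 's/^0*//'); size=${size:-0}
    if [ "${#size}" -gt "${#limit}" ]; then
        echo ERR
    elif [ "${#size}" -lt "${#limit}" ]; then
        echo OK
    elif [ "$size" -gt "$limit" ]; then
        echo ERR
    else
        echo OK
    fi
}

# Helper loop: one answer per input line, as the external ACL protocol expects.
serve() {
    while read -r size limit; do
        check_upload "$size" "$limit"
    done
}

# Hypothetical "--serve" switch (squid.conf would call "upload.sh --serve");
# without it the file only defines the functions, e.g. for testing.
if [ "${1:-}" = "--serve" ]; then
    serve
fi
```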

filipe bezerra

« Reply #8 on: August 09, 2013, 02:56:17 pm »
I still have the same problem. I cannot block outgoing traffic (upload) through the https protocol. Does someone have a solution, please?