January 19, 2020, 10:00pm
I have web Proxy & Filter activated and in Filter / configuration / edit / black & whitelist there is a field blocked extensions with: exe, zip. So why can I still download exe files? For example I tried to download thunderbird.exe and it was allowed. How is it possible to prevent the users from downloading different filetypes?
Also in email / filter the setting at the bottom under attachments / advanced, where I can add extensions to the predefined doc,odt - when I try to save, there is an error while executing nethserver-mail/filter/update.
January 20, 2020, 9:07am
What configuration do you use? Transparent with SSL?
Did you use cockpit or old server manager?
I found that with cockpit the file extension is not saved.
Can you please verify with
config show squidguard
BlockedFileType property is not changed on my system when using cockpit.
If yes, it is a bug.
January 20, 2020, 12:18pm
I use transparent - but not with ssl. Yes, I set up and configured the system with cockpit.
config show squidguard does not return anything.
January 20, 2020, 2:33pm
In Terminal it should return something like this:
config show squidguard
Please show output of
rpm -qa nethserver-squid*
January 20, 2020, 5:05pm
It does now, don't know, I rebooted the server in between and was playing around, but now it shows
[root@hostname ~]# config show squidguard
Maybe a typo… Anyway.
rpm -qa nethserver-squid*
Just tested, I could still download thunderbird setup.exe
@thunderbird.net. And I still cannot successfully modify and save the extensions list in spamd filter settings.
By the way, how and where can I change the redirect url?
January 21, 2020, 8:02am
It’s the same here. I can download exe files although they should be blocked. Maybe a limitation of filtering https.
To change the redirect url please have a look at:
Example of cgi-file:
This file has been truncated.
# Explain to the user that the URL is blocked and by which rule set
# Original by Pål Baltzersen 1999 (email@example.com)
# French texts thanks to Fabrice Prigent (firstname.lastname@example.org)
# Dutch texts thanks to Anneke Sicherer-Roetman (email@example.com)
# German texts thanks to Buergernetz Pfaffenhofen (http://www.bn-paf.de/filter/)
# Spanish texts thanks to Samuel García).
# Rewrite by Christine Kronberg, 2008, to enable an easier integration of
# other languages.
# By accepting this notice, you agree to be bound by the following
# This software product, squidGuard, is copyrighted (C) 1998-2008
# by Christine Kronberg, Shalla Secure Services. All rights reserved.
# This program is free software; you can redistribute it and/or modify
January 21, 2020, 2:10pm
Do you have “Block file extensions” enabled?
You find it in “Edit Filter” / 2nd “What” / “Advanced Options”
January 22, 2020, 7:50am
After having set up a completely new installation, as I changed from internal ourdomain.local to external ourdomain.work, I checked again.
I can add extensions to web proxy filter. Yes, block extensions is activated. I tried with the following two files and could still download them:
Thunderbird.net and sqlexpress express download. For testing purposes I also added pdf to the extension list, and I could still access them.
Within mail proxy I still cannot save the extension list when adding some extension like exe and/or zip. Executing nethserver-mail/filter/update in terminal shows:
No such file or directory
January 22, 2020, 12:03pm
I tried several times to configure it, but I wasn’t able to block such downloads either.
I have to say, I never tested it before. But I’m also out of ideas for the moment.
Does someone have an idea what’s wrong, @support_team?
EDIT: Now I found the corresponding thread
In Web content filter, Enable expression matching on URL and set a List of blocked file extensions:
Filters: Edit desired filter(s) and enable Block file extensions:
On current tests, blocking on http works but no file extensions are blocked through https, possibly due to peek and splice method ??:
Note also that Block HTTP and HTTPS ports option will influence connection behavior.
It seems it’s a limitation of filtering HTTPS traffic, as I assumed earlier.
January 24, 2020, 5:02pm
Unencrypted HTTPS only shows the domain (www.google.com); it doesn’t see any of the path or parameters.
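What the URL filter can actually match on in each case, as an added example that is not part of the original thread. It assumes a proxy that does not decrypt TLS, a constructed extension rule (not necessarily the expression NethServer generates for squidGuard), and placeholder hostnames:

```python
import re
from urllib.parse import urlsplit

# Assumption: a rule equivalent to "blocked extensions: exe, zip".
# The exact expression NethServer writes for squidGuard may differ.
BLOCKED_EXT = re.compile(r"\.(exe|zip)(\?.*)?$", re.IGNORECASE)


def seen_by_filter(browser_url):
    """Return the string a non-decrypting proxy can hand to the URL filter."""
    parts = urlsplit(browser_url)
    if parts.scheme == "https":
        # Only the tunnel target (CONNECT host:port, or the TLS SNI when
        # intercepting transparently) is visible. Path and query string
        # travel inside the encrypted session.
        return f"{parts.hostname}:{parts.port or 443}"
    # Plain HTTP: the full request URL is visible to the proxy.
    return browser_url


def filter_decision(browser_url):
    """Apply the extension rule to what the filter sees, not what the user typed."""
    visible = seen_by_filter(browser_url)
    verdict = "BLOCK" if BLOCKED_EXT.search(visible) else "PASS"
    return verdict, visible


# Constructed sample downloads; downloads.example.test is a placeholder host.
SAMPLE_URLS = [
    "http://downloads.example.test/setup.exe",
    "http://downloads.example.test/archive.zip?mirror=1",
    "http://downloads.example.test/manual.html",
    "https://downloads.example.test/setup.exe",
    "https://downloads.example.test:8443/archive.zip",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict, visible = filter_decision(url)
        print(f"{verdict:5}  typed: {url}\n       seen:  {visible}")
```

The same file is blocked over http and passes over https because the rule never sees the `.exe` suffix. Matching on the path requires the proxy to decrypt the session; otherwise only whole domains can be blocked for HTTPS.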
January 24, 2020, 7:37pm
Does that mean that it is not possible to filter all those extensions at all, if they are downloaded from https?
February 21, 2020, 2:20pm
Can someone please confirm? Do I understand correctly that filtering file extensions is not possible for https connection but only for unencrypted http, or is this a bug?
February 21, 2020, 2:48pm
File extensions with https DO pose a problem in my experience.
Especially when we’re talking about proxy or filtering…
Our clients have NO problems saving files with .exe extensions, be it word.exe, thunderbird.exe or cryptoransom.exe…
My 2 cents