Search squid archive

Re: squid 3 acl browser

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 24 Jun 2009 15:43:07 +0200, Erwann PENCREACH
<erwann.pencreach@xxxxxxxxxxxxxx> wrote:
> Amos Jeffries a écrit :
>> Erwann PENCREACH wrote:
>>> Ralf Hildebrandt a écrit :
>>>> * Erwann PENCREACH <erwann.pencreach@xxxxxxxxxxxxxx>:
>>>>> ok, I made changes
>>>>>
>>>>> nodst and contenttype acl works fine (I'll look later for squidguard 
>>>>> and  dansguardian)
>>>>>
>>>>> browser filtering doesn't work at all
>>>>>
>>>>> external_acl works fine
>>>>>
>>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>>
>>>> But I already told you. MSIE says it's Mozilla. Your regular
>>>> expression is wrong.
>>> You're right I've just checked both User agents :
>>>
>>> # MSIE    : User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
>>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; 
>>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>>
>>> acl becomes :
>>>
>>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>>>
>> 
>> Mozilla and Gecko are both engines that generate HTTP requests and parse

>> HTTP replies on demand. Along with various other HTTP related 
>> activities. They are both used in a vast number of browsers and browser 
>> clones and fake agents.
>> 
>> I would guess you actually want the "Firefox" branding interface for 
>> Gecko. Commonly known as the Mozilla Firefox web browser.
>> 
>> User-Agent: is easily forged, so don't hang your security on it please. 
>> It's best to use it only in deny (ie for unknowns and non-matching) and 
>> leave the allow permissions to more strict ACL types.
>> 
>> Amos
> 
> you're right, that's why I deny all but those three UA
> 
> firefox, isn't the solution, cause the debian port is called Iceweasel
> 
> filtering on gecko allows Firefox, Thunderbird, Iceweasel and Icedove to 
> go through this acl, and let the following acl do the rest of filtering.
> 
> All the security, isn't done by the proxy. Our users aren't able to 
> install any software on the computers so chance to have an other browser 
> is minimal
> 

Cool. You do seem a lot more clued in than previous posts would suggest :)

Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux