On Wed, 24 Jun 2009 15:43:07 +0200, Erwann PENCREACH <erwann.pencreach@xxxxxxxxxxxxxx> wrote:
> Amos Jeffries wrote:
>> Erwann PENCREACH wrote:
>>> Ralf Hildebrandt wrote:
>>>> * Erwann PENCREACH <erwann.pencreach@xxxxxxxxxxxxxx>:
>>>>> ok, I made changes
>>>>>
>>>>> nodst and contenttype acl works fine (I'll look later for squidguard
>>>>> and dansguardian)
>>>>>
>>>>> browser filtering doesn't work at all
>>>>>
>>>>> external_acl works fine
>>>>>
>>>>> I don't understand what I'm doing wrong with User-agent filtering
>>>>
>>>> But I already told you. MSIE says it's Mozilla. Your regular
>>>> expression is wrong.
>>> You're right, I've just checked both User agents:
>>>
>>> # MSIE : User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>>> 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
>>> # Mozilla : User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr;
>>> rv:1.9.0.1; .NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1
>>>
>>> acl becomes:
>>>
>>> acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
>>>
>>
>> Mozilla and Gecko are both engines that generate HTTP requests and parse
>> HTTP replies on demand. Along with various other HTTP related
>> activities. They are both used in a vast number of browsers and browser
>> clones and fake agents.
>>
>> I would guess you actually want the "Firefox" branding interface for
>> Gecko. Commonly known as the Mozilla Firefox web browser.
>>
>> User-Agent: is easily forged, so don't hang your security on it please.
>> It's best to use it only in deny (ie for unknowns and non-matching) and
>> leave the allow permissions to more strict ACL types.
>>
>> Amos
>
> you're right, that's why I deny all but those three UA
>
> firefox isn't the solution, because the debian port is called Iceweasel
>
> filtering on gecko allows Firefox, Thunderbird, Iceweasel and Icedove to
> go through this acl, and lets the following acl do the rest of filtering.
>
> All the security isn't done by the proxy. Our users aren't able to
> install any software on the computers so the chance of having another
> browser is minimal
>

Cool. You do seem a lot more clued in than previous posts would suggest :)

Amos
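
The `checkua` patterns from this thread, modelled in Python as an added example (not part of any poster's message and not Squid's own code): it shows which User-Agent strings a "deny unless `checkua` matches" rule lets through to the next ACL. Assumptions: `re.search` stands in for Squid's unanchored, case-sensitive regex match, an absent header never matches, the `Mozilla` pattern is a stand-in for the earlier regex the thread does not show, and every sample other than the two quoted User-Agent strings is constructed.

```python
import re

# Patterns copied from the thread: acl checkua browser Gecko/ ^Keyvelop$ ^ClamWin/
CHECKUA = [re.compile(p) for p in (r"Gecko/", r"^Keyvelop$", r"^ClamWin/")]
# Assumed stand-in for the earlier, rejected regex (the thread never shows it).
TOO_BROAD = [re.compile(r"Mozilla")]

# The first two strings are quoted in the thread; the rest are constructed samples.
SAMPLES = {
    "msie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
             ".NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.1; "
               ".NET CLR 2.0.50727; ffco7) Gecko/2008070208 Firefox/3.0.1",
    "iceweasel": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) "
                 "Gecko/2009061212 Iceweasel/3.0.11",
    "clamwin": "ClamWin/0.95",
    "keyvelop": "Keyvelop",
    "keyvelop_suffix": "Keyvelop/1.0",  # fails ^Keyvelop$ because of the $ anchor
    "self_declared": "anything Gecko/ anything",  # header content is client-chosen
    "no_header": None,
}


def acl_matches(patterns, user_agent):
    """True if any pattern is found in the header (unanchored, case-sensitive)."""
    if user_agent is None:  # assumption: an absent header never matches
        return False
    return any(p.search(user_agent) for p in patterns)


def checkua_verdict(user_agent, patterns=CHECKUA):
    """Model a 'deny unless checkua matches' rule.

    A match is not an allow: the request only moves on to the stricter ACLs.
    """
    return "next-acl" if acl_matches(patterns, user_agent) else "deny"


def report():
    """Verdict for every sample, keyed by sample name."""
    return {name: checkua_verdict(ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:16} {verdict}")
    # The broad pattern cannot tell MSIE from Gecko-based browsers.
    print("Mozilla pattern matches MSIE:", acl_matches(TOO_BROAD, SAMPLES["msie6"]))
```

The `self_declared` row passes the check, which is why the match only defers to later ACLs and never grants access by itself.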