I should have been more specific. How can I setup squid to allow ActiveSync (the mail app from the iPhone). I have what I think is the correct config, but everytime I open the mail app I just get stuff like bad password prompts and stuff. In the logs: 1252955858.226 1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html 1252955858.286 1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html 1252955858.351 1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html Squid config: acl OWA dstdomain proxyowa.server.net acl url_allow url_regex -i ^https://proxyowa.server.net/rpc.*$ acl url_allow url_regex -i ^https://proxyowa.server.net/exchange.*$ acl url_allow url_regex -i ^https://proxyowa.server.net/exchweb.*$ acl url_allow url_regex -i ^https://proxyowa.server.net/webmail.*$ acl url_allow url_regex -i ^https://proxyowa.server.net/OMA.*$ acl url_allow url_regex -i ^https://proxyowa.server.net/Microsoft-Server-ActiveSync.* cache_peer_access owaServer allow OWA never_direct allow OWA http_access allow url_allow http_access allow OWA http_access deny all miss_access allow OWA miss_access deny all -----Original Message----- From: Leonardo Rodrigues [mailto:leolistas@xxxxxxxxxxxxxx] Sent: Monday, September 14, 2009 5:52 PM To: Nick Duda Cc: 'squid-users@xxxxxxxxxxxxxxx' Subject: Re: ACL based on header (iPhone) Nick Duda escreveu: > Is it possible to have an ACL and http_access based on the User-Agent: Apple-iPhone/701.341 ? > > A test reverse OWA proxy we have is configured to prompt for authentication, and that would cause a problem with the Exchange email app on the iPhone. I want to have an http_access that checks to see if the request is coming from iPhone and allow access. I know the User Agent can be changed but this is a small start. > > Sure you can. The 'browser' ACL matches exclusively on User-Agent request header and req_header ACl type can be used to match any other request header, if that's the case. # acl aclname browser [-i] regexp ... # # pattern match on User-Agent header (see also req_header below) # acl aclname req_header header-name [-i] any\.regex\.here # # regex match against any of the known request headers. May be # # thought of as a superset of "browser", "referer" and "mime-type" # # ACLs. probably something like: acl iphone browser -i Apple-iPhone and using that correctly on your http_access rules would do the job. Keep in mind that if any other user forges the User-Agent header, which is easily done by the way, your rules would allow those requests. There's no way to have sure we're really dealing with an iPhone here. -- Atenciosamente / Sincerily, Leonardo Rodrigues Solutti Tecnologia http://www.solutti.com.br Minha armadilha de SPAM, NÃO mandem email gertrudes@xxxxxxxxxxxxxx My SPAMTRAP, do not email it