Search squid archive

RE: ACL based on header (iPhone)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I should have been more specific. How can I setup squid to allow ActiveSync (the mail app from the iPhone). I have what I think is the correct config, but everytime I open the mail app I just get stuff like bad password prompts and stuff.

In the logs:

1252955858.226      1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html
1252955858.286      1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html
1252955858.351      1 10.x.x.x TCP_MISS/401 1942 OPTIONS https://proxyowa.server.net/Microsoft-Server-ActiveSync - FIRST_UP_PARENT/owa_ssl text/html

Squid config:

acl OWA dstdomain proxyowa.server.net
acl url_allow url_regex -i ^https://proxyowa.server.net/rpc.*$
acl url_allow url_regex -i ^https://proxyowa.server.net/exchange.*$
acl url_allow url_regex -i ^https://proxyowa.server.net/exchweb.*$
acl url_allow url_regex -i ^https://proxyowa.server.net/webmail.*$
acl url_allow url_regex -i ^https://proxyowa.server.net/OMA.*$
acl url_allow url_regex -i ^https://proxyowa.server.net/Microsoft-Server-ActiveSync.*

cache_peer_access owaServer allow OWA
never_direct allow OWA

http_access allow url_allow
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all





-----Original Message-----
From: Leonardo Rodrigues [mailto:leolistas@xxxxxxxxxxxxxx] 
Sent: Monday, September 14, 2009 5:52 PM
To: Nick Duda
Cc: 'squid-users@xxxxxxxxxxxxxxx'
Subject: Re:  ACL based on header (iPhone)

Nick Duda escreveu:
> Is it possible to have an ACL and http_access based on the User-Agent: Apple-iPhone/701.341 ?
>
> A test reverse OWA proxy we have is configured to prompt for authentication, and that would cause a problem with the Exchange email app on the iPhone. I want to have an http_access that checks to see if the request is coming from iPhone and allow access. I know the User Agent can be changed but this is a small start.
>
>   

    Sure you can. The 'browser' ACL matches exclusively on User-Agent 
request header and req_header ACl type can be used to match any other 
request header, if that's the case.

#       acl aclname browser  [-i] regexp ...
#         # pattern match on User-Agent header (see also req_header below)

#       acl aclname req_header header-name [-i] any\.regex\.here
#         # regex match against any of the known request headers.  May be
#         # thought of as a superset of "browser", "referer" and "mime-type"
#         # ACLs.


    probably something like:

acl iphone browser -i Apple-iPhone

    and using that correctly on your http_access rules would do the job. 
Keep in mind that if any other user forges the User-Agent header, which 
is easily done by the way, your rules would allow those requests. 
There's no way to have sure we're really dealing with an iPhone here.


-- 


	Atenciosamente / Sincerily,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	Minha armadilha de SPAM, NÃO mandem email
	gertrudes@xxxxxxxxxxxxxx
	My SPAMTRAP, do not email it






[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux