On 25/02/16 03:52, Darren wrote:
> The user visits a page on my server with the YouTube links. Visiting this page triggers a state based ACL (something like the captive portal login). The user then clicks a YouTube link and squid checks this ACL to see if the user is originating the request from my local page and if it is, allows the splice to YouTube and the video can play.
Squid can't tell that the requests were referred by your page - the iframe itself may have your page as the referrer (although that certainly isn't guaranteed), but the objects that are referred within that iframe won't have a useful referrer string.
You could dynamically create an ACL that allows the whole of youtube when the user has your page open, but that is fairly insecure since they could just open the page and then they would be allowed to access anything through youtube.
In my experience (and this is what we do), to be at all secure you have to analyse the page itself in order to figure out which specific URIs to whitelist (or at least, have those URIs hard-coded somewhere else).
Either way, YouTube uses https, so unless you're going to blindly allow the whole of youtube whenever a user visits your page, you're going to need to ssl bump the requests in order to have an ACL based on the referrer and path. And as you know, ssl bumping involves sticking a certificate on each device.
--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx
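
An added example, not part of the message above or of Opendium's code: one way to do the page analysis the reply describes, extracting the video ids from the links page and emitting anchored patterns, assumed here to feed a Squid `url_regex` ACL on bumped traffic. The page markup, function names and patterns are assumptions, and the patterns cover only the watch/embed URLs, not the other objects the player fetches.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
# Constructed sample page; the Squid url_regex target is an assumption of this example.
SAMPLE_PAGE = """
<a href="https://www.youtube.com/watch?v=AAAAAAAAAAA">Lesson 1</a>
<iframe src="https://www.youtube.com/embed/BBBBBBBBBBB?rel=0"></iframe>
<a href="https://youtu.be/CCCCCCCCCCC">Lesson 3</a>
<a href="https://www.youtube.com.example.net/watch?v=DDDDDDDDDDD">lookalike</a>
"""
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
YT_HOSTS = {"www.youtube.com", "youtube.com"}

def video_id(url):
    # Return the video id of an https YouTube watch/embed/short link, else None.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return None
    if host == "youtu.be":
        vid = parts.path.lstrip("/")
    elif host in YT_HOSTS and parts.path == "/watch":
        vid = parse_qs(parts.query).get("v", [""])[0]
    elif host in YT_HOSTS and parts.path.startswith("/embed/"):
        vid = parts.path[len("/embed/"):]
    else:
        return None  # exact host match only, so lookalike hosts are rejected
    return vid if VIDEO_ID.fullmatch(vid) else None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.ids = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag in ("a", "iframe") and name in ("href", "src") and value:
                vid = video_id(value)
                if vid and vid not in self.ids:
                    self.ids.append(vid)

def approved_ids(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.ids

def whitelist_patterns(html):
    # Ids are limited to [A-Za-z0-9_-], so they need no regex escaping.
    return [p for v in approved_ids(html) for p in (
        rf"^https://www\.youtube\.com/watch\?(.*&)?v={v}(&|$)",
        rf"^https://www\.youtube\.com/embed/{v}([?/]|$)")]
```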