On 16/11/17 21:29, Vieri wrote:
________________________________
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
The following works:
acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent
The following works for HTTP sites, but not for HTTPS sites in an ssl-bumped setup:
acl allowed_useragent browser Firefox/
[...]
http_access deny !allowed_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=allowed_useragent allowed_useragent
The User-Agent along with all HTTP layer details in HTTPS are hidden
behind the encryption layer. TO do anything with them you must decrypt
the traffic first. If you can decrypt it turns into regular HTTP traffic
- the normal access controls should then work as-is.
So why does my first example actually work even for https sites?
If you are decrypting the traffic, then it works as I said exactly the
same as for HTTP messages.
If you are not decrypting the traffic, but receiving forward-proxy
traffic then you are probably blocking the CONNECT messages that setup
tunnels for HTTPS - it has a User-Agent header *if* it was generated by
a UA instead of an intermediary like Squid.
acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent
If the above "works" then another way would be to use a negated regular expression such as:
acl denied_useragent browser (?!Firefox)
but I don't think it's allowed.
AFAIK that feature is part of a different regex grammar than the one
Squid uses.
PS. you do know the UA strings of modern browsers all reference each
other right? "Chrome like-Gecko like Firefox" etc.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users