Search squid archive

Re: block user agent

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 16/11/17 21:29, Vieri wrote:


________________________________
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>



The following works:

acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent

The following works for HTTP sites, but not for HTTPS sites in an ssl-bumped setup:

acl allowed_useragent browser Firefox/
[...]
http_access deny !allowed_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=allowed_useragent allowed_useragent


The User-Agent along with all HTTP layer details in HTTPS are hidden
behind the encryption layer. TO do anything with them you must decrypt
the traffic first. If you can decrypt it turns into regular HTTP traffic
- the normal access controls should then work as-is.



So why does my first example actually work even for https sites?
If you are decrypting the traffic, then it works as I said exactly the same as for HTTP messages.
If you are not decrypting the traffic, but receiving forward-proxy traffic then you are probably blocking the CONNECT messages that setup tunnels for HTTPS - it has a User-Agent header *if* it was generated by a UA instead of an intermediary like Squid. 



acl denied_useragent browser Chrome
acl denied_useragent browser MSIE
acl denied_useragent browser Opera
acl denied_useragent browser Trident
[...]
http_access deny denied_useragent
http_reply_access deny denied_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent denied_useragent

If the above "works" then another way would be to use a negated regular expression such as:
acl denied_useragent browser (?!Firefox)
but I don't think it's allowed.
AFAIK that feature is part of a different regex grammar than the one Squid uses.
PS. you do know the UA strings of modern browsers all reference each other right? "Chrome like-Gecko like Firefox" etc. 

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux