[squid-users] Youtube "challenges"

Steve Hill steve at opendium.com
Thu Feb 25 14:45:18 UTC 2016


On 25/02/16 03:52, Darren wrote:

> The user visits a page on my server with the YouTube links. Visiting
> this page triggers a state based ACL (something like the captive portal
> login).
>
> The user then clicks a YouTube link and squid checks this ACL to see if
> the user is originating the request from my local page and if it is,
> allows the splice to YouTube and the video can play.

Squid can't tell that the requests were referred by your page - the 
iframe itself may have your page as the referrer (although that 
certainly isn't guaranteed), but the objects that are referred within 
that iframe won't have a useful referrer string.

You could dynamically create an ACL that allows the whole of youtube 
when the user has your page open, but that is fairly insecure since they 
could just open the page and then they would be allowed to access 
anything through youtube.

In my experience (and this is what we do), to be at all secure you have 
to analyse the page itself in order to figure out which specific URIs to 
whitelist (or at least, have those URIs hard-coded somewhere else).

Either way, YouTube uses https, so unless you're going to blindly allow 
the whole of youtube whenever a user visits your page, you're going to 
need to ssl bump the requests in order to have an ACL based on the 
referrer and path.  And as you know, ssl bumping involves sticking a 
certificate on each device.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messager: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
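
An added example (not part of the original post, and not Opendium's code) of the approach described in the reply: analyse the local page, extract the specific YouTube video URIs it links to, and emit anchored patterns for a file-backed Squid url_regex ACL that is checked against bumped requests. The host list, the 11-character video ID format, the sample page and all function names are assumptions; the patterns cover only the embed/watch URL itself, not the further objects the player fetches.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

YT_HOSTS = {"youtube.com", "www.youtube.com",
            "youtube-nocookie.com", "www.youtube-nocookie.com"}
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")  # assumption: 11-character IDs

# Constructed sample of the local page; the IDs and hosts are made up.
SAMPLE_PAGE = """
<iframe src="https://www.youtube.com/embed/AAAAAAAAAAA"></iframe>
<a href="https://www.youtube.com/watch?v=BBBBBBBBB-_">Lesson 2</a>
<a href="https://www.youtube.com/channel/whatever">not a single video</a>
<a href="https://www.youtube.com.example.net/embed/CCCCCCCCCCC">lookalike host</a>
"""

def video_id(url):
    """Return the video ID of an https YouTube embed/watch URL, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in YT_HOSTS:
        return None
    if parts.path.startswith("/embed/"):
        candidate = parts.path[len("/embed/"):]
    elif parts.path == "/watch":
        candidate = parse_qs(parts.query).get("v", [""])[0]
    else:
        return None
    # The strict format check also guarantees the ID is safe inside a regex.
    return candidate if VIDEO_ID.fullmatch(candidate) else None

class LinkCollector(HTMLParser):
    """Collect video IDs from <iframe src> and <a href> attributes."""
    def __init__(self):
        super().__init__()
        self.ids = set()

    def handle_starttag(self, tag, attrs):
        wanted = {"iframe": "src", "a": "href"}.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value and video_id(value):
                self.ids.add(video_id(value))

def allowed_ids(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.ids

def squid_patterns(ids):
    """One anchored regex per video, for a file-backed url_regex ACL."""
    host = r"(www\.)?youtube(-nocookie)?\.com"
    return [rf"^https://{host}/(embed/|watch\?v=){v}([?&]|$)" for v in sorted(ids)]
```

Write the output of squid_patterns(allowed_ids(page)) one pattern per line to the file that the url_regex ACL loads, and regenerate it whenever the page changes.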

